OpenBAS-Platform / openbas

Open Breach and Attack Simulation Platform
https://openbas.io

Error on executable payload not handled correctly #1897

Open RomuDeuxfois opened 2 days ago

RomuDeuxfois commented 2 days ago

Description

When I launch an executable file and there is an error in the execution, the inject status is: INJECT EXECUTED.

My payload:

$url = "https://redcanary.com/wp-content/uploads/Atomic-Red-Team-Logo.png"
$imgLocation = "$env:TEMP\T1491.001-newWallpaper.png"
$orgWallpaper = "C:\Users\RomualdLemesle\Pictures\joker-batman-the-dark-knight-heath-ledger-wallpaper-preview.jpg"
$orgWallpaper | Out-File -FilePath "$env:TEMP\T1491.001-OrginalWallpaperLocation"
$updateWallpapercode = @'
using System.Runtime.InteropServices;
namespace Win32{

    public class Wallpaper{
        [DllImport("user32.dll", CharSet=CharSet.Auto)]
         static extern int SystemParametersInfo (int uAction , int uParam , string lpvParam , int fuWinIni) ;

         public static void SetWallpaper(string thePath){
            SystemParametersInfo(20,0,thePath,3);
        }
    }
}
'@

$wc = New-Object System.Net.WebClient
try {
    $wc.DownloadFile($url, $imgLocation)

    # Check and add the type if necessary
    if (-not ("Win32.Wallpaper" -as [type])) {
        Add-Type -TypeDefinition $updateWallpapercode
    }

    [Win32.Wallpaper]::SetWallpaper($imgLocation)
}
catch [System.Net.WebException] {
    Write-Host("Cannot download $url")

    if (-not ("Win32.Wallpaper" -as [type])) {
        Add-Type -TypeDefinition $updateWallpapercode
    }

    [Win32.Wallpaper]::SetWallpaper($imgLocation)
}
finally {
    $wc.Dispose()
}

The result in UI: Image

The log:

{"timestamp":"2024-11-20T11:07:31.992308Z","level":"INFO","fields":{"message":"Starting OpenBAS implant 1.8.1 production","log.target":"openbas_implant","log.module_path":"openbas_implant","log.file":"src\\main.rs","log.line":152},"target":"openbas_implant"}
{"timestamp":"2024-11-20T11:07:32.098651Z","level":"INFO","fields":{"message":"file execution execution: \"wallpaper.ps1\"","log.target":"openbas_implant::handle::handle_file","log.module_path":"openbas_implant::handle::handle_file","log.file":"src\\handle\\handle_file.rs","log.line":18},"target":"openbas_implant::handle::handle_file"}
{"timestamp":"2024-11-20T11:07:33.359553Z","level":"INFO","fields":{"message":"file execution execution stdout: \"\"","log.target":"openbas_implant::handle::handle_execution","log.module_path":"openbas_implant::handle::handle_execution","log.file":"src\\handle\\handle_execution.rs","log.line":18},"target":"openbas_implant::handle::handle_execution"}
{"timestamp":"2024-11-20T11:07:33.359573Z","level":"INFO","fields":{"message":"file execution execution stderr: \"\"","log.target":"openbas_implant::handle::handle_execution","log.module_path":"openbas_implant::handle::handle_execution","log.file":"src\\handle\\handle_execution.rs","log.line":19},"target":"openbas_implant::handle::handle_execution"}