RoganDawes / P4wnP1

P4wnP1 is a highly customizable USB attack platform, based on a low cost Raspberry Pi Zero or Raspberry Pi Zero W.
GNU General Public License v3.0

hid_backdoor sending alt and/or shift during delay commands? #178

Open 0-d-0 opened 6 years ago

0-d-0 commented 6 years ago

So I've been trying to use this on a lab computer at school that's been disconnected from the network (I have permission). I have P4wnP1 on a Pi Zero W.

The HID backdoor sounded like something fun to mess with. I was using it on a Windows 7 target and connecting through wifi on my laptop.

Whenever I fire stage 1, it opens up a help window for Net Support School, which is installed on the lab computers, and fills out one of the forms in that window, preventing it from working. This isn't really too relevant, except that I looked up the manual and found the keyboard shortcut for the help window, which is both shift keys and alt.

After some debugging of P4wnP1.py in hidtools/backdoor I found that the culprit is somehow the DELAY statements (or something else with duckencoder) that are used when first opening the run window or after initially launching powershell. Or I'm doing something wrong :-)

I used pdb and placed several traces to follow what ps_stub looked like before being sent to duckencoder (pardon if my terminology is bad; I'm new to security/programming). I noticed that if I removed the DELAY statement (using pdb) after `GUI r`, then powershell would launch properly, but the support window would still come up. Removing the other default delay that gets appended to the end as well got rid of this.

However, this means I can't use delays, so payloads are dysfunctional for a different reason.

If I just go and remove NetSupport it works.

It could just be NetSupport doing something somehow but I don't know, it doesn't seem like it would.

Edit: I forgot to mention that all of the security features of NetSupport are disabled.

mame82 commented 6 years ago

Does this problem still occur with the latest release?