TheWover / donut

Generates x86, x64, or AMD64+x86 position-independent shellcode that loads .NET Assemblies, PE files, and other Windows payloads from memory and runs them with parameters
BSD 3-Clause "New" or "Revised" License

VBS payload not executing #10

Closed FuzzySecurity closed 5 years ago

FuzzySecurity commented 5 years ago

I tried to generate a simple VBS test case; my payload file only contains this: MsgBox "Hello Donut!", VBOKOnly

The shellcode does not execute, however. Below is the donut debug output:

C:\Users\b33f>C:\Users\b33f\Desktop\donut-master\donut.exe -f C:\Users\b33f\Desktop\test.vbs -o C:\Users\b33f\Desktop\test.bin
  [ Donut shellcode generator v0.9.2
  [ Copyright (c) 2019 TheWover, Odzhan
DEBUG: donut.c:842:DonutCreate(): Entering.
DEBUG: donut.c:844:DonutCreate(): Validating configuration and path of file PDONUT_CONFIG: 00EFEE2C
DEBUG: donut.c:860:DonutCreate(): Validating instance type 1
DEBUG: donut.c:900:DonutCreate(): Validating architecture
DEBUG: donut.c:910:DonutCreate(): Validating AMSI/WDLP bypass option
DEBUG: donut.c:287:get_file_info(): Entering.
DEBUG: donut.c:296:get_file_info(): Checking extension of C:\Users\b33f\Desktop\test.vbs
DEBUG: donut.c:303:get_file_info(): Extension is ".vbs"
DEBUG: donut.c:307:get_file_info(): Module is VBS
DEBUG: donut.c:337:get_file_info(): Mapping C:\Users\b33f\Desktop\test.vbs into memory
DEBUG: donut.c:231:map_file(): Reading size of file : C:\Users\b33f\Desktop\test.vbs
DEBUG: donut.c:240:map_file(): Opening C:\Users\b33f\Desktop\test.vbs
DEBUG: donut.c:250:map_file(): Mapping 31 bytes for C:\Users\b33f\Desktop\test.vbs
DEBUG: donut.c:412:get_file_info(): Leaving.
DEBUG: donut.c:973:DonutCreate(): Creating module
DEBUG: donut.c:535:CreateModule(): Entering.
DEBUG: donut.c:539:CreateModule(): Allocating 6463 bytes of memory for DONUT_MODULE
DEBUG: donut.c:629:CreateModule(): Leaving.
DEBUG: donut.c:980:DonutCreate(): Creating instance
DEBUG: donut.c:640:CreateInstance(): Entering.
DEBUG: donut.c:643:CreateInstance(): Allocating space for instance
DEBUG: donut.c:650:CreateInstance(): The size of module is 6463 bytes. Adding to size of instance.
DEBUG: donut.c:662:CreateInstance(): Generating random key for instance
DEBUG: donut.c:668:CreateInstance(): Generating random key for module
DEBUG: donut.c:674:CreateInstance(): Generating random string to verify decryption
DEBUG: donut.c:680:CreateInstance(): Generating random IV for Maru hash
DEBUG: donut.c:685:CreateInstance(): Generating hashes for API using IV: babd7e54bb820282
DEBUG: donut.c:698:CreateInstance(): Hash for kernel32.dll    : LoadLibraryA           = A34593C31D0C22C
DEBUG: donut.c:698:CreateInstance(): Hash for kernel32.dll    : GetProcAddress         = B2795FC9DC9F3371
DEBUG: donut.c:698:CreateInstance(): Hash for kernel32.dll    : GetModuleHandleA       = 75C011E083850109
DEBUG: donut.c:698:CreateInstance(): Hash for kernel32.dll    : VirtualAlloc           = 2B203BB1E5CAA0A3
DEBUG: donut.c:698:CreateInstance(): Hash for kernel32.dll    : VirtualFree            = 11103F019F028A7E
DEBUG: donut.c:698:CreateInstance(): Hash for kernel32.dll    : VirtualQuery           = 41CE65B0A9AD3E28
DEBUG: donut.c:698:CreateInstance(): Hash for kernel32.dll    : VirtualProtect         = 7504E9E76041F3A9
DEBUG: donut.c:698:CreateInstance(): Hash for kernel32.dll    : Sleep                  = DCBBDFD31893F015
DEBUG: donut.c:698:CreateInstance(): Hash for kernel32.dll    : MultiByteToWideChar    = FE4C58A8C71668BA
DEBUG: donut.c:698:CreateInstance(): Hash for kernel32.dll    : GetUserDefaultLCID     = BE9FED813F8DCA2
DEBUG: donut.c:698:CreateInstance(): Hash for oleaut32.dll    : SafeArrayCreate        = E63853C41BFD90A4
DEBUG: donut.c:698:CreateInstance(): Hash for oleaut32.dll    : SafeArrayCreateVector  = CA27E31FD7103EEA
DEBUG: donut.c:698:CreateInstance(): Hash for oleaut32.dll    : SafeArrayPutElement    = 9A5293CA521B2082
DEBUG: donut.c:698:CreateInstance(): Hash for oleaut32.dll    : SafeArrayDestroy       = 35E5EE184B0E29BC
DEBUG: donut.c:698:CreateInstance(): Hash for oleaut32.dll    : SafeArrayGetLBound     = CBE4859AFE656F63
DEBUG: donut.c:698:CreateInstance(): Hash for oleaut32.dll    : SafeArrayGetUBound     = 5C01C1B18A17C47
DEBUG: donut.c:698:CreateInstance(): Hash for oleaut32.dll    : SysAllocString         = F377A16EFFB07660
DEBUG: donut.c:698:CreateInstance(): Hash for oleaut32.dll    : SysFreeString          = 2CEF9CA5579BB4C4
DEBUG: donut.c:698:CreateInstance(): Hash for oleaut32.dll    : LoadTypeLib            = 985260289F8462
DEBUG: donut.c:698:CreateInstance(): Hash for wininet.dll     : InternetCrackUrlA      = 47131A87EB1A73F2
DEBUG: donut.c:698:CreateInstance(): Hash for wininet.dll     : InternetOpenA          = 4FC912588DE2B663
DEBUG: donut.c:698:CreateInstance(): Hash for wininet.dll     : InternetConnectA       = 7944D8FC12654577
DEBUG: donut.c:698:CreateInstance(): Hash for wininet.dll     : InternetSetOptionA     = E5F46F9A4BB69829
DEBUG: donut.c:698:CreateInstance(): Hash for wininet.dll     : InternetReadFile       = CB3ACE4B44B126F3
DEBUG: donut.c:698:CreateInstance(): Hash for wininet.dll     : InternetCloseHandle    = E9DC0672F4A8562D
DEBUG: donut.c:698:CreateInstance(): Hash for wininet.dll     : HttpOpenRequestA       = D8BF2129B31FE23F
DEBUG: donut.c:698:CreateInstance(): Hash for wininet.dll     : HttpSendRequestA       = 1DE34AB7F9B81848
DEBUG: donut.c:698:CreateInstance(): Hash for wininet.dll     : HttpQueryInfoA         = BCDF6ED6F7662F5B
DEBUG: donut.c:698:CreateInstance(): Hash for mscoree.dll     : CorBindToRuntime       = 93DE6285FC2CDDD9
DEBUG: donut.c:698:CreateInstance(): Hash for mscoree.dll     : CLRCreateInstance      = EB15AB07B8438BD0
DEBUG: donut.c:698:CreateInstance(): Hash for ole32.dll       : CoInitializeEx         = B1A1B2BB9AA44298
DEBUG: donut.c:698:CreateInstance(): Hash for ole32.dll       : CoCreateInstance       = 56B41A3D866B36FF
DEBUG: donut.c:698:CreateInstance(): Hash for ole32.dll       : CoUninitialize         = 1909B767E54AC00B
DEBUG: donut.c:726:CreateInstance(): Copying GUID structures and DLL strings for loading VBS/JS
DEBUG: donut.c:811:CreateInstance(): Copying module data to instance
DEBUG: donut.c:816:CreateInstance(): encrypting instance
DEBUG: donut.c:828:CreateInstance(): Leaving.
DEBUG: donut.c:988:DonutCreate(): Saving instance to file
DEBUG: donut.c:1021:DonutCreate(): PIC size : 30902
DEBUG: donut.c:1028:DonutCreate(): Inserting opcodes
DEBUG: donut.c:1064:DonutCreate(): Copying 16111 bytes of x86 + amd64 shellcode
DEBUG: donut.c:268:unmap_file(): Unmapping
DEBUG: donut.c:271:unmap_file(): Closing
DEBUG: donut.c:1090:DonutCreate(): Leaving.
  [ Instance type : PIC
  [ Module file   : "C:\Users\b33f\Desktop\test.vbs"
  [ File type     : VBScript
  [ Target CPU    : x86+AMD64
  [ AMSI/WDLP     : continue
  [ Shellcode     : "C:\Users\b33f\Desktop\test.bin"

And the instance output. Note the JSError: Permission denied: 'MsgBox' line[0:0].

C:\Users\b33f\Desktop\donut-master>payload\payload.exe instance
Running...
DEBUG: payload.c:46:ThreadProc(): Maru IV : BABD7E54BB820282
DEBUG: payload.c:49:ThreadProc(): Resolving address for VirtualAlloc() : 2B203BB1E5CAA0A3
DEBUG: payload.c:53:ThreadProc(): Resolving address for VirtualAlloc() : 11103F019F028A7E
DEBUG: payload.c:62:ThreadProc(): VirtualAlloc : 75B35ED0 VirtualFree : 75B35EF0
DEBUG: payload.c:64:ThreadProc(): Allocating 14759 bytes of RW memory
DEBUG: payload.c:71:ThreadProc(): Copying 14759 bytes of data to memory 001E0000
DEBUG: payload.c:75:ThreadProc(): Zero initializing PDONUT_ASSEMBLY
DEBUG: payload.c:83:ThreadProc(): Decrypting 14759 bytes of instance
DEBUG: payload.c:90:ThreadProc(): Generating hash to verify decryption
DEBUG: payload.c:92:ThreadProc(): Instance : 86c93c034facc7ef | Result : 86c93c034facc7ef
DEBUG: payload.c:99:ThreadProc(): Resolving LoadLibraryA
DEBUG: payload.c:105:ThreadProc(): Loading ole32.dll ...
DEBUG: payload.c:105:ThreadProc(): Loading oleaut32.dll ...
DEBUG: payload.c:105:ThreadProc(): Loading wininet.dll ...
DEBUG: payload.c:105:ThreadProc(): Loading mscoree.dll ...
DEBUG: payload.c:109:ThreadProc(): Resolving 33 API
DEBUG: payload.c:112:ThreadProc(): Resolving API address for B2795FC9DC9F3371
DEBUG: payload.c:112:ThreadProc(): Resolving API address for 75C011E083850109
DEBUG: payload.c:112:ThreadProc(): Resolving API address for 2B203BB1E5CAA0A3
DEBUG: payload.c:112:ThreadProc(): Resolving API address for 11103F019F028A7E
DEBUG: payload.c:112:ThreadProc(): Resolving API address for 41CE65B0A9AD3E28
DEBUG: payload.c:112:ThreadProc(): Resolving API address for 7504E9E76041F3A9
DEBUG: payload.c:112:ThreadProc(): Resolving API address for DCBBDFD31893F015
DEBUG: payload.c:112:ThreadProc(): Resolving API address for FE4C58A8C71668BA
DEBUG: payload.c:112:ThreadProc(): Resolving API address for 0BE9FED813F8DCA2
DEBUG: payload.c:112:ThreadProc(): Resolving API address for E63853C41BFD90A4
DEBUG: payload.c:112:ThreadProc(): Resolving API address for CA27E31FD7103EEA
DEBUG: payload.c:112:ThreadProc(): Resolving API address for 9A5293CA521B2082
DEBUG: payload.c:112:ThreadProc(): Resolving API address for 35E5EE184B0E29BC
DEBUG: payload.c:112:ThreadProc(): Resolving API address for CBE4859AFE656F63
DEBUG: payload.c:112:ThreadProc(): Resolving API address for 05C01C1B18A17C47
DEBUG: payload.c:112:ThreadProc(): Resolving API address for F377A16EFFB07660
DEBUG: payload.c:112:ThreadProc(): Resolving API address for 2CEF9CA5579BB4C4
DEBUG: payload.c:112:ThreadProc(): Resolving API address for 00985260289F8462
DEBUG: payload.c:112:ThreadProc(): Resolving API address for 47131A87EB1A73F2
DEBUG: payload.c:112:ThreadProc(): Resolving API address for 4FC912588DE2B663
DEBUG: payload.c:112:ThreadProc(): Resolving API address for 7944D8FC12654577
DEBUG: payload.c:112:ThreadProc(): Resolving API address for E5F46F9A4BB69829
DEBUG: payload.c:112:ThreadProc(): Resolving API address for CB3ACE4B44B126F3
DEBUG: payload.c:112:ThreadProc(): Resolving API address for E9DC0672F4A8562D
DEBUG: payload.c:112:ThreadProc(): Resolving API address for D8BF2129B31FE23F
DEBUG: payload.c:112:ThreadProc(): Resolving API address for 1DE34AB7F9B81848
DEBUG: payload.c:112:ThreadProc(): Resolving API address for BCDF6ED6F7662F5B
DEBUG: payload.c:112:ThreadProc(): Resolving API address for 93DE6285FC2CDDD9
DEBUG: payload.c:112:ThreadProc(): Resolving API address for EB15AB07B8438BD0
DEBUG: payload.c:112:ThreadProc(): Resolving API address for B1A1B2BB9AA44298
DEBUG: peb.c:87:FindExport(): b1a1b2bb9aa44298 is forwarded to api-ms-win-core-com-l1-1-0.CoInitializeEx
DEBUG: peb.c:110:FindExport(): Trying to load api-ms-win-core-com-l1-1-0.dll
DEBUG: peb.c:114:FindExport(): Calling GetProcAddress(CoInitializeEx)
DEBUG: payload.c:112:ThreadProc(): Resolving API address for 56B41A3D866B36FF
DEBUG: peb.c:87:FindExport(): 56b41a3d866b36ff is forwarded to api-ms-win-core-com-l1-1-0.CoCreateInstance
DEBUG: peb.c:110:FindExport(): Trying to load api-ms-win-core-com-l1-1-0.dll
DEBUG: peb.c:114:FindExport(): Calling GetProcAddress(CoCreateInstance)
DEBUG: payload.c:112:ThreadProc(): Resolving API address for 1909B767E54AC00B
DEBUG: peb.c:87:FindExport(): 1909b767e54ac00b is forwarded to api-ms-win-core-com-l1-1-0.CoUninitialize
DEBUG: peb.c:110:FindExport(): Trying to load api-ms-win-core-com-l1-1-0.dll
DEBUG: peb.c:114:FindExport(): Calling GetProcAddress(CoUninitialize)
DEBUG: payload.c:128:ThreadProc(): Using module embedded in instance
DEBUG: bypass.c:111:DisableAMSI(): Length of AmsiScanBufferStub is 15 bytes.
DEBUG: bypass.c:121:DisableAMSI(): Overwriting AmsiScanBuffer
DEBUG: bypass.c:136:DisableAMSI(): Length of AmsiScanStringStub is 15 bytes.
DEBUG: bypass.c:146:DisableAMSI(): Overwriting AmsiScanString
DEBUG: payload.c:139:ThreadProc(): DisableAMSI OK
DEBUG: bypass.c:325:DisableWLDP(): Length of WldpQueryDynamicCodeTrustStub is 9 bytes.
DEBUG: bypass.c:349:DisableWLDP(): Length of WldpIsClassInApprovedListStub is 18 bytes.
DEBUG: payload.c:145:ThreadProc(): DisableWLDP OK
DEBUG: inmem_script.c:46:RunScript(): Using module embedded in instance
DEBUG: wscript.c:75:Host_New(): LoadTypeLib("wscript.exe")
DEBUG: wscript.c:79:Host_New(): ITypeLib::GetTypeInfoOfGuid
DEBUG: wscript.c:84:Host_New(): HRESULT : 00000000
DEBUG: inmem_script.c:76:RunScript(): CoInitializeEx
DEBUG: inmem_script.c:81:RunScript(): CoCreateInstance(IID_IActiveScript)
DEBUG: inmem_script.c:90:RunScript(): IActiveScript::QueryInterface(IActiveScriptParse)
DEBUG: inmem_script.c:103:RunScript(): IActiveScriptParse::InitNew
DEBUG: inmem_script.c:108:RunScript(): IActiveScript::SetScriptSite
DEBUG: activescript.c:58:ActiveScript_QueryInterface(): IActiveScriptSite::QueryInterface
DEBUG: activescript.c:79:ActiveScript_AddRef(): IActiveScriptSite::AddRef : m_cRef : 1
DEBUG: activescript.c:149:ActiveScript_GetLCID(): IActiveScriptSite::GetLCID
DEBUG: activescript.c:171:ActiveScript_OnStateChange(): IActiveScriptSite::OnStateChange
DEBUG: activescript.c:58:ActiveScript_QueryInterface(): IActiveScriptSite::QueryInterface
DEBUG: inmem_script.c:115:RunScript(): IActiveScript::AddNamedItem("WScript")
DEBUG: inmem_script.c:122:RunScript(): IActiveScriptParse::ParseScriptText
DEBUG: inmem_script.c:128:RunScript(): IActiveScript::SetScriptState(SCRIPTSTATE_CONNECTED)
DEBUG: activescript.c:79:ActiveScript_AddRef(): IActiveScriptSite::AddRef : m_cRef : 2
DEBUG: activescript.c:177:ActiveScript_OnEnterScript(): IActiveScriptSite::OnEnterScript
DEBUG: activescript.c:58:ActiveScript_QueryInterface(): IActiveScriptSite::QueryInterface
DEBUG: activescript.c:58:ActiveScript_QueryInterface(): IActiveScriptSite::QueryInterface
DEBUG: activescript.c:79:ActiveScript_AddRef(): IActiveScriptSite::AddRef : m_cRef : 3
DEBUG: activescript.c:58:ActiveScript_QueryInterface(): IActiveScriptSite::QueryInterface
DEBUG: activescript.c:58:ActiveScript_QueryInterface(): IActiveScriptSite::QueryInterface
DEBUG: activescript.c:89:ActiveScript_Release(): IActiveScriptSite::Release : m_cRef : 2
DEBUG: activescript.c:123:ActiveScript_OnScriptError(): IActiveScriptSite::OnScriptError
DEBUG: activescript.c:133:ActiveScript_OnScriptError(): IActiveScriptError::GetExceptionInfo
DEBUG: activescript.c:136:ActiveScript_OnScriptError(): IActiveScriptError::GetSourcePosition
DEBUG: activescript.c:142:ActiveScript_OnScriptError(): JSError: Permission denied: 'MsgBox' line[0:0]
DEBUG: activescript.c:183:ActiveScript_OnLeaveScript(): IActiveScriptSite::OnLeaveScript
DEBUG: activescript.c:89:ActiveScript_Release(): IActiveScriptSite::Release : m_cRef : 1
DEBUG: activescript.c:171:ActiveScript_OnStateChange(): IActiveScriptSite::OnStateChange
DEBUG: inmem_script.c:137:RunScript(): IActiveScriptParse::Release
DEBUG: inmem_script.c:140:RunScript(): IActiveScript::Close
DEBUG: activescript.c:171:ActiveScript_OnStateChange(): IActiveScriptSite::OnStateChange
DEBUG: activescript.c:171:ActiveScript_OnStateChange(): IActiveScriptSite::OnStateChange
DEBUG: activescript.c:171:ActiveScript_OnStateChange(): IActiveScriptSite::OnStateChange
DEBUG: activescript.c:89:ActiveScript_Release(): IActiveScriptSite::Release : m_cRef : 0
DEBUG: inmem_script.c:143:RunScript(): IActiveScript::Release
DEBUG: inmem_script.c:147:RunScript(): Erasing script from memory
DEBUG: inmem_script.c:150:RunScript(): VirtualFree(script)
DEBUG: payload.c:188:ThreadProc(): Erasing RW memory for instance
DEBUG: payload.c:191:ThreadProc(): Releasing RW memory for instance

odzhan commented 5 years ago

Hello. I'm guessing this has something to do with IActiveScriptSiteUIControl or IActiveScriptSiteWindow not being implemented. Will have a look now.

odzhan commented 5 years ago

activescript.c was updated to support the IActiveScriptSiteWindow interface. It will probably require further testing, but so far, MsgBox and InputBox appear to work. Let me know how it works for you and thanks for reporting this.

FuzzySecurity commented 5 years ago

Hey @odzhan, it is working for me; I'll open a new issue if anything else comes up!

Big thanks to you and @TheWover for your work on this project :heart: