mdsecactivebreach / SharpShooter

Payload Generation Framework
BSD 3-Clause "New" or "Revised" License

.net 4 payload generation issues #8

Closed SSATKINS closed 6 years ago

SSATKINS commented 6 years ago

Payload generation for .net 4 results in a prompt on a default Windows 10 installation to install .net 3.5.

This is via command line and interactive methods.

I believe the confusion is in the code where 1=.net 2 and 2=.net 4 and a decision is made where 2 (meaning .net 4) takes .net 2 instead.

Result is .net 2 payloads are always generated.

Easily missed if testing from a Windows 10 system that has had older .net installed.

dmchell commented 6 years ago

Can you provide an example command line you're using? I'm not able to reproduce this...

e.g. $ python SharpShooter.py --stageless --dotnetver 4 --payload hta --output foo --rawscfile ./raw.txt --sandbox 4 --smuggle --template mcafee

This generates a v4 payload - you can tell by enabling the print on line 537, where the created output uses Wscript.shell.

SSATKINS commented 6 years ago

Using the syntax above I confirm that the output is .net version 4.0 as the print statement shows the use of WScript.Shell.

However this triggers the prompt for .NET Framework 3.5 installation on a fresh Windows 10 install.

This can be remediated by replacing your SetVersion sub with the one in Vincent's commit 12 days ago here: https://github.com/vysec/CACTUSTORCH/commit/9527c13a019a44f5368873aeb9828847321b8cf0

This bypasses Sophos, ESET etc. but Windows Defender picked up on execution of the output HTA from the above exercise. I'm not sure at this stage what it flagged on.

dmchell commented 6 years ago

I'll give the setversion stub a test and see how it fares.

In terms of defender, you may want to review #9. This should be a case of just using some opsec shellcode, or using the encrypter referenced in the issue.

SSATKINS commented 6 years ago

Looks like #9 is the Defender issue - thanks.

Feel free to close if the setversion prevents the .NET Framework popup 👍

dmchell commented 6 years ago

Tracked this down and fixed in this commit https://github.com/mdsecactivebreach/SharpShooter/commit/d9750be14b5e5218605dfc3d88225dc8b5c51e9d

dmchell commented 6 years ago

Thanks @SSATKINS

myexploit commented 5 years ago

Sorry about adding this to issue 8 but it seems the closest to what I'm getting.

Using a freshly spun-up Win 10 from developer.microsoft.com Build 17763.rs5_release.180914-1434

python SharpShooter.py --stageless --dotnetver 4 --payload hta --output foo --rawscfile /root/Desktop/payload.bin --sandbox 4 --smuggle --template mcafee

I’m getting the following error on my Win 10 VM.

The HTA works fine with Windows 7.