mitre-attack / attack-arsenal

A collection of red team and adversary emulation resources developed and released by MITRE.
Apache License 2.0

Day 1: SeaDuke Payload #13

Closed. leegengyu closed this 4 years ago

leegengyu commented 4 years ago

This is the last command found in the preparation of the SeaDuke payload in payload_configs.md: pyinstaller -F python.py --upx --brute python.exe

According to the PyInstaller documentation on using UPX, there does not seem to be a --upx option available.

Running it on the command prompt also shows that such an option was rejected in my case: [screenshot]

From my understanding, in addition to not having --upx, it does not seem possible to pass UPX-related options to the pyinstaller command, i.e. I could not pass the --brute option to pyinstaller, which would run with UPX.

The command which worked for me was pyinstaller -F python.py --upx-exclude vcruntime140.dll.

Without excluding vcruntime140.dll, the meterpreter session from python.exe would not be opened, as the executable would exit with an error code of -1: [screenshot]

According to a user in an issue opened on PyInstaller's end, "UPX compression strips the SHA Digital Signature from vcruntime140.dll so it is no longer seen as valid."


  1. Is there a version of pyinstaller that runs with the option --upx that I was unaware of?
  2. Is there a way to pass the option of --brute to the UPX that is running with PyInstaller (if my version of the command is correct)?
jcwilliamsATmitre commented 4 years ago

hey @leegengyu!

Those are actually two separate commands that got merged somehow 🤦‍♂️

1. pyinstaller -F python.py
2. upx --brute python.exe

The 2nd is using https://github.com/upx/upx, I have sent a pull to update the instructions. Sorry about the confusion and thanks for running down all these issues!
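As an added example, not code from the attack-arsenal repository or from either commenter, the script below puts the two separate steps above together with the vcruntime140.dll caveat from the first comment. It checks each collected PE file for an Authenticode certificate table (the signed runtime DLL is the one that stops loading once UPX has rewritten it), turns the signed ones into --upx-exclude arguments for the pyinstaller step, and builds the separate upx --brute step for the resulting exe. It can also tell from the section names whether a file actually came out UPX-packed. The PE images it exercises are constructed inline; the function names, the directory walk in the __main__ block and the file names in the checks are this example's own assumptions, not PyInstaller's or UPX's.

```python
import struct
import sys
from pathlib import Path

# Index of the certificate table (Authenticode) in the PE data directories.
IMAGE_DIRECTORY_ENTRY_SECURITY = 4


def _optional_header(pe: bytes):
    """Return (optional_header_offset, its_size, number_of_sections), or None if not a PE."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4                                   # COFF file header, 20 bytes
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    return coff + 20, opt_size, num_sections


def has_authenticode(pe: bytes) -> bool:
    """True if the security data directory points at a certificate table (presence only, no validation)."""
    hdr = _optional_header(pe)
    if hdr is None:
        return False
    opt, _, _ = hdr
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                                    # PE32
        count_off, dirs_off = 92, 96
    elif magic == 0x20B:                                  # PE32+
        count_off, dirs_off = 108, 112
    else:
        return False
    if struct.unpack_from("<I", pe, opt + count_off)[0] <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return False
    entry = opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    file_offset, size = struct.unpack_from("<II", pe, entry)
    # Unlike the other directories, this entry is a raw file offset, not an RVA.
    return file_offset != 0 and size != 0 and file_offset + size <= len(pe)


def section_names(pe: bytes) -> list:
    """Section names from the section table that follows the optional header."""
    hdr = _optional_header(pe)
    if hdr is None:
        return []
    opt, opt_size, n = hdr
    table = opt + opt_size                                # 40-byte section headers, name first
    return [pe[table + 40 * i:table + 40 * i + 8].rstrip(b"\0").decode("ascii", "replace") for i in range(n)]


def is_upx_packed(pe: bytes) -> bool:
    """UPX renames the sections it creates to UPX0/UPX1, which is enough to confirm a packed result."""
    return any(name.startswith("UPX") for name in section_names(pe))


def upx_excludes(files: dict) -> list:
    """Names (from a name -> bytes mapping) of the PE files that carry a signature and must stay uncompressed."""
    return sorted(name for name, data in files.items() if has_authenticode(data))


def build_commands(script: str, excludes: list) -> tuple:
    """The two separate steps: a pyinstaller invocation with --upx-exclude for each signed file, then upx --brute."""
    exe = Path(script).with_suffix(".exe").name
    pyi = ["pyinstaller", "-F", script]
    for name in excludes:
        pyi += ["--upx-exclude", name]
    return pyi, ["upx", "--brute", exe]


def build_test_pe(signed: bool, sections=(b".text",)) -> bytes:
    """Constructed, non-loadable PE32+ sample used only to exercise the checks above (not a real binary)."""
    n = len(sections)
    opt = bytearray(240)                                  # PE32+ optional header with 16 directories
    struct.pack_into("<H", opt, 0, 0x20B)                 # Magic: PE32+
    struct.pack_into("<I", opt, 108, 16)                  # NumberOfRvaAndSizes
    cert_off = 0x40 + 4 + 20 + len(opt) + 40 * n + 0x200  # certificate table sits after the image data
    cert = b""
    if signed:
        # WIN_CERTIFICATE: dwLength, wRevision=0x0200, wCertificateType=0x0002 (PKCS#7), then a dummy blob.
        cert = struct.pack("<IHH", 16, 0x0200, 0x0002) + b"\0" * 8
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, cert_off, len(cert))
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew -> PE signature right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x8664, n, 0, 0, 0, len(opt), 0x22)
    table = b"".join(s.ljust(8, b"\0") + b"\0" * 32 for s in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table + b"\0" * 0x200 + cert


if __name__ == "__main__":
    # Usage (assumed layout): python upx_excludes.py <dir with the collected DLLs> python.py
    dist = Path(sys.argv[1])
    files = {p.name: p.read_bytes() for p in dist.rglob("*") if p.suffix.lower() in (".dll", ".pyd", ".exe")}
    pyi, upx = build_commands(sys.argv[2], upx_excludes(files))
    print(" ".join(pyi))
    print(" ".join(upx))
```

The signature check only reports that a certificate table is present; it does not verify the signature, which is all that is needed to decide what to keep out of UPX. After the second step, is_upx_packed on the produced exe confirms that upx --brute actually rewrote it rather than skipping the file.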