.hta's Broken in latest unicorn? #34
Comments
I am having the exact same issue. Except on mine I receive four different script errors. Same window as you have shown above. All related to ')'.
Thanks for the report, will take a peek today and get a fix out.
Definitely a quoting issue with the new obfuscation technique introduced; the single quotes are injected into the command. I'll figure out a workaround.
Thanks for the report, I've just released version 2.6 which fixes the escaping issue. I also decided to take a first stab at obfuscation of the HTA attack vector. I know things such as WScript.Shell could pop so I've randomized all of that and the variable names. Should be much harder to detect. Thanks for the report and let me know if there's anything else! -Dave
I'm no longer able to generate working .hta's using unicorn. I was wondering if you could confirm this is a legitimate issue, or is this just me?
I've generated working payloads on my setup before pulling the latest from GitHub. The problem appears to be that the .hta generated has some sort of syntax error, maybe from unbalanced quotes?
Steps to Recreate
or, if you have it, update to the latest:
Temporary Workaround
Reverting to version 2.4.2 appears to fix the issue:
Additional Details
I believe the issue is the quoting right before the larger base64 part of the payload (right before “STUFF” in this comparison for example). Reverting to 2.4.2, right before commit 8fc0a81, appears to resolve the error message and allow proper payload execution.
2.4.2:
2.4.3:
So it could be related to this commit: 8fc0a81