The Java Signed Applet attack is a very well-known and widely used Social Engineering attack vector for getting reliable code execution on a system. As many of you may know, Oracle recently released an update that prevents self-signed applets from executing. Because of this, the attack just got a little more difficult to pull off, and in my opinion this vector is close to dead. As a result, pentesters will need to start looking at other reliable methods for getting code execution through Social Engineering. I have done a little work on this over the past few weeks, so I figured I would put all the information in one place.
This attack technique leverages Invoke-Shellcode. You have two options when using it: you can either host Invoke-Shellcode, or you can use @mattifestation's PowerSploit module and embed Invoke-Shellcode within the macro. Here's an example (the quotes must be straight ASCII quotes for PowerShell to parse the string):
Out-EncodedCommand -ScriptBlock ([scriptblock]::Create((ls Function:\Invoke-Shellcode).Definition + "Invoke-Shellcode -Shellcode (@(1,2,3)) -Force`n`n"))
If you haven’t looked at PowerSploit, check it out. It is a great tool.
1. Disable Proxy Settings
This macro disables any proxy settings, executes a payload and then persists by adding two scheduled tasks. One executes a payload after 30 minutes of idle time and the other clears the proxy settings again after 30 minutes of idle time. This macro will take care of any troublesome proxies.
The code for this can be found here:
https://github.com/enigma0x3/Office-Client-Side-attack/blob/master/ProxyMacro
And a walk-through can be found here:
https://enigma0x3.wordpress.com/2014/01/15/new-feature-added-to-powershell-payload-excel-delivery/
2. Persist with Scheduled Tasks
This macro simply executes a payload and then persists by scheduling a task that executes a new payload after 30 minutes of idle time.
The code can be found here:
https://github.com/enigma0x3/Office-Client-Side-attack/blob/master/SchTasksMacro
And a walk-through can be found here:
https://enigma0x3.wordpress.com/2014/01/11/using-a-powershell-payload-in-a-client-side-attack/
3. Web Persistence
This macro executes a payload and then creates a registry key that executes a hosted persistence script. The persistence script polls a configured website for a configured keyword; if the keyword is found, it executes a new payload.
The code can be found here:
https://github.com/enigma0x3/Office-Client-Side-attack/blob/master/WebPersistenceMacro
And a walk-through can be found here:
4. Persist by dropping a malicious Normal.dotm and calling it on startup
The code can be found here:
https://github.com/enigma0x3/WordPersistence
And a walk-through can be found here:
https://enigma0x3.wordpress.com/2014/01/23/maintaining-access-with-normal-dotm/
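As an added defensive counterpart (this is not code from the original post or from the linked repositories), here is a read-only PowerShell audit that looks for the artifacts the four macros above leave behind: idle-triggered scheduled tasks running encoded PowerShell, Run-key values that launch PowerShell, a macro-enabled Normal.dotm, and the current user's proxy state. The registry paths, the template path and the `-e/-enc` argument regex are assumptions on my part, not values from the post.

```powershell
# Added audit script, not from the original post or its linked repositories. Read-only: reports
# artifacts matching the four macros above (Windows 8 / Server 2012 or later, ScheduledTasks module).
function Get-IdleTriggeredEncodedPowerShellTasks {
    # Macros 1 and 2: a task with an idle trigger whose action runs an
    # encoded PowerShell command. The -e/-en/-enc prefix match is a heuristic.
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        $idle = $task.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskIdleTrigger' }
        $enc  = $task.Actions  | Where-Object {
            $_.Execute -match '(?i)powershell' -and $_.Arguments -match '(?i)(^|\s)-(e|en|enc|encodedcommand)\s'
        }
        if ($idle -and $enc) {
            [pscustomobject]@{ Task = "$($task.TaskPath)$($task.TaskName)"; Arguments = $enc.Arguments }
        }
    }
}

function Get-RunKeyPowerShellEntries {
    # Macro 3: a Run-key value that launches PowerShell (e.g. to fetch a hosted script).
    foreach ($hive in 'HKCU:', 'HKLM:') {
        $key = "$hive\Software\Microsoft\Windows\CurrentVersion\Run"
        if (-not (Test-Path $key)) { continue }
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match '(?i)powershell' } |
            ForEach-Object { [pscustomobject]@{ Key = $key; Name = $_.Name; Command = $_.Value } }
    }
}

function Test-NormalTemplateHasMacros {
    # Macro 4: Normal.dotm is an OOXML zip; a VBA project is stored at word/vbaProject.bin.
    $path = Join-Path $env:APPDATA 'Microsoft\Templates\Normal.dotm'
    if (-not (Test-Path $path)) { return $null }
    Add-Type -AssemblyName System.IO.Compression.FileSystem
    $zip = [System.IO.Compression.ZipFile]::OpenRead($path)
    try     { $hasVba = [bool]($zip.Entries | Where-Object { $_.FullName -eq 'word/vbaProject.bin' }) }
    finally { $zip.Dispose() }
    [pscustomobject]@{ Path = $path; HasVbaProject = $hasVba; LastWrite = (Get-Item $path).LastWriteTime }
}

function Get-UserProxyState {
    # Macro 1 clears the user's proxy: a ProxyEnable of 0 where one is expected deserves a look.
    $p = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    [pscustomobject]@{ ProxyEnable = $p.ProxyEnable; ProxyServer = $p.ProxyServer }
}

Get-IdleTriggeredEncodedPowerShellTasks | Format-Table -AutoSize
Get-RunKeyPowerShellEntries             | Format-Table -AutoSize
Test-NormalTemplateHasMacros
Get-UserProxyState
```

Run it as the user being checked; a hit from any of the first three functions is the post's persistence mechanism sitting on disk, and a freshly written Normal.dotm with a VBA project is worth pulling for analysis even when the other checks are clean.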
Hopefully this can be of some use. Let me know if you have questions or problems. *RIP Signed Java Applet Attack*
-Matt Nelson (@enigma0x3)
Again, nice work Matt! Just so that people are aware, hosting Invoke-Shellcode isn’t absolutely necessary. You can certainly embed a compressed, encoded version of the payload within the macro. Here’s an example of how you could automate the generation of the payload using PowerSploit (assuming the module is loaded):
Out-EncodedCommand -ScriptBlock ([scriptblock]::Create((ls Function:\Invoke-Shellcode).Definition + "Invoke-Shellcode -Shellcode (@(1,2,3)) -Force`n`n"))
Cheers,
Matt
Thanks for the feedback Matt! I didn’t dig that deep. I have updated the post 🙂 Thanks for all the work you do…PowerSploit is an epic tool!