
Comments (16)

Tylous commented on July 22, 2024

@adelicato @Sh0ckFR I see a bug with the zip function handling full and relative paths. I am working to address it right now. If you use the current folder where the zipexec binary is living, i.e. -I binary.exe, -o output.js, rather than /home/user/..., it should be a quick workaround while I fix this. @Acey34 Once I address this bug I will provide something along those lines.

from zipexec.

Acey34 commented on July 22, 2024

We would appreciate it if @Tylous could provide a short video of the PoC.

Tylous commented on July 22, 2024

@Acey34 I am still tweaking things to make sure all potential inputted paths work. I will add something demo-wise shortly afterward.

Tylous commented on July 22, 2024

That bug should be fixed. As for the Defender comment, @Sh0ckFR, Defender is probably catching it at runtime. This technique helps avoid everything but that. When a payload runs, it acts the same way as it would if you just double-clicked it and ran it. This is simply a unique way of delivering a binary-based payload to an endpoint and protecting it on disk.

commented on July 22, 2024

I agree with you, it does not work on my side either.

Tylous commented on July 22, 2024

Two things come to mind. The first is: is the Windows 10 machine on a domain? If it's not, it won't work, because the -sandbox flag will only allow it to run on domain-joined systems. The second is the binary itself. It might be worth trying different loaders.

commented on July 22, 2024

Mine is just in a WORKGROUP. Why is it mandatory to be part of a domain? I have tried a bunch of different binaries, so I will try adding the machine to a domain and see what happens.

Tylous commented on July 22, 2024

If it's not domain-joined, then don't use the -sandbox flag.

Sh0ckFR commented on July 22, 2024

On my side, I tested both options, with the -sandbox flag and without; my binary is a classic Cobalt Strike beacon and nothing happens (in stageless or staged mode).

My Windows VM version is 10.0.19043. I will try on another VM with a different version tomorrow.

commented on July 22, 2024

I have tried both with and without the -sandbox flag and it does not work (with a bunch of different binaries, as I said before). Could you provide a working binary (and a way to check whether it worked)?

Sh0ckFR commented on July 22, 2024

@Acey34 Nope, and I checked the %temp% directory; the zip file is not present.

VoldeSec commented on July 22, 2024

When I run the JS, the exe created in %TEMP% was caught by the anti-malware...

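The comments above describe the on-host chain: the generated .js runs under the script host, writes a zip into %TEMP%, extracts the exe there, and launches it, which is the point where Defender catches it at runtime. The following is an added example for the defensive side, not code from ZipExec or its author: a small hunt over Sysmon-style process-create (EventID 1) and file-create (EventID 11) events that flags a script host dropping an archive or PE into a temp directory and then launching an image from that directory. The event lines, paths and process IDs are constructed for the example; the field names mimic Sysmon but the pipe-delimited layout is an assumption for readability, not a real log format.

```python
"""Hunt for the script-host -> %TEMP% drop -> execute chain in Sysmon-style events.

Added example; not part of ZipExec. Sample events below are constructed.
"""
import re

# Constructed sample telemetry (not real logs). Layout: key=value pairs joined by '|'.
SAMPLE_EVENTS = [
    "EventID=1|ProcessId=4120|ParentProcessId=880|Image=C:\\Windows\\System32\\wscript.exe"
    "|ParentImage=C:\\Windows\\explorer.exe|CommandLine=wscript.exe C:\\Users\\bob\\Downloads\\output.js",
    "EventID=11|ProcessId=4120|Image=C:\\Windows\\System32\\wscript.exe"
    "|TargetFilename=C:\\Users\\bob\\AppData\\Local\\Temp\\payload.zip",
    "EventID=11|ProcessId=4120|Image=C:\\Windows\\System32\\wscript.exe"
    "|TargetFilename=C:\\Users\\bob\\AppData\\Local\\Temp\\binary.exe",
    "EventID=1|ProcessId=4300|ParentProcessId=4120|Image=C:\\Users\\bob\\AppData\\Local\\Temp\\binary.exe"
    "|ParentImage=C:\\Windows\\System32\\wscript.exe|CommandLine=binary.exe",
    # Benign: an installer running from Temp, but spawned by msiexec, not a script host.
    "EventID=1|ProcessId=5000|ParentProcessId=1200|Image=C:\\Users\\bob\\AppData\\Local\\Temp\\setup.exe"
    "|ParentImage=C:\\Windows\\System32\\msiexec.exe|CommandLine=setup.exe /quiet",
    # Benign: a logon script writing a text log into Temp (no archive or PE).
    "EventID=11|ProcessId=6000|Image=C:\\Windows\\System32\\wscript.exe"
    "|TargetFilename=C:\\Users\\bob\\AppData\\Local\\Temp\\logon.log",
]

# Windows script hosts that commonly run .js/.vbs/.hta wrappers.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# Per-user and system temp directories (%TEMP% for a normal user resolves under AppData\Local\Temp).
TEMP_DIR_RE = re.compile(r"\\(AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)
# File types worth flagging when a script host writes them into Temp.
DROPPED_EXT_RE = re.compile(r"\.(zip|exe|dll)$", re.IGNORECASE)


def parse_event(line):
    """Split one constructed 'k=v|k=v' line into a dict."""
    return dict(kv.split("=", 1) for kv in line.split("|"))


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def hunt(lines):
    """Return alert strings for two rules:
    R1: a script host writes an archive or PE into a temp directory.
    R2: a script host launches an image from a temp directory; the alert notes
        whether the same parent PID was already seen dropping that exact file (R1),
        which is the full chain described in the thread.
    """
    alerts = []
    droppers = {}  # script-host PID -> paths it dropped into Temp
    for line in lines:
        ev = parse_event(line)
        eid = ev.get("EventID")
        if eid == "11":
            img = basename(ev.get("Image", ""))
            target = ev.get("TargetFilename", "")
            if img in SCRIPT_HOSTS and TEMP_DIR_RE.search(target) and DROPPED_EXT_RE.search(target):
                droppers.setdefault(ev["ProcessId"], []).append(target)
                alerts.append(f"R1 pid={ev['ProcessId']} {img} wrote {target}")
        elif eid == "1":
            parent = basename(ev.get("ParentImage", ""))
            image = ev.get("Image", "")
            if parent in SCRIPT_HOSTS and TEMP_DIR_RE.search(image):
                ppid = ev.get("ParentProcessId")
                chained = image in droppers.get(ppid, [])
                alerts.append(
                    f"R2 pid={ev['ProcessId']} {parent} launched {image} "
                    f"(dropped-by-same-parent={chained})"
                )
    return alerts


if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert)
```

On the constructed sample this yields two R1 alerts (the zip and the exe written by wscript.exe) and one R2 alert for the exe launched by the same wscript.exe PID with the chain flag set; the msiexec-spawned installer and the .log write are not flagged. R2 on its own is the higher-value signal for this delivery method, since the comments note the zip may already be gone from %TEMP% by the time anyone looks.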
Sh0ckFR commented on July 22, 2024

@Tylous I can confirm it is working with stageless payloads without absolute paths, but yes, as @dennis268 specified, the payload is detected by Windows Defender. I'm able to avoid the AV with my custom payload, but I guess this is not the goal here (interesting way anyway).

Acey34 commented on July 22, 2024

@Sh0ckFR If the issue has been resolved, should we close the thread?

@Tylous Also, I would appreciate it if you could add a quick demo of the PoC along with the fixes as well.

Sh0ckFR commented on July 22, 2024

@Acey34 I will close the thread once the bug is fixed, and I also hope that the detection can be avoided; if so, it will be a really nice PoC.

Sh0ckFR commented on July 22, 2024

Okay, I totally understand; this is normal behavior then. Good job, I'm closing this thread.
