Wednesday, April 26, 2017
Obfuscating Strings
While I was able to create a Word document macros to setup a reverse shell, I did have difficulty transferring it to the test virtual machines. I originally planned to setup an email account and email the document to the vms. However, I was unable to attach the document to the email, as Gmail and Inbox both detected that the document “contained a virus.” In order to get around this I setup a Dropbox account to upload the document. I then logged into the Dropbox account from the test virtual machines and downloaded the document successfully bypassing my email problem. I did want this project to be able to be transferred through email, however so I did a little bit of research. After searching through a few articles and tutorials online, I found several mentions or recommendations to obfuscate the strings that were found within the macros. These strings made up a majority of the malicious code found within macros as it was the command that was passed along to a cmd session from the document. I decided to about by transferring all of the characters to the ascii decimal values, in addition to adding more variables to the macro. This is annoying to do, however, especially as strings that need to obfuscated grow in length. So I created a python script to obfuscate it for me! This script will have the user enter a string. The program will then divide the string into ten character chunks, and make that many randomly named variables. Each of these variables will be assigned a chunk of ascii encoded characters that look like ChrW(89) from the string that user entered. The program will then randomly print out these randomized strings in a format read by Visual Basic before having a final line that compiles the strings together to be read as the string that the user input. After running the command string of the Macro through this obfuscation program, I transferred the output to the macro. This obfuscated macro was able to be uploaded to and sent through both Gmail and Inbox, successfully passing through whatever check Google would perform upon attachments.
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment