• Stars
    star
    212
  • Rank 186,063 (Top 4 %)
  • Language
    C#
  • License
    BSD 3-Clause "New...
  • Created almost 2 years ago
  • Updated about 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Aladdin

           .-.
          [.-''-.,
          |  //`~\)
          (<| 0\0|>_
          ";\  _"/ \\_ _,
         __\|'._/_  \ '='-,
        /\ \    || )_///_\>>
       (  '._ T |\ | _/),-'
        '.   '._.-' /'/ |
        | '._   _.'`-.._/
        ,\ / '-' |/
        [_/\-----j
   _.--.__[_.--'_\__
  /         `--'    '---._
 /  '---.  -'. .'  _.--   '.
 \_      '--.___ _;.-o     /
   '.__ ___/______.__8----'
     c-'----'
  Lefty @lefterispan - Nettitude Red Team - 2022 / 2023 

About

Aladdin is a payload generation technique based on the work of James Forshaw (@tiraniddo) that allows the deseriallization of a .NET payload and execution in memory. The original vector was documented on https://www.tiraniddo.dev/2017/07/dg-on-windows-10-s-executing-arbitrary.html.

By spawning the process AddInProcess.exe with arguments /guid:32a91b0f-30cd-4c75-be79-ccbd6345de99 and /pid:, the process will start a named pipe under \\.\pipe\32a91b0f-30cd-4c75-be79-ccbd6345de99 and will wait for a .NET Remoting object. If we generate a payload that has the appropiate packet bytes required to communicate with a .NET remoting listener we will be able to trigger the ActivitySurrogateSelector class from System.Workflow.ComponentModel. and gain code execution.

Originally, James Forshaw released a POC at https://github.com/tyranid/DeviceGuardBypasses/tree/master/CreateAddInIpcData. However this POC will fail on recent versions of Windows since Microsoft went ahead and patched the vulnerable System.Workflow.ComponentModel (https://github.com/microsoft/dotnet-framework-early-access/blob/master/release-notes/NET48/dotnet-48-changes.md).

Nick Landers (@monoxgas) however, identified a way to disable the check that Microsoft introduced and wrote a detailed article at https://www.netspi.com/blog/technical/adversary-simulation/re-animating-activitysurrogateselector/ . The bypass is documented at pwntester/ysoserial.net#41 .

Aladdin is a payload generation tool, which using the specific bypass as well as the necessary header bytes of the .NET remoting protocol is able to generate initial access payloads that abuse the AddInProcess as originally documented.

The provided templates are:

* HTA

* VBA

* JS

* CHM

Notes

In order for the attack to be successfull the .NET assembly must contain a single public class with an empty constructor to act as the entry point during deserialization. An example assembly has been included in the project.

public class EntryPoint {
    public EntryPoint() {
        MessageBox.Show("Hello");
    }
}

Usage

Usage:
  -w, --scriptType=VALUE     Set to js / hta / vba / chm.

  -o, --output=VALUE         The generated output, e.g: -o
                               C:\Users\Nettitude\Desktop\payload

  -a, --assembly=VALUE       Provided Assembly DLL, e.g: -a
                               C:\Users\Nettitude\Desktop\popcalc.dll

  -h, --help                 Help

OpSec

  • The user supplied .NET binary will be executed under the AddInProcess.exe that gets spawned from the HTA / JS payload. The spawning of the processes currently happens using the 9BA05972-F6A8-11CF-A442-00A0C90A8F39 COM object (https://dl.packetstormsecurity.net/papers/general/abusing-objects.pdf) which will launch the process as a child of Explorer.exe process.

  • The GUID supplied in the process parameters of AddInProcess.exe can be user controlled. At the moment the guid is hardcoded in the template and the code.

  • CHM executes the JScript through XSLT transformation

Defensive Considerations

  • Addinprocess.exe will always launch with /guid and /pid. Baseline your environment for legitimate uses - monitor the rest

Useful References:

* https://www.tiraniddo.dev/2017/07/dg-on-windows-10-s-executing-arbitrary.html

* https://www.netspi.com/blog/technical/adversary-simulation/re-animating-activitysurrogateselector/

Readme / Credits

Code is based on the following repos:

* https://github.com/tyranid/DeviceGuardBypasses/tree/master/CreateAddInIpcData

* https://github.com/pwntester/ysoserial.net

Shouts to:

  • @m0rv4i for helping with C# nuances
  • @ace0fspad3s for troubleshooting
  • @ Nettitude RT for being awesome

More Repositories

1

PoshC2

A proxy aware C2 framework used to aid red teamers with post-exploitation and lateral movement.
PowerShell
1,767
star
2

xss_payloads

Exploitation for XSS
PHP
697
star
3

PoshC2_Old

Powershell C2 Server and Implants
PowerShell
574
star
4

SharpSocks

Tunnellable HTTP/HTTPS socks4a proxy written in C# and deployable via PowerShell
C#
472
star
5

SharpWSUS

C#
429
star
6

RunPE

C# Reflective loader for unmanaged binaries.
C#
416
star
7

SimplePELoader

In-Memory PE Loader
C++
366
star
8

Prowl

Python
275
star
9

ETWHash

C# POC to extract NetNTLMv1/v2 hashes from ETW provider
C#
248
star
10

MalSCCM

C#
241
star
11

scrounger

Mobile application testing toolkit
Python
237
star
12

ShellcodeMutator

Python
232
star
13

Tartarus-TpAllocInject

C++
172
star
14

RunOF

C#
138
star
15

Invoke-PowerThIEf

The PowerThIEf, an Internet Explorer Post Exploitation library
PowerShell
130
star
16

DLLInjection

DLL Injection Library & Tools
C++
70
star
17

SharpConflux

C#
63
star
18

zeropress

A dumb script for finding dumb coding errors in WordPress plugins
Python
55
star
19

CVE-2024-20356

This is a proof of concept for CVE-2024-20356, a Command Injection vulnerability in Cisco's CIMC.
Python
47
star
20

CVE-2024-25153

Proof-of-concept exploit for CVE-2024-25153.
Python
43
star
21

defensive-scripts

Defence Against the Dark Arts
34
star
22

InlineFunctionHooking

Windows Inline function hooking library targeted at MSVC
C
28
star
23

pwnlyoffice

Exploit ONLYOFFICE Implementations
JavaScript
24
star
24

PoshC2_IOCs

A list of IOCs applicable to PoshC2
YARA
23
star
25

SyscallsExtractor

C#
23
star
26

logparser

SQL scripts for querying event logs
21
star
27

yasha

Python
18
star
28

metasploit-modules

Modules created by Nettitude for Metasploit
Ruby
12
star
29

hyperv-driver-thread-detection-poc

hyperv-driver-thread-detection-poc
C#
11
star
30

PoshC2_Shellcode

Supporting projects for PoshC2
C
11
star
31

CVE-2022-23253-PoC

CVE-2022-23253 PoC
Python
5
star
32

PoshC2_Linux_Implant

C
4
star
33

PBind

PBind payloads for PoshC2
C#
2
star
34

secure-development-training

PHP
2
star
35

PoshC2_Core

C#
1
star
36

FComm

FComm payloads for PoshC2
C#
1
star