Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

What happens when powershell script encounters EOF while a quote is open?

Tags:

powershell

Unicorn.py generates a string that looks like

powershell -flag1 -flag2 "something " obfuscation; powershell "more gibbrish

Interestingly, if this command is saved in a file filename.txt Windows executes it before opening the file in notepad.txt (by which time the file is empty).

Why is the file executed despite the extension? What does the script do when it encounters EOF after odd number of quotation marks?


Edited:
Unicorn (https://github.com/trustedsec/unicorn) is a script that "enables privilege elevation and arbitrary code execution". If you know what it means. Of course I did NOT put the actual string, just the key features.

like image 902
olki XXI Avatar asked Aug 22 '18 00:08

olki XXI


People also ask

How do I stop a PowerShell script from the first error?

You should be able to accomplish this by using the statement $ErrorActionPreference = "Stop" at the beginning of your scripts. The default setting of $ErrorActionPreference is Continue , which is why you are seeing your scripts keep going after errors occur.

How do you end a PowerShell script?

Let's practice! Open a PowerShell console session, type exit , and press the Enter key. The PowerShell console will immediately close. This keyword can also exit a script rather than the console session.

What does @{ mean in PowerShell?

In PowerShell V2, @ is also the Splat operator. PS> # First use it to create a hashtable of parameters: PS> $params = @{path = "c:\temp"; Recurse= $true} PS> # Then use it to SPLAT the parameters - which is to say to expand a hash table PS> # into a set of command line parameters.

How do you escape a quote from a string in PowerShell?

Finally, if your PowerShell strings are quoted with double quotes, then any double quote characters in the string must be escaped with the backtick "`". Alternatively, the embedded double quote characters can be doubled (replace any embedded " characters with "").


2 Answers

Purely out of IT security interest.

I think that if you read the manual in unicorn.py, at absolutely no time does it say that the script should be left in the txt file.

The PowerShell script is written inside the txt file and called the "payload" (very hacker like). What is left for you is always how to execute this code on the victim's computer.

The manual proposes Word code injection, simply executing the PowerShell in cmd (I quote "Next simply copy the powershell command to something you have the ability for remote command execution."), Excel Auto_Open attack, and so on.

If reading the manual is too much there is always a video. The only time the "hacker" uses a notepad like is on his linux operated system (how ironic)… I watched it because I love this Papa Roach music Last Resort...

For those who are concerned about IT security I recommend this article dosfuscation. This is really instructive about how you have to be extra careful when receiving mails, outside document,... and how humanity can waste so much time spying, deceiving, inventing new twisted strategies... Aren't we great !

Windows like any other system has many system flaw but opening notepad is not one of them. Unless your notepad has been replaced by a hacker using unicorn…

like image 191
PilouPili Avatar answered Nov 10 '22 01:11

PilouPili


There is an even number of brackets in the obfuscated script. Did you mix up '' with "?

Empty txt file means that you've sent the attack.txt over network to a drive accessible by updated antivirus and antivirus quarantined/deleted file contents. Since you didn't know about this interaction with antivirus your environment is NOT secure. Which means you might have other malware from previous test lurking on your "clean" network.

like image 40
Stepan Avatar answered Nov 09 '22 23:11

Stepan