ZipExec: PoC is not working on my side
Hello,
I just tested your PoC, and I'm probably doing it wrong. Actually, I compiled it on Debian Buster, and I use this command line:
./ZipExec -I /home/user/artifact.exe -O /home/user/loader.js -sandbox
And I run the loader.js on a Windows 10 virtual machine, but nothing happens. I edited the path in the .js file to avoid a weird Linux path in it, but it's the same result.
If I check in the %temp% directory, I don't have any zip file, so I tried to execute it with cscript, and I don't get any exceptions.
I’m interested if you have an idea.
About this issue
- State: closed
- Created 3 years ago
- Comments: 16 (5 by maintainers)
@adelicato @Sh0ckFR I see a bug with the zip function handling full and relative paths. I am working to address it right now. If you use the current folder where the zipexec binary is living, i.e. -I binary.exe, -o output.js, rather than /home/user/..., it should be a quick workaround while I fix this.

@Acey34 Once I address this bug I will provide something along those lines.

That bug should be fixed. As for the Defender comment, @Sh0ckFR Defender is probably catching it at runtime. This technique helps avoid everything but that. When a payload runs it acts the same way as it would if you just double-clicked it and ran. This is simply a unique way of delivering a binary-based payload to an endpoint and protecting it on disk.
@Acey34 I am still tweaking things to make sure all potential inputted paths work. I will add something demo-wise shortly afterward.
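Added example (not ZipExec's own code) of the path-handling point the maintainer describes: whatever form the -I path takes (absolute Linux path, Windows path, or bare relative name), the archive entry has to be the bare file name, and a check that flags any entry still carrying a path component. The helper names entryNameFor, hasPathComponent, zipSingleFile and entryNames are assumptions for this example.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"path/filepath"
	"strings"
)

// entryNameFor reduces a user-supplied input path to the bare file name that
// belongs inside the archive. Windows separators are normalised first because
// filepath.Base on Linux only splits on "/". (Hypothetical helper.)
func entryNameFor(inputPath string) string {
	return filepath.Base(strings.ReplaceAll(inputPath, `\`, "/"))
}

// hasPathComponent reports whether an entry name still carries a directory
// part (or is empty/dot), which a loader expecting a bare name would miss.
func hasPathComponent(name string) bool {
	return name == "" || name == "." || name == ".." || strings.ContainsAny(name, `/\`)
}

// zipSingleFile writes content into an in-memory zip under the normalised name.
func zipSingleFile(inputPath string, content []byte) ([]byte, error) {
	name := entryNameFor(inputPath)
	if hasPathComponent(name) {
		return nil, fmt.Errorf("cannot derive a bare file name from %q", inputPath)
	}
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	f, err := w.Create(name)
	if err != nil {
		return nil, err
	}
	if _, err := f.Write(content); err != nil {
		return nil, err
	}
	if err := w.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// entryNames lists the archive's entry names, failing on any with a path part.
func entryNames(archive []byte) ([]string, error) {
	r, err := zip.NewReader(bytes.NewReader(archive), int64(len(archive)))
	if err != nil {
		return nil, err
	}
	var names []string
	for _, f := range r.File {
		if hasPathComponent(f.Name) {
			return nil, fmt.Errorf("entry %q carries a path component", f.Name)
		}
		names = append(names, f.Name)
	}
	return names, nil
}

func main() {
	// Constructed sample input; the path mirrors the one in the report.
	archive, err := zipSingleFile("/home/user/artifact.exe", []byte("constructed sample"))
	if err != nil {
		panic(err)
	}
	names, err := entryNames(archive)
	fmt.Println(names, err)
}
```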
We would appreciate if @Tylous can provide with a short video of the PoC