Git
/
mgeeky-Penetration-Testing-Tools
mirror of https://github.com/mgeeky/Penetration-Testing-Tools.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
mgeeky-Penetration-Testing-.../file-formats
History
Mariusz B. / mgeeky 77c04dc99a Updated PackMyPayload and rogue-dot-net 2023-05-24 17:16:11 +02:00
..
PackMyPayload@f316e62bcb Updated PackMyPayload and rogue-dot-net 2023-05-24 17:16:11 +02:00
msi-shenanigans@1d5fdd5787 Added msi-shenaningans 2022-12-22 10:20:48 +01:00
README.md Added msi-shenaningans 2022-12-22 10:22:20 +01:00
tamperUpx.py updated tamperUpx.py 2022-08-26 10:26:22 +02:00
zipcrack.rb First 2018-02-02 22:22:43 +01:00

README.md

File-Formats Penetration Testing related scripts, tools and Cheatsheets

  • msi-shenanigans - Proof of Concept code and samples presenting emerging threat of MSI installer files. Based on my MSI Shenanignas 1 - Offensive Capabilities Overview research conducted.

  • PackMyPayload - A script that takes file/directory on input and creates a new (or backdoors existing) container file with input ones embedded. Some of the formats (ISO, IMG, VHD, VHDX) could be used to bypass Mark-of-the-Web (MOTW) file taint flag. Supported formats:

    1. ZIP (+password)
    2. 7zip (+password)
    3. PDF (+password)
    4. ISO
    5. IMG
    6. CAB
    7. VHD
    8. VHDX

  • tamperUpx.py - A small utility that corrupts UPX-packed executables, making them much harder to be decompressed & restored.

c:\>py -3 tamperUpx.py foo-upx.exe foo-upx-corrupted.exe

    :: tamperUpx - a small utility that corrupts UPX-packed executables,
    making them much harder to be decompressed & restored.

    Mariusz Banach / mgeeky, '21

Step 1. Renaming UPX sections...
        Renamed UPX section (UPX0    ) => (.text)
        Renamed UPX section (UPX1    ) => (.data)

Step 2. Removing obvious indicators...
        Removed "UPX!" (UPX_MAGIC_LE32) magic value...
        Removed "3.96" indicator...

Step 3. Corrupting PackHeader...
        Overwriting metadata (version=13, format=36, method=2, level=10)...
        Corrupting stored lengths and sizes:
                - uncompressed_adler (u_adler): (2044521623 / 0x79dcec97) => (0)
                - compressed_adler (c_adler): (2542804071 / 0x97901c67) => (0)
                - uncompressed_len (u_len): (1802399544 / 0x6b6e6f38) => (0)
                - compressed_len (c_len): (2653142051 / 0x9e23bc23) => (0)
                - original file size: (529611336 / 0x1f913a48) => (0)
                - filter id: (73 / 0x49) => (0)
                - filter cto: (5 / 0x5) => (0)
                - unused: (0 / 0x0) => (0)
                - header checksum: (197 / 0xc5) => (0)

[+] UPX-protected executable corrupted: foo-upx-corrupted.exe
[+] Success. UPX should have some issues decompressing output artifact now.
  • zipcrack.rb - Simple multi-threaded ZIP cracker. (gist)