Phishing

A Nice Day Phishing : Exploring Portable Python For Covert Execution

Scripting Interpreters are agreat method to achieve Command or Shellcode Execution, but one of many problems is that they:

  • Are not Native to Windows
  • Not always easy to use
  • Limited to Command or Shellcode execution, some have both!!
  • We requiere these to not be installed on the Users workstation

Python

Python is a strong language to demonstrate the capabilities of these interpreters the following screenshot demonstrates how just printing out STRINGS in their language will not get flagged, it seems that this behavior is caused because AMSI has a better grasp on Windows Native Files.

To make python feasable to our needs we have to consider this:

  • Size
  • Modules
  • Version

We encounter the issue that some Modules are missing when trying to go beyond to executing Win32 apis now the challenge is to:

  • Compile a portable version with the needed modules

Now with some debugging and lots of banging the portable version of pytohn works correctly and the modules that I needed were in the binary

With this fully functional we can utilize the portable version of python, a loader and call our payload, since the files and binary won’t run our files via double-click we need to use a parent program that will call these, and a great alternative is LNK files

For more information click here.

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Recent Posts

Cybersecurity – Tools And Their Function

Cybersecurity tools play a critical role in safeguarding digital assets, systems, and networks from malicious…

2 hours ago

MODeflattener – Miasm’s OLLVM Deflattener

MODeflattener is a specialized tool designed to reverse OLLVM's control flow flattening obfuscation through static…

2 hours ago

My Awesome List : Tools And Their Functions

"My Awesome List" is a curated collection of tools, libraries, and resources spanning various domains…

2 hours ago

Chrome Browser Exploitation, Part 3 : Analyzing And Exploiting CVE-2018-17463

CVE-2018-17463, a type confusion vulnerability in Chrome’s V8 JavaScript engine, allowed attackers to execute arbitrary…

2 hours ago

Chrome Browser Exploitation, Part 1 : Introduction To V8 And JavaScript Internals

The blog post "Chrome Browser Exploitation, Part 1: Introduction to V8 and JavaScript Internals" provides…

3 hours ago

Chrome Browser Exploitation, Part 3: Analyzing and Exploiting CVE-2018-17463

The exploitation of CVE-2018-17463, a type confusion vulnerability in Chrome’s V8 JavaScript engine, relies on…

5 hours ago