Barebones Python Injection

We love PowerShell. It’s awesome for payload delivery for a myriad of reasons: trusted execution, AV-bypassing abilities, reputation filter bypass, full .NET capabilities, etc. However, on assessments we still sometimes encounter machines without PowerShell installed or enabled. Wouldn’t it be nice to have a method to invoke payloads without PowerShell that still granted trusted execution and the other nice features we get with that approach?

The Barebones Python injector released with Veil-Catapult addresses this problem. If you don’t have PowerShell access on a system for some reason, don’t really like dropping malicious EXEs to disk, or nasty AV whitelisting/reputation filters are causing you pain, this method provides you an alternative option for owning boxes with a trusted execution model.

To execute, a zipped ‘barebones’ Python environment is first uploaded to the victim machine’s temp directory using Impacket, along with a standalone 7zip binary. This environment was stripped by hand to include only the bare minimum libraries needed to invoke shellcode using Python ctypes. A pth-wmis or pth-winexe command is used to unzip the environment, and a second command invokes the extracted Python binary with the “-c” option. The passed string comprises a minimal Python program that will base64 decode a shellcode string and invoke it in memory:

python.exe -c "from ctypes import *; a='u/Fp...'.decode('base_64');cast(create_string_buffer(a,len(a)),CFUNCTYPE(c_void_p))()"

The end result? The only files that touch disk are known/trusted Python libraries and interpreter, and your Veil-Evasion generated shellcode is invoked without a malicious executable potentially being snarfed up by AV.
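
On the defensive side, the invocation above leaves a distinctive process-creation record: a python.exe image under a temp directory, run with "-c" and a command line containing ctypes, a base64 decode and a function-pointer cast. The following is an added example, not part of the original post or of Veil-Catapult, that scores such events; the event field names, weights, threshold and sample events are assumptions constructed for illustration.

```python
import re

# Indicators taken from the one-liner on this page; weights and the
# alert threshold are assumptions to tune against your own telemetry.
INDICATORS = [
    ("inline -c code", re.compile(r"\s-c\s"), 1),
    ("ctypes import", re.compile(r"\bctypes\b"), 2),
    ("function-pointer cast", re.compile(r"\bCFUNCTYPE\b|\bcast\s*\("), 3),
    ("base64 decode", re.compile(r"base_?64|b64decode", re.I), 2),
    ("long base64 blob", re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"), 2),
]
PYTHON_IMAGE = re.compile(r"(^|\\)pythonw?\.exe$", re.I)
TEMP_DIR = re.compile(r"\\(temp|tmp)\\", re.I)
ALERT_THRESHOLD = 5

def score_event(event):
    """Score one process-creation event; returns (score, reasons)."""
    image = event.get("image", "")
    if not PYTHON_IMAGE.search(image):
        return 0, []
    cmdline = event.get("command_line", "")
    hits = [(name, w) for name, rx, w in INDICATORS if rx.search(cmdline)]
    if TEMP_DIR.search(image):
        hits.append(("interpreter runs from a temp directory", 2))
    return sum(w for _, w in hits), [name for name, _ in hits]

def alerts(events):
    """Return the events whose score reaches the alert threshold."""
    return [e for e in events if score_event(e)[0] >= ALERT_THRESHOLD]

# Constructed sample events; the blob is harmless filler ("ABC" repeated).
FILLER = "QUJD" * 60
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\Temp\py\python.exe",
     "command_line": "python.exe -c \"from ctypes import *; a='" + FILLER +
                     "'.decode('base_64');cast(create_string_buffer(a,len(a)),"
                     "CFUNCTYPE(c_void_p))()\""},
    {"image": r"C:\Python27\python.exe",
     "command_line": 'python.exe -c "import sys; print(sys.version)"'},
    {"image": r"C:\Python27\python.exe",
     "command_line": "python.exe manage.py runserver"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c findstr ctypes CFUNCTYPE notes.txt"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(score_event(ev), ev["image"])
```

Only the first sample reaches the threshold; an ordinary "-c" one-liner from an installed interpreter scores 1, which is why the temp-directory path and the ctypes cast carry most of the weight.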

 
