Overview

ZipExec

ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file. This zip file is then base64 encoded into a string, and that string is embedded in a generated JScript loader. When the loader is executed, it rebuilds the password-protected zip file on disk and runs the binary inside it. This is done programmatically by using COM objects to access the GUI-based zip functions in Windows, so the binary is executed from inside the password-protected zip without having to unzip it first. Because the zip file is password protected, the binary is shielded from EDRs and from disk-based or anti-malware scanning mechanisms that would otherwise inspect it.
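From a defender's side, the artifact this overview describes is a script file carrying a long base64 string that decodes to a zip archive whose entries are encrypted. The following Go program is an added example, not part of ZipExec, that scans script text for such strings: it finds long base64 runs, decodes the first 48 bytes, checks for the zip local file header signature and reads the general-purpose flag whose bit 0 marks an encrypted entry. The sample loader text it scans is constructed inside the program (archive/zip cannot write encrypted entries, so the encryption bit is set by hand); the variable names in that sample are made up and not taken from ZipExec's real loader.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/base64"
	"fmt"
	"regexp"
)

// Finding describes one base64 run that decodes to a zip local file header.
type Finding struct {
	Offset    int  // byte offset of the base64 run inside the script text
	B64Length int  // length of the base64 run in characters
	Encrypted bool // bit 0 of the general-purpose flag: the entry is password protected
}

// Only base64 runs of at least 64 characters are considered; anything shorter
// cannot carry an archive worth looking at and would produce noise.
var b64Run = regexp.MustCompile(`[A-Za-z0-9+/]{64,}={0,2}`)

// Local file header signature "PK\x03\x04" that every zip archive starts with.
var zipLocalHeader = []byte{0x50, 0x4B, 0x03, 0x04}

// ScanForEmbeddedZip decodes the first 64 base64 characters (48 bytes, more than
// the 30-byte local file header) of every long base64 run and reports those that
// begin with a zip signature, together with the encryption flag of the first entry.
func ScanForEmbeddedZip(content []byte) []Finding {
	var out []Finding
	for _, loc := range b64Run.FindAllIndex(content, -1) {
		run := content[loc[0]:loc[1]]
		head, err := base64.StdEncoding.DecodeString(string(run[:64]))
		if err != nil || !bytes.HasPrefix(head, zipLocalHeader) {
			continue
		}
		// general-purpose bit flag: 2 bytes little endian at offset 6 of the header
		flags := uint16(head[6]) | uint16(head[7])<<8
		out = append(out, Finding{Offset: loc[0], B64Length: len(run), Encrypted: flags&1 == 1})
	}
	return out
}

// BuildSampleLoader constructs test input (made up for this example, not
// ZipExec output): a JScript-like text with a base64 zip embedded the way the
// overview describes. With encrypted=true the encryption bit of the local file
// header is set by hand to simulate a password-protected archive.
func BuildSampleLoader(encrypted bool) string {
	var zbuf bytes.Buffer
	zw := zip.NewWriter(&zbuf)
	w, _ := zw.Create("tool.exe")
	w.Write(bytes.Repeat([]byte("placeholder payload bytes, not an executable. "), 4))
	zw.Close()
	raw := zbuf.Bytes()
	if encrypted {
		raw[6] |= 0x01 // general-purpose flag bit 0: entry is encrypted
	}
	b64 := base64.StdEncoding.EncodeToString(raw)
	// hypothetical loader text; the real ZipExec loader is not reproduced here
	return "var payload = \"" + b64 + "\";\n" +
		"// ... write payload to %TEMP% and run it (omitted in this sample) ...\n"
}

func main() {
	for _, enc := range []bool{false, true} {
		for _, f := range ScanForEmbeddedZip([]byte(BuildSampleLoader(enc))) {
			fmt.Printf("embedded zip at offset %d (%d base64 chars), encrypted entry: %v\n",
				f.Offset, f.B64Length, f.Encrypted)
		}
	}
}
```

A password-protected archive hides the payload content from a scanner, but the zip header itself is not encrypted, so the signature and the encryption flag remain visible after decoding; that is the check a scanner can make without knowing the password.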

Installation

The first step, as always, is to clone the repo. Before you compile ZipExec you'll need to install the dependencies. To install them, run the following command:

go get github.com/yeka/zip

Then build it:

go build ZipExec.go

or

go get github.com/Tylous/ZipExec

Help

./ZipExec -h

__________.__      ___________                     
\____    /|__|_____\_   _____/__  ___ ____   ____  
  /     / |  \____ \|    __)_\  \/  // __ \_/ ___\ 
 /     /_ |  |  |_> >        \>    <\  ___/\  \___ 
/_______ \|__|   __/_______  /__/\_ \\___  >\___  >
        \/   |__|          \/      \/    \/     \/ 
                (@Tyl0us)

Usage of ./ZipExec:
  -I string
        Path to the file containing binary to zip.
  -O string
        Name of output file (e.g. loader.js)
  -sandbox
        Enables sandbox evasion using IsDomainedJoined.
Comments
  • PoC is not working on my side

    Hello,

    I just tested your PoC, and I'm probably doing it wrong. Actually, I compiled it on Debian Buster, and I use this command line:

    ./ZipExec -I /home/user/artifact.exe -O /home/user/loader.js -sandbox

    And I run the loader.js on a Windows 10 virtual machine, but nothing happens. I edited the path in the .js file to avoid a weird Linux path in it, but it's the same result.

    If I check in the %temp% directory, I don't have any zip file, so I tried to execute it with cscript, and I don't have any exceptions.

    I'm interested if you have an idea.

    opened by Sh0ckFR 16
  • Loader.js Problem

    Hi,

    Sometimes some loader.js's cannot unzip the file, while loader.js is executed via cscript.exe. However, in this case, I can see the zip file under the %TMP% directory. For another case, I can confirm that loader.js is working in my computer properly, but it doesn't work for another computer with the same build number and OS. In the second case, I am getting the same error. The screenshot of the given error can be seen below:

    [screenshot not included in this text]

    opened by frkngksl 3
  • The loader.js file does not appear

    I run the following command, ZipExec -I shell.exe -O loader.js -sandbox, and the only thing it returns is shell.rar. The loader.js file is not generated, and I have a question: if it is said that it executes binaries without decompressing them, what is the command for that?

    Thanks in advance. It looks interesting; there just isn't much documentation about it.

    opened by jccarideveloper 2
  • Temp1_xxxx.zip ?

    It looks like it extracts the zipfile into %TEMP%\Temp1_xxxx.zip, (where xxxx is the zipfile name) then runs it from there, then deletes it. Do you know if there is any way to change the destination of this? I looked and couldn't find a way to do this but wondering if you knew anything off the top of your head.

    Side note, thanks for publishing this tool, it's awesome!

    EDIT: this looks like the same behavior as executing from the Windows zip GUI, disregard.

    opened by funnybananas 0
  • update installation method

    Starting in Go 1.17, installing executables with go get is deprecated. go install may be used instead. ref: https://golang.org/doc/go-get-install-deprecation

    opened by zc2638 0
  • Don't abuse PRNG -> fix identifier generation when building on Windows

    Pseudorandom number generators need to be initialized only once.

    Using the system time for this is Generally Fine, but re-initializing the PRNG in a tight loop every time a random number is needed significantly raises the odds that the same number sequence (or even the same number) is returned every time.

    Chances for this to happen on Windows are apparently much higher than on Linux. Not sure why this is the case; my best guess is that the clock used for Go's `time.Now()` runs with coarser granularity.

    opened by hillu 2
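The PRNG problem described in this pull request can be reproduced deterministically. The Go program below is an added example, not ZipExec's code: it generates random identifiers two ways, once with a fresh generator seeded from the clock on every call (the pattern the PR removes) and once from a single generator seeded at start-up. The clock is abstracted so a coarse clock can be simulated; CoarseClock and FixedClock are constructed here for the demonstration and are not part of ZipExec. It also shows crypto/rand as the source to use when identifiers must be unpredictable rather than merely distinct.

```go
package main

import (
	cryptorand "crypto/rand"
	"fmt"
	"math/rand"
	"time"
)

const alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"

// Clock abstracts the seed source so the test can freeze it.
type Clock func() int64

// CoarseClock simulates a clock that only advances once per tick (e.g. 16 ms),
// which is how a coarse system timer looks to a tight loop.
func CoarseClock(tick time.Duration) Clock {
	return func() int64 { return time.Now().Truncate(tick).UnixNano() }
}

// FixedClock always returns the same value: every call lands in the same tick.
func FixedClock(v int64) Clock {
	return func() int64 { return v }
}

// randomID draws n alphabet characters from rng.
func randomID(rng *rand.Rand, n int) string {
	b := make([]byte, n)
	for i := range b {
		b[i] = alphabet[rng.Intn(len(alphabet))]
	}
	return string(b)
}

// ReseedEveryCall is the pattern the PR removes: a new generator seeded from
// the clock for every identifier. Calls within one clock tick get the same
// seed and therefore the same "random" identifier.
func ReseedEveryCall(clock Clock, count, n int) []string {
	ids := make([]string, count)
	for i := range ids {
		rng := rand.New(rand.NewSource(clock()))
		ids[i] = randomID(rng, n)
	}
	return ids
}

// SeedOnce seeds a single generator at start-up and keeps drawing from it, so
// identifiers differ no matter how coarse the clock is.
func SeedOnce(clock Clock, count, n int) []string {
	rng := rand.New(rand.NewSource(clock()))
	ids := make([]string, count)
	for i := range ids {
		ids[i] = randomID(rng, n)
	}
	return ids
}

// CryptoID draws from the OS CSPRNG; use this when an identifier must also be
// unpredictable to an observer, not only distinct from the previous one.
func CryptoID(n int) (string, error) {
	raw := make([]byte, n)
	if _, err := cryptorand.Read(raw); err != nil {
		return "", err
	}
	b := make([]byte, n)
	for i, r := range raw {
		b[i] = alphabet[int(r)%len(alphabet)]
	}
	return string(b), nil
}

// CountDistinct returns how many unique strings ids contains.
func CountDistinct(ids []string) int {
	seen := make(map[string]struct{}, len(ids))
	for _, id := range ids {
		seen[id] = struct{}{}
	}
	return len(seen)
}

func main() {
	clock := CoarseClock(16 * time.Millisecond)
	fmt.Println("reseed every call, distinct ids:", CountDistinct(ReseedEveryCall(clock, 10, 12)))
	fmt.Println("seed once, distinct ids:         ", CountDistinct(SeedOnce(clock, 10, 12)))
	id, err := CryptoID(12)
	fmt.Println("crypto/rand id:", id, err)
}
```

With the 16 ms clock the first line typically reports 1 distinct identifier out of 10, because the whole loop finishes within one tick; the seed-once variant reports 10. The length of the identifier does not help here: the collision comes from the seed, not from the alphabet size.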
Owner

Tylous