WePWNise

WePWNise is a proof-of-concept python script that generates architecture independent VBA code to be used in Office documents or templates. It aims in introducing a certain level of automation and intelligence to dynamically deliver its payload, circumventing defences such as application control and anti-exploitation mitigations that may exist on a target system.

It collects information through enumeration of relevant parts of the Registry where various policy security settings are stored, and identifies suitable binaries which are safe to inject code into. WePWNise integrates with existing frameworks (e.g. Metasploit, Cobalt Strike) as well as with custom payloads in raw format.

Depending on the applied security configuration, the tool currently circumvents Software Restriction Policies (SRPs) and Enhanced Mitigation Experience Toolkit (EMET) protected binaries. Future areas of development include the extension of the tool to support more endpoint security technologies (e.g. AppLocker, Firewalls, AVs etc), as well as obfuscation and implant safety enhancements.

Limitations

wePWNise currently supports SRPs and EMET. The resulting code is not obfuscated, making detection easy and it also does not employ any implant safety attributes, such as those MWR Labs has previously discussed.

Future

wePWNise could be extended to include more technologies and functionality in its decision logic. Examples of such extensions include:

  1. Application control technologies such as AppLocker or other 3rd party solutions
  2. Endpoint firewall excluded paths or binaries
  3. Anti-Virus excluded paths or binaries
  4. Safer implant generation
  5. Code obfuscation

The source code of the tool is available on Github.

Credits

This tool was originally developed by Vincent Yiu (@vysecurity).