Add evasion module applocker_evasion_msbuild #12130

Merged
merged 4 commits into from Jul 31, 2019

Conversation

@NickTyrer
Contributor

commented Jul 26, 2019

Intro

This module is designed to evade solutions such as software restriction policies and AppLocker.
The main vector for this bypass is to use the trusted binary MSBuild.exe in executing user-supplied code.

This pull request is in reference to the previous pull request #8783.

Vulnerable Application

This evasion will work on all versions of Windows that include .NET versions 3.5 or greater (note: ensure the selected payload matches the target OS architecture).

Verification Steps

  1. Enable AppLocker and enable executable rules
  2. Verify a standard .exe will not run from the user's desktop
  3. Do `use evasion/windows/applocker_evasion_msbuild`
  4. Do `exploit`
  5. Follow the onscreen instructions by copying the created file to the target's desktop
  6. Verify that code execution is achieved.

@NickTyrer NickTyrer changed the title add evasion module applocker_evasion_msbuild Add evasion module applocker_evasion_msbuild Jul 26, 2019

@wchen-r7 wchen-r7 self-assigned this Jul 29, 2019

@wchen-r7 wchen-r7 removed the needs-docs label Jul 29, 2019

@wchen-r7

Contributor

commented Jul 29, 2019

I'm currently testing this out. Thanks!

@NickTyrer

Contributor Author

commented Jul 29, 2019

@wchen-r7 sorry just pushed one final commit to fix an issue I had overlooked

@wchen-r7

Contributor

commented Jul 30, 2019

No problem. Thanks for the heads up.

@wchen-r7 wchen-r7 merged commit 4f7e9bd into rapid7:master Jul 31, 2019

3 checks passed

Metasploit Automation - Sanity Test Execution Successfully completed all tests.
Metasploit Automation - Test Execution Successfully completed all tests.
continuous-integration/travis-ci/pr The Travis CI build passed
@wchen-r7

Contributor

commented Jul 31, 2019

Really enjoyed playing with the module. Thanks for sharing.

wchen-r7 added a commit that referenced this pull request Jul 31, 2019

@wchen-r7

Contributor

commented Jul 31, 2019

Release Notes

The applocker_evasion_msbuild module has been added to the framework. It is designed to evade solutions such as software restriction policies and AppLocker. The main vector for this bypass is to use the trusted binary MSBuild.exe in executing user-supplied code.

msjenkins-r7 added a commit that referenced this pull request Aug 1, 2019

@jmartin-r7 jmartin-r7 added the msf5 label Aug 1, 2019

jmartin-r7 added a commit that referenced this pull request Aug 1, 2019

@tdoan-r7 tdoan-r7 added the rn-modules label Aug 7, 2019
