Weaponizing Installutil whitelist bypass
In this post, I’ll be showing how to weaponize installutil whitelist bypass to get a reverse shell regardless of the CLR version being used by the victim.
Background
I was looking into whitelist bypass methods and in no time stumbled upon the work of Casey Smith. If you're not familiar with how the bypass works, read this. When I tried replicating the Installutil bypass method to execute shellcode, I got a System.AccessViolationException.
After reading a couple of blogs, I compared my environment with those who had replicated this. I noticed that to execute shellcode without hitting this exception, it has to be compiled with CLR v2.0.5 or lower, i.e. the csc.exe binary used to compile the C# code should be in C:\Windows\Microsoft.NET\v2.0.5, whereas I had been compiling it with v4.0.3xxx. Clearly, CLR v4 didn't like it when protected memory was accessed.
Looking at the ways to handle the exception on Stack Overflow, I realized the best way to deal with the problem is to avoid it (right?). In other words, there's an easier way to get a reverse shell.
Scenario
Before I reveal how I came around this, it is essential to ask:
Where could this be useful?
Suppose you have gained physical access to a system that has application whitelisting enabled. Also, to make things interesting, let's say cmd.exe and powershell.exe are blocked.
Sounds like a nightmare?
Solution
It is essential to know that powershell.exe is just an interface and doesn't actually do the hard work. Behind the scenes, all the work is done by System.Management.Automation.dll. Using C#, I have weaponized the template by Casey Smith to run PowerShell code to get a reverse shell using PowerShell instead of shellcode. You can find the code here. Here's a snippet of it:
The powershell.ps1 above contains the one-liner to get a reverse shell written by Riyaz Walikar.
As an attacker, you can host the C# file and the PowerShell code on a webserver you control. You can open the browser and download the C# file. You can now compile the C# file from the runas prompt (Win+R) by providing the absolute path to the csc.exe binary and the C# file.
The executable created cannot be run directly due to application whitelist controls put in place.
From now on, there are two ways you can leverage installutil.exe:
- Use the runas prompt
- Create a shortcut to installutil.exe
The runas prompt can be used in the same way as we did previously.
If you’re feeling a bit ambitious, then the second method could give you persistence as well. How?
After creating the shortcut on the Desktop, you can hide the shortcut icon and set a hotkey (probably F5) to trigger it. For more details, you can refer to this article. Also, hide the executable. Each time the system boots up and someone hits F5, our malicious code runs and we get a reverse shell back.
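From the defender's side, the chain described above (csc.exe launched interactively from the Run prompt, then installutil.exe loading an assembly from a user-writable folder, possibly via a shortcut) is visible in process-creation telemetry. The following Python scanner is an added example, not code from this post or from Casey Smith's template; the event field names follow Sysmon Event ID 1 (Image, ParentImage, CommandLine) and the sample records are constructed. The /U switch it checks for is InstallUtil's documented uninstall switch, which is not shown on this page.

```python
import re
from typing import Dict, List

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\explorer.exe", "ParentImage": r"C:\Windows\winlogon.exe",
     "CommandLine": "explorer.exe"},
    # Interactive compile from the Run prompt: explorer.exe is the parent of csc.exe.
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"csc.exe C:\Users\bob\Downloads\shell.cs"},
    # InstallUtil run from the Run prompt or a shortcut against a user-dropped assembly.
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"InstallUtil.exe /logfile= /LogToConsole=false /U C:\Users\bob\Downloads\shell.exe"},
    # Benign-looking use by a vendor installer: no findings expected.
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "ParentImage": r"C:\Program Files\Vendor\setup.exe",
     "CommandLine": r'InstallUtil.exe "C:\Program Files\Vendor\svc.exe"'},
]

# Directories an unprivileged user can normally write to (assumption; extend per environment).
USER_WRITABLE = re.compile(r"(?i)\\(users|temp|programdata|public)\\")

def image_name(path: str) -> str:
    """Return the lower-cased file name of a full image path."""
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev: Dict[str, str]) -> List[str]:
    """Return the findings for one event; an empty list means nothing suspicious."""
    findings: List[str] = []
    img, parent, cmd = image_name(ev["Image"]), image_name(ev["ParentImage"]), ev["CommandLine"]
    if img == "csc.exe" and parent == "explorer.exe":
        findings.append("csc.exe spawned by explorer.exe (interactive compile)")
    if img == "installutil.exe":
        if re.search(r"(?i)(^|\s)/u\b", cmd):
            findings.append("installutil.exe run with /U")
        if USER_WRITABLE.search(cmd):
            findings.append("installutil.exe loading assembly from user-writable path")
        if parent == "explorer.exe":
            findings.append("installutil.exe spawned by explorer.exe (Run prompt or shortcut)")
    return findings

def scan(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map event index -> findings for every event that produced at least one finding."""
    return {i: f for i, ev in enumerate(events) if (f := classify(ev))}

if __name__ == "__main__":
    for idx, found in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["CommandLine"], found)
```

Blocking the shortcut persistence trick is simpler still: application-control rules should cover installutil.exe and csc.exe themselves, not only cmd.exe and powershell.exe.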
Conclusion
I find it extremely refreshing to use existing techniques as a solution to problems I’ve never encountered before. Anyway, if you have any queries, feel free to comment below.