AppLocker Bypass — presentationhost.exe
Presentationhost.exe appears on several AppLocker whitelist bypass lists (e.g. api0cradl and milkdevil) but I wasn’t able to find any good instructions on how to use it so I decided to figure it out myself. This blog post shares the results of that research by presenting a proof of concept application that will run PowerShell commands using the same c# code I used for my .hta powershell runner.
Presentationhost.exe is a built in Windows executable that is used to run XAML Browser Applications (i.e. .xbap files). Opening a .xbap file appears to launch the application inside Internet Explorer but the code is actually run in another process (Presentationhost.exe) usually in a sandbox to protect the user from malicious code. If you are familiar with Java Web Start files (.jnlp) xpabs behave similarly except that Internet Explorer launches Presentationhost.exe instead of Java.exe and they are written in c# instead of Java.
Note that xbap’s are able to request different privileged levels. To perform potentially malicious actions, the application has to request unrestricted permissions which can be done when opening an xbap from a file location (i.e. the local file system or a network share). Attempting to open an xbap over HTTP or FTP will fail if the application requests too many permissions. You can read more about the security model here.
To create an xbap application either clone my POC https://github.com/jpginc/xbapAppWhitelistBypassPOC OR follow these step by step instructions on how to build your own POC:
- Downloaded visual studio 2010 professional service pack 1 trial (you can also use the latest visual studio with the ‘.net desktop development’ workload installed but it takes a lot longer to download and setup).
- Open visual studio and selected “New, Project”.
- In the new project screen, search for “WPF Browser Application” and created a new Visual C# app.
Once the new project is initialised, you will see a screen like this:
If you hit run, your default browser will open the .xbap file. You probably aren’t using Internet Explorer as your default browser so to actually run the xbap, copy the file:/// URL from your default browser into ie and if everything works you should see a warning message like this:
After clicking run a blank page will appear. This is your application congratulations! The next step is to make it do something useful. First lets create a simple UI that lets you enter commands on the left and outputs the results on the right. We will also add a button with a click event.
If you try to run the application now you will get an error that there is no definition for “Button_Click”. To define the button click method open Page1.xaml.cs. We will use C#’s Pipeline class to run our PowerShell commands (interesting side note, running PowerShell commands this way bypasses constrained language mode). Below is the code that will run some PowerShell commands in a Pipeline and write the output to the screen.
To get the application to compile you will need to reference the System.Management.Automation dll by right-clicking the “References” folder in the “Solution Explorer” and selecting “Add Reference”. Then browse to:
C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll
With the reference added, you should be able to compile the project (you may need to change the namespace if you didn’t name the project ‘powershell’). If you run the xbap now it should open successfully but when you try to run a command you will get the following error:
This error is the Presentationhost’s sandbox telling you that the application has tried to do something above it’s privilege level, you can read more about xbap security here. To have the xbap request full trust permissions (i.e. non-sand-boxed access to the OS) go Project -> Properties -> Security and select the “This is a full trust application” radio box.
Run the application and should now be able to run PowerShell commands!
The compiled application can be found in the \bin\Debug folder of your visual studio project. You should have a couple of files similar to:
- powershell.exe
- powershell.exe.manifest
- powershell.pdb
- powershell.xbap
To bypass default AppLocker rules copy these files to the locked down computer and double click the .xbap file. If you downloaded the file from a website it won’t run because it contains the Mark of the Web. To remove the Mark of the Web right click the file and click the “Unblock” checkbox (or you can use PowerShell).
If you don’t want to copy the files to the locked down computer, you can run presentation host from the command line using a file:/// URI or UNC path e.g.
presentationhost.exe file:///ipAddressOrHostName/powershell.xbapThat’s all there is to it. Here is the source code to the PowerShell xbap https://github.com/jpginc/xbapAppWhitelistBypassPOC/tree/master. I included the compiled files in the repo in case you just want to run PowerShell in a locked down environment you can grab the files here https://github.com/jpginc/xbapAppWhitelistBypassPOC/tree/master/powershell/bin/Debug
I’m not sure that there are many occasions where I would use this AppLocker bypass over other whitelist bypass (e.g. my .hta PowerSehll runner). However, as PowerShell logging becomes better (and start to block some of my favourite pentesting tools), the ability to develop and run more complicated C# programs on locked down PCs is interesting. For example, BloodHound’s data collector is now a PowerShell script that loads a pre-compiled C# binary into memory. This feature is blocked when Constrained Language Mode is enabled. It wouldn’t be too difficult to compile SharpHound (the data collector) into an xbap to bypass application whitelisting and PowerShell security altogether. A Powershell Empire xbap agent would be useful too (I have added these two projects to my to-do list).
I hope that this helps you all in your pen testing life. Keep an eye on my twitter for more fun obscure stuff @JPG1nc
