Sunday, January 25, 2015

Application Call to Missing DLL can lead to Meterpreter Shell

This is a proof-of-concept showing how a call by an application to a DLL that does not exist can be turned into a Meterpreter shell by placing a Meterpreter DLL at the path the application looks in. Granted, I am using an Administrator account to copy the file to its final location, but the same copy could be performed by an exploit, through poorly set permissions, incorrect access control, or after privilege escalation.

1. I generated a Meterpreter DLL and saved it temporarily as meterpreter.dll.

2. Next I ran ProcMon.exe on a Windows 7 SP1 virtual machine. I left it running for a while and then saved the log to a CSV file, because I was not sure yet what I was looking for in the output.

3. After working with the log file I found a command that returns the DLL files a process tried to open but that were not found (CreateFile operations that ended in NAME NOT FOUND, with Procmon's own lookups filtered out):

grep -i "name not found" Logfile.CSV | grep -i "createfile" | grep -v -i "procmon.exe" | grep -i -e "\.dll"

4. Running the command produced the following results:

5. After some trial and error I found a DLL that explorer.exe tried to load and that was not found: "C:\Windows\System32\wbem\RpcRtRemote.dll". Again, this is a proof-of-concept: if the directory in which a missing DLL is searched for is unprotected or has incorrect permissions, the missing DLL can be replaced with the Meterpreter DLL. I copied meterpreter.dll to that location under the name RpcRtRemote.dll. Note that C:\Windows\System32\wbem is not writable by a standard user by default, which is why the copy was done from an Administrator account; the interesting cases in practice are missing DLLs searched for in directories the current user can already write to.

6. To get explorer.exe to call RpcRtRemote.dll, I found that all I had to do was launch procmon.exe again after having closed it. The staged Meterpreter payload then loaded and I received a Meterpreter session.

7. This is also a way that malware can establish persistence on a system: a DLL planted at a missing-DLL path is loaded every time the host process makes that call, with no autostart entry in the registry or a startup folder for a defender to spot.
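The grep pipeline in step 3 lists every failed lookup, one line per probe, so a DLL that a process searches for on every launch shows up dozens of times and the output needs manual trial and error (step 5). The script below is an added example written for this post, not the author's own code: it applies the same filter to a Process Monitor CSV export (default columns "Process Name", "Operation", "Path", "Result"), de-duplicates the hits with a count, optionally also catches PATH NOT FOUND probes (parent directory missing), and narrows the list to paths whose directory the current account can write to. The embedded sample log is constructed, not a real capture; the writable-directory check uses os.access by default, which on Windows does not evaluate the directory's ACL, so a hit still has to be confirmed with icacls before relying on it.

```python
"""Triage a Process Monitor CSV export for missing-DLL load attempts.

Added example for this post, not the author's code. Assumes the default
Process Monitor CSV columns ("Process Name", "Operation", "Path", "Result");
SAMPLE_CSV below is constructed, not a real capture.
"""
import csv
import io
import ntpath
import os
from collections import Counter

# Constructed sample export in the shape Procmon's File > Save (CSV) produces.
SAMPLE_CSV = '''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1234567 AM","explorer.exe","1234","CreateFile","C:\\Windows\\System32\\wbem\\RpcRtRemote.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.2234567 AM","explorer.exe","1234","CreateFile","C:\\Windows\\System32\\rpcrt4.dll","SUCCESS","Desired Access: Read Attributes"
"10:01:03.3234567 AM","Procmon.exe","4321","CreateFile","C:\\Windows\\System32\\wbem\\RpcRtRemote.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:04.4234567 AM","explorer.exe","1234","CreateFile","C:\\Windows\\System32\\wbem\\RpcRtRemote.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:05.5234567 AM","someapp.exe","2222","CreateFile","C:\\Users\\user\\AppData\\Local\\Temp\\helper.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:06.6234567 AM","someapp.exe","2222","CreateFile","C:\\Users\\user\\AppData\\Local\\Temp\\config.ini","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:07.7234567 AM","someapp.exe","2222","CreateFile","C:\\Program Files\\Vendor\\plugins\\ext.dll","PATH NOT FOUND","Desired Access: Read Attributes"
"10:01:08.8234567 AM","someapp.exe","2222","RegOpenKey","HKLM\\Software\\foo.dll","NAME NOT FOUND",""
'''


def find_missing_dlls(csv_text, exclude_processes=("procmon.exe",),
                      results=("NAME NOT FOUND",)):
    """Return Counter{(process, path): hits} for failed CreateFile on *.dll.

    Same filter as the post's grep pipeline (NAME NOT FOUND, CreateFile, not
    Procmon, path ends in .dll) plus de-duplication, so a DLL probed on every
    launch shows up once with a hit count. Pass
    results=("NAME NOT FOUND", "PATH NOT FOUND") to also catch probes whose
    parent directory does not exist at all.
    """
    excluded = {p.lower() for p in exclude_processes}
    hits = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() in excluded:
            continue
        if row["Operation"] != "CreateFile" or row["Result"] not in results:
            continue
        if not row["Path"].lower().endswith(".dll"):
            continue
        hits[(row["Process Name"], row["Path"])] += 1
    return hits


def plantable(hits, is_writable=None):
    """Keep only hits whose parent directory the current account can write to.

    The default check is os.access(W_OK) on the directory and only makes sense
    when run on the target host; on Windows it does not evaluate the ACL, so
    confirm any hit with icacls. A callback can be injected for offline triage.
    """
    if is_writable is None:
        def is_writable(d):
            return os.path.isdir(d) and os.access(d, os.W_OK)
    # ntpath splits Windows paths correctly even when this runs on Linux.
    return {k: n for k, n in hits.items() if is_writable(ntpath.dirname(k[1]))}


def load_procmon_csv(path):
    """Read a Procmon CSV export (UTF-8 with BOM) into a string."""
    with open(path, encoding="utf-8-sig") as f:
        return f.read()


if __name__ == "__main__":
    import sys
    text = load_procmon_csv(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_CSV
    for (proc, path), n in sorted(find_missing_dlls(text).items()):
        print(f"{n:4d}  {proc:<20} {path}")
```

Run it against a real export with `python triage.py Logfile.CSV`; without an argument it runs over the constructed sample. On the sample, explorer.exe's two probes of RpcRtRemote.dll collapse to one entry with a count of 2, Procmon's own probe is dropped, and only the DLL under the user's Temp directory survives the writable-directory filter.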

