sobota, 8 września 2018

DLL Injection - part 1

During last weekend I was looking for some possible scenario(s) for DLL injection case I wanted to solve. Below few deatils about it...
Idea was simple:
- use Powershell to get permissions of the target-app directory
- find interesting settings
- replace DLL for our 0wn

(You can create DLL for your own but I used updated venome script to generate it.)

For the purpose of this post I used 7-zip as an example. Open your location of installed (in "Program Files") 7-zip and find the file 7z.dll. Default settings of the file you'll see below:


We need to change it to add the possibility of modifying, see below:


Now we are ready.

To check current permissions, we will use icacls again:


As you can see now we have a new line in the output: "BUILTIN\Users:(M)". This means that our user can now modify the file. We can also use powershell to do that:


Let's try something more (aka 'grep in powershell' ;)):


So far, so good. Now it's good time to use venome.sh and generate a DLL to replace:


Cool. When you'll copy h00ker.dll to the Windows VM you can now set up a meterpreter in other window:


 All is prepared to copy our new DLL to the location of the file we can modify, so:


Time to check the new behaviour of 7-zip (right-click -> 'open archive' on any file):


...and on the other window you should see something like this:


That's all. :)

If you're looking for more examples of apps vulnerable to DLL injection you can find them here or here.

In case of any questions/comments - feel free to ping me at twitter or leave a note below.

Enjoy your weekend!

Cheers
o/



P.S.

Brak komentarzy:

Prześlij komentarz