Last weekend I was looking for some possible scenario(s) for a DLL injection case I wanted to solve. Below are a few details about it...
The idea was simple:
- use PowerShell to list the permissions of the target application's directory
- look for interesting permission settings
- replace the DLL with our 0wn
(You can write the DLL yourself, but I used the updated venome script to generate it.)
For the purpose of this post I used 7-Zip as an example. Open the directory where 7-Zip is installed (under "Program Files") and find the file 7z.dll. The file's default permissions are shown below:
We need to change them so that the file can be modified, see below:
Now we are ready.
To check current permissions, we will use icacls again:
As you can see, there is now a new line in the output: "BUILTIN\Users:(M)". This means that our user can now modify the file. We can also use PowerShell to check that:
Let's try something more (aka 'grep in PowerShell' ;)):
So far, so good. Now it's a good time to use venome.sh to generate the replacement DLL:
Cool. Once you have copied h00ker.dll to the Windows VM, set up a meterpreter listener in another window:
Everything is ready to copy our new DLL over the file we can modify, so:
Time to check the new behaviour of 7-Zip (right-click -> 'open archive' on any file):
...and on the other window you should see something like this:
That's all. :)
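As a defender-side complement to the steps above, here is an audit script that finds the misconfiguration this post relies on (DLLs under Program Files that non-admin users can modify) and prints the icacls command to revert it. It is an added example, not code from the original post; the function name Find-UserWritableDll is my own, and the revert line assumes 7-Zip's default install path.

```powershell
function Find-UserWritableDll {
    param(
        # Directories to walk; defaults to both Program Files trees.
        [string[]]$Roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}),
        # Well-known SIDs that should only ever have read/execute on installed
        # binaries: Users, Everyone, Authenticated Users, INTERACTIVE.
        [string[]]$BroadSids = @('S-1-5-32-545', 'S-1-1-0', 'S-1-5-11', 'S-1-5-4')
    )
    # Bits that allow replacing the file or rewriting its ACL. Checking these
    # individually avoids a false hit on ReadAndExecute, which overlaps FullControl.
    $WriteMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
                 [System.Security.AccessControl.FileSystemRights]::Delete -bor
                 [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                 [System.Security.AccessControl.FileSystemRights]::TakeOwnership

    foreach ($Root in ($Roots | Where-Object { $_ -and (Test-Path -LiteralPath $_) })) {
        Get-ChildItem -LiteralPath $Root -Filter *.dll -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $File = $_
            $Acl = Get-Acl -LiteralPath $File.FullName -ErrorAction SilentlyContinue
            if (-not $Acl) { return }
            foreach ($Ace in $Acl.Access) {
                # Compare SIDs, not names, so the check also works on localized Windows.
                try { $Sid = $Ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
                catch { continue }
                if ($Ace.AccessControlType -eq 'Allow' -and $BroadSids -contains $Sid -and
                    ([int]($Ace.FileSystemRights -band $WriteMask)) -ne 0) {
                    [pscustomobject]@{
                        Path      = $File.FullName
                        Principal = $Ace.IdentityReference.Value
                        Rights    = $Ace.FileSystemRights
                        Inherited = $Ace.IsInherited   # $true: fix the parent directory's ACL instead
                    }
                }
            }
        }
    }
}

Find-UserWritableDll | Format-Table -AutoSize

# To revert the grant shown in this post on a confirmed finding (run elevated;
# the path is 7-Zip's default install location):
#   icacls "C:\Program Files\7-Zip\7z.dll" /remove:g "BUILTIN\Users"
```

Inherited entries point at a directory ACL rather than a single file, so fix the directory and let the files re-inherit instead of editing them one by one.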
If you're looking for more examples of apps vulnerable to DLL injection you can find them here or here.
In case of any questions/comments, feel free to ping me on Twitter or leave a note below.
Enjoy your weekend!