Saturday, 8 September 2018

DLL Injection - part 1

Last weekend I was looking at possible scenarios for a DLL injection case I wanted to solve (strictly speaking it is DLL replacement: overwriting a library the target application loads with one of our own). A few details below...
The idea was simple:
- use PowerShell to check the permissions of the target application's directory
- find interesting settings (files or folders that a normal, non-admin user is allowed to modify)
- replace the DLL with our 0wn

(You can build the DLL yourself, but I used an updated venome script to generate it.)

For the purpose of this post I used 7-Zip as the example. Open the install location (in "Program Files") and find the file 7z.dll. The default permissions of that file are shown below. Note that on a default install a standard user only has read and execute rights under "Program Files", so to reproduce a vulnerable setup we have to weaken the ACL ourselves:

To simulate a misconfigured installation we change the ACL of 7z.dll so that BUILTIN\Users gets modify rights (this step needs an elevated, administrator prompt), see below:

Now we are ready.

To check current permissions, we will use icacls again:

As you can see, there is now a new line in the output: "BUILTIN\Users:(M)". This means that our non-admin user can now modify the file. We can also use PowerShell to check the same thing:

Let's try something more (aka 'grep in PowerShell' ;)):
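The three checks above (icacls, PowerShell, filtering the output) are the manual version of one audit: which files and folders under the application directory can a low-privileged user write to? Below is an added PowerShell script, not from the original post, that does that audit in one go. It assumes the default 7-Zip install path and a fixed list of low-privileged principals; both are assumptions you should adjust for your target. It also confirms each finding by actually opening the file for writing, because reading an ACL can mislead (Deny entries, nested group membership) and the file may simply be locked by a running process.

```powershell
# Added example for this post (not the author's script): find files and folders in an
# application directory that a standard user may modify, which is the precondition
# for the DLL replacement shown in this post.
# Assumptions: default 7-Zip install path and the principal list below.

# Principals every interactive, non-admin user belongs to.
$LowPrivPrincipals = @(
    'BUILTIN\Users',
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a user change an existing file, or plant/rename/delete one in a folder.
$WriteRights = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'

function Get-WeakAce {
    # Returns one object per Allow ACE that gives a low-privileged principal write-type rights.
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if ((([int]$ace.FileSystemRights) -band ([int]$WriteRights)) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $Path
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

function Test-WriteAccess {
    # Empirical check: try to open the file for writing. Nothing is written; the handle
    # is closed immediately. This catches Deny ACEs and group quirks the ACL scan misses.
    param([Parameter(Mandatory)][string]$Path)
    try {
        $fs = [System.IO.File]::Open($Path, 'Open', 'Write', 'ReadWrite')
        $fs.Dispose()
        return $true
    } catch [System.UnauthorizedAccessException] {
        return $false
    } catch [System.IO.IOException] {
        # Sharing violation: the DLL is loaded right now (e.g. 7zFM.exe is running).
        # That is a locking problem, not a permission problem.
        Write-Warning "$Path is in use; close the application and retry"
        return $false
    }
}

function Find-UserWritable {
    param([string]$AppDir = 'C:\Program Files\7-Zip')   # assumption: default install path
    # Check the folder itself first: write access there lets a user drop a DLL under a
    # name the application searches for, even when every existing file is protected.
    Get-WeakAce -Path $AppDir
    Get-ChildItem -LiteralPath $AppDir -Recurse -File |
        Where-Object { $_.Extension -in '.dll', '.exe' } |
        ForEach-Object { Get-WeakAce -Path $_.FullName }
}

# On a clean install this should print nothing. After the deliberate weakening used in
# this post (from an elevated prompt):
#   icacls "C:\Program Files\7-Zip\7z.dll" /grant "Users:(M)"
# you get one row for 7z.dll with Identity BUILTIN\Users and Modify rights.
$hits = @(Find-UserWritable)
foreach ($h in $hits) {
    $writable = Test-WriteAccess -Path $h.Path
    '{0}  [{1}: {2}, inherited={3}]  writable by current user: {4}' -f `
        $h.Path, $h.Identity, $h.Rights, $h.Inherited, $writable
}
# To undo the lab change afterwards (elevated prompt), restore the inherited ACL:
#   icacls "C:\Program Files\7-Zip\7z.dll" /reset
```

Run it as the low-privileged user you are testing with, not as an administrator, otherwise Test-WriteAccess will succeed for every file and tell you nothing. The Inherited column is useful on real systems: an explicit, non-inherited grant to Users on a single DLL is almost always an installer or admin mistake rather than a platform default.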

So far, so good. Now it's time to generate the DLL that will replace the original:

Cool. After copying h00ker.dll to the Windows VM, start a Meterpreter handler in another window:

Everything is ready to copy our new DLL over the file we are now allowed to modify (back up the original 7z.dll first: the generated DLL does not implement any of 7z.dll's exports, so 7-Zip itself will stop working once the payload has fired), so:

Time to check the new behaviour of 7-Zip (right-click -> 'Open archive' on any file):

...and on the other window you should see something like this:

That's all. :)

If you're looking for more examples of apps vulnerable to DLL injection you can find them here or here.

In case of any questions/comments, feel free to ping me on Twitter or leave a note below.

Enjoy your weekend!


