
Running programs via Proxy & jumping on a EDR-bypass trampoline, Part 6

March 25, 2018 in - Pass-Thru Command Execution, Anti-*, Living off the land

In my recent post I documented how you can drop your own wmplayer.exe and force it to be loaded via dvdplay.exe. Here, I will show one of many DLLs that we can force to execute a specifically-named executable – mstran40.exe.

The msrepl40.dll’s internal name is ‘Microsoft Replication Library’ – as far as I can guess it is used by the Microsoft database engine – well, at least it exports a number of database-related functions so it must be somehow related. It doesn’t matter too much.

We are going to use one of the exported functions (#2091) that is kind enough to run any executable that is named mstran40.exe – provided a specific registry key is set. The internal name of the aforementioned function #2091 is JetTrClientInit. The mstran40.exe file doesn’t exist on Windows 7 and XP, so when the function attempts to execute it, the system searches the PATH directories and, since it won’t find it there, runs it from the current directory. The trick doesn’t work on Win 10 :(.

The Registry key in question is this:

  • HKLM\SOFTWARE\Microsoft\Jet\4.0\Transporter\TransporterId=GUID

where GUID can be simply this:

  • {00000000-0000-0000-0000-000000000000}

It is required so that the function IIDFromString can succeed in converting it into a proper GUID. We are just providing the conditions for the JetTrClientInit function not to exit prematurely.

See attached animation to see how it works in practice:

Here’s a list of commands:

reg add HKLM\SOFTWARE\Microsoft\Jet\4.0\Transporter /v TransporterId /t REG_SZ /d {00000000-0000-0000-0000-000000000000}

md en-US
copy c:\WINDOWS\system32\en-US\calc.exe.mui c:\test\en-US\mstran40.exe.mui
copy c:\windows\system32\calc.exe c:\test\mstran40.exe

rundll32.exe msrepl40.dll,#2091

And if you are wondering why I am copying the en-US directory and the MUI file: this is to ensure calc.exe (renamed to mstran40.exe) finds its resources, which are stored in a separate file (if I chose a different .exe, e.g. any console-based program, this wouldn’t be necessary, but we all want to see that Calculator, don’t we…).

Running programs via Proxy & jumping on a EDR-bypass trampoline, Part 5

March 15, 2018 in - Pass-Thru Command Execution, Anti-*, EDR, Living off the land

Update

After I posted it, bohops provided one more variant:

rundll32.exe shdocvw.dll, OpenURL [path to file.url]

Thanks!

Old Post

This is nothing new, but just documenting for the sake of documenting.

It crossed my mind to look for all the DLLs that refer to OpenURL – an API that is exported by url.dll – which is used to launch URLs (and was the subject of the first part of the series). I quickly discovered that ieframe.dll also exports an identically named function; some quick googling followed and I noticed it was the subject of a previous analysis (CVE-2016-3353) – as a result, the vulnerability that allowed remote execution of code was patched.

Still, the built-in functionality can help to launch other programs via proxy e.g. using the .url file:

[InternetShortcut]
URL=file:///c:\windows\system32\calc.exe

and running:

rundll32 ieframe.dll, OpenURL <path to local URL file>

will launch calculator.
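
For detection, the artifacts both posts above leave behind (the TransporterId registry value, rundll32 calling msrepl40.dll,#2091 or OpenURL in ieframe.dll, shdocvw.dll or url.dll, and a process named mstran40.exe) can be matched in process-creation and registry telemetry. This is an added example, not code from the original posts; the events are constructed and use Sysmon-style ids and field names as an assumption, and the rule names are hypothetical.

```python
import re

# Exports the posts above invoke through rundll32, keyed by DLL file name.
PROXY_EXPORTS = {
    "msrepl40.dll": {"#2091"},
    "ieframe.dll": {"openurl"},
    "shdocvw.dll": {"openurl"},
    "url.dll": {"openurl"},
}
# Tolerates quoted paths and the optional space after the comma.
RUNDLL = re.compile(
    r'rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>#?\w+)', re.I)
# Suffix match, so a WOW6432Node-redirected path is covered as well.
JET_VALUE = r"\microsoft\jet\4.0\transporter\transporterid"

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def match_event(ev):
    """Return the (hypothetical) rule name an event trips, or None."""
    if ev["id"] == 13 and ev["TargetObject"].lower().endswith(JET_VALUE):
        return "jet-transporterid-set"
    if ev["id"] == 1:
        # Per the post, mstran40.exe is not a stock file on Windows 7 and XP.
        if basename(ev["Image"]) == "mstran40.exe":
            return "mstran40-executed"
        m = RUNDLL.search(ev["CommandLine"])
        if m and m["export"].lower() in PROXY_EXPORTS.get(basename(m["dll"]), ()):
            return "rundll32-proxy-export"
    return None

def scan(events):
    return [(i, rule) for i, ev in enumerate(events) if (rule := match_event(ev))]

# Constructed sample events; id 1 = process creation, id 13 = registry value set.
RUNDLL32 = r"C:\Windows\System32\rundll32.exe"
SAMPLE = [
    {"id": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Jet\4.0\Transporter\TransporterId"},
    {"id": 1, "Image": RUNDLL32, "CommandLine": "rundll32.exe msrepl40.dll,#2091"},
    {"id": 1, "Image": r"C:\test\mstran40.exe", "CommandLine": "mstran40.exe"},
    {"id": 1, "Image": RUNDLL32, "CommandLine": r"rundll32 ieframe.dll, OpenURL C:\test\file.url"},
    {"id": 1, "Image": RUNDLL32, "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
]

if __name__ == "__main__":
    for i, rule in scan(SAMPLE):
        print(i, rule)
```

The last sample event is an ordinary rundll32 call and is deliberately left unmatched, since rundll32 itself is too common to alert on without the DLL and export pair.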