Dwight Hohnstein djhohnstein
@djhohnstein
djhohnstein / ExcelXLL.md
Created November 5, 2020 18:14 — forked from ryhanson/ExcelXLL.md
Execute a DLL via .xll files and the Excel.Application object's RegisterXLL() method

DLL Execution via Excel.Application RegisterXLL() method

A DLL can be loaded and executed via Excel by instantiating the Excel.Application COM object and passing the DLL's path to its RegisterXLL method. The path does not need to be local; it can also be a UNC path that points to a remote WebDAV server.

When delivering via WebDAV, note that the DLL is still written to disk, but the dropped file is not the one loaded into the process. This is the case for any file downloaded via WebDAV; the WebClient service caches them at: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\. Treat that directory as a forensic artifact when hunting for this technique.

The RegisterXLL function expects an XLL add-in, which is essentially a specially crafted DLL with specific exports (for example xlAutoOpen, which Excel calls when the add-in is loaded). More info on XLLs can be found on MSDN.

The XLL can also be executed by double-clicking the .xll file, however there is a security warning. @rxwx has more notes on this here inc

import lief
import struct
import argparse
def main(f=None, n=None, s=None, o=None):
    # f: target PE to modify, n: name for the new section, s: raw shellcode file, o: output path
    try:
        peobj = lief.parse(f)
        scraw = open(s, 'rb').read()
    except FileNotFoundError as e:
        print('[!] {} does not exist. Pass a valid file path.'.format(e.filename))
        return
    if peobj is None:
        # lief.parse() returns None (rather than raising) when the input is not a parsable binary
        print('[!] {} could not be parsed as a PE.'.format(f))
        return
@djhohnstein
djhohnstein / stpgetargtype_dump.json
Created April 17, 2021 20:26 — forked from stevemk14ebr/stpgetargtype_dump.json
DTrace's StpGetArgType accesses a metadata table that stores complete arg type information for every syscall.
[
[
"NtLockProductActivationKeys",
[
"UInt32 *",
"UInt32 *"
]
],
[
"NtLockProductActivationKeys",
@djhohnstein
djhohnstein / extract.cpp
Created May 25, 2021 22:34 — forked from monoxgas/extract.cpp
MacOS Shared DYLD Cache Extraction (Big Sur)
// ref: https://opensource.apple.com/source/dyld/[VERSION]/launch-cache/dsc_extractor.cpp.auto.html
// > SDKROOT=`xcrun --sdk macosx --show-sdk-path`
// > clang++ -o extract extract.cpp
// > mkdir libraries
// > ./extract /System/Library/dyld/dyld_shared_cache_x86_64 `pwd`/libraries/
#include <stdio.h>
#include <stddef.h>
#include <dlfcn.h>
function InvokeCreateCertificate(certSubject, isCA)
{
var CAsubject = certSubject;
var dn = new ActiveXObject("X509Enrollment.CX500DistinguishedName");
dn.Encode( "CN=" + CAsubject, 0);
var issuer = "_TEST_CERT_INSTALL";
var issuerdn = new ActiveXObject("X509Enrollment.CX500DistinguishedName");
issuerdn.Encode("CN=" + issuer, 0);
var key = new ActiveXObject("X509Enrollment.CX509PrivateKey");

Workshop Commands and Functions

Getting Started

Requirements

  • An Internet Connection
  • Docker
  • VirusTotal Account (username and password)
  • The following headers, which can be gathered by examining the headers in Burp or DevTools.
    • X-Recaptcha-Response
@djhohnstein
djhohnstein / CompileInMemory.cs
Created September 2, 2021 16:14 — forked from TheKevinWang/CompileInMemory.cs
Compile and run C# code in memory to avoid anti-virus. Taken from a C# ransomware sample: https://www.bleepingcomputer.com/news/security/new-c-ransomware-compiles-itself-at-runtime/ However, this will still execute csc.exe and drop a dll to %temp% https://twitter.com/Laughing_Mantis/status/991018563296157696
using System;
using System.Collections.Generic;
using System.Text;
using System.CodeDom.Compiler;
using Microsoft.CSharp;
using System.IO;
using System.Reflection;
namespace InMemoryCompiler
{
class Program
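The caveat in the description above (csc.exe still runs, and the compiled DLL lands in %temp%) is exactly what a detection can key on. The following Python example is added here and is not part of the gist or of the ransomware sample it cites: it parses a few constructed Sysmon process-creation records (flattened to one line each, a format I made up for this example) and flags csc.exe launched by a non-build parent with a CodeDom-style response file in the user's Temp directory. Paths, user names and the list of trusted build parents are constructed placeholders to tune for your own estate.

```python
import re
from collections import namedtuple

Event = namedtuple("Event", "image parent cmdline user")

# Parents that legitimately drive csc.exe in bulk; constructed allowlist, tune to your estate.
KNOWN_BUILD_PARENTS = {"devenv.exe", "msbuild.exe", "vbcscompiler.exe", "dotnet.exe"}

# CodeDomProvider hands csc.exe a response file in %TEMP%, e.g.
#   csc.exe /noconfig /fullpaths @"C:\Users\x\AppData\Local\Temp\abcd1234.cmdline"
TEMP_RESPONSE_FILE = re.compile(r'@"?([^"\s]*\\Temp\\[^"\s]*\.cmdline)"?', re.IGNORECASE)


def parse_sysmon_line(line):
    """Parse one flattened Sysmon EventID 1 record ('Key=Value | Key=Value ...')."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return Event(fields.get("Image", ""), fields.get("ParentImage", ""),
                 fields.get("CommandLine", ""), fields.get("User", ""))


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Return (severity, reasons) for a csc.exe launch; severity None means nothing to report."""
    if basename(ev.image) != "csc.exe":
        return None, []
    reasons = []
    if basename(ev.parent) not in KNOWN_BUILD_PARENTS:
        reasons.append("parent %s is not a known build tool" % basename(ev.parent))
    m = TEMP_RESPONSE_FILE.search(ev.cmdline)
    if m:
        reasons.append("CodeDom-style response file in user temp: %s" % m.group(1))
    if not reasons:
        return None, []
    # Both signals together is the runtime-compilation pattern the gist relies on.
    return ("high" if len(reasons) == 2 else "medium"), reasons


def triage(lines):
    """Run classify() over raw records and return alerts as (user, parent, severity, reasons)."""
    alerts = []
    for line in lines:
        ev = parse_sysmon_line(line)
        severity, reasons = classify(ev)
        if severity:
            alerts.append((ev.user, basename(ev.parent), severity, reasons))
    return alerts


# Constructed sample records (not real telemetry).
SAMPLE_LINES = [
    'Image=C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe'
    ' | ParentImage=C:\\Users\\alice\\Downloads\\invoice.exe'
    ' | CommandLine=csc.exe /noconfig /fullpaths @"C:\\Users\\alice\\AppData\\Local\\Temp\\hvzq3d2k.cmdline"'
    ' | User=CORP\\alice',
    'Image=C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe'
    ' | ParentImage=C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Professional\\MSBuild\\Current\\Bin\\MSBuild.exe'
    ' | CommandLine=csc.exe /noconfig @"C:\\src\\app\\obj\\Debug\\app.csproj.rsp"'
    ' | User=CORP\\bob',
    'Image=C:\\Windows\\System32\\notepad.exe | ParentImage=C:\\Windows\\explorer.exe'
    ' | CommandLine=notepad.exe | User=CORP\\alice',
]

if __name__ == "__main__":
    for user, parent, severity, reasons in triage(SAMPLE_LINES):
        print(severity.upper(), user, parent, "; ".join(reasons))
```

Only the first constructed record fires (high): csc.exe spawned by a file in Downloads with a .cmdline response file in Temp. The MSBuild-driven compile is ignored even though it is the same binary, which is the point of scoring on parent plus response-file location rather than on csc.exe alone. Correlating with a Sysmon EventID 11 file-create of a .dll in the same Temp directory would tighten it further.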
@djhohnstein
djhohnstein / ConsoleApp.csproj
Created September 4, 2021 04:52 — forked from AArnott/ConsoleApp.csproj
Async named pipes example
<Project Sdk="Microsoft.NET.Sdk">
<PropertyGroup>
<OutputType>exe</OutputType>
<TargetFrameworks>net472;net5.0-windows</TargetFrameworks>
</PropertyGroup>
<ItemGroup>
<PackageReference Include="System.IO.Pipes.AccessControl" Version="5.0.0" />
</ItemGroup>
@djhohnstein
djhohnstein / Workstation-Takeover.md
Created September 13, 2021 17:46 — forked from gladiatx0r/Workstation-Takeover.md
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure

Overview

In the default configuration of Active Directory, it is possible to remotely take over workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. In short, this is accomplished by:

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

@djhohnstein
djhohnstein / syscall.pl
Created October 27, 2021 18:08 — forked from monoxgas/syscall.pl
Perl syscall/sc injection for MacOS
use DynaLoader;
use Devel::Peek;
use Fcntl;
use 5.008001; # because 5.6 doesn't have B::PV::object_2svref
use Config;
use B (); # for B::PV
sub mmap {
my ($addr, $size, $protect, $flags) = @_;
syscall(197, $addr, $size, $protect, $flags, -1, 0);