Reflective DLL Injection, Windows x86 Bind Named Pipe Stager - Metasploit


This page contains detailed information about how to use the payload/windows/dllinject/bind_named_pipe metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.

Table Of Contents
hide

Module Overview

Name: Reflective DLL Injection, Windows x86 Bind Named Pipe Stager
Module: payload/windows/dllinject/bind_named_pipe
Source code: modules/payloads/stagers/windows/bind_named_pipe.rb
Disclosure date: -
Last modification time: 2020-09-22 02:56:51 +0000
Supported architecture(s): x86
Supported platform(s): Windows
Target service / protocol: -
Target network port(s): -
List of CVEs: -

Inject a DLL via a reflective loader. Listen for a pipe connection (Windows x86)

Module Ranking and Traits

Module Ranking:

  • normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.

Basic Usage

msf > use payload/windows/dllinject/bind_named_pipe
msf payload(bind_named_pipe) > show options
    ... show and set options ...
msf payload(bind_named_pipe) > generate

To learn how to generate payload/windows/dllinject/bind_named_pipe with msfvenom, please read this.

Required Options

  • DLL: The local path to the Reflective DLL to upload

Go back to menu.

Msfconsole Usage

Here is how the windows/dllinject/bind_named_pipe payload looks in the msfconsole:

msf6 > use payload/windows/dllinject/bind_named_pipe

msf6 payload(windows/dllinject/bind_named_pipe) > show info

       Name: Reflective DLL Injection, Windows x86 Bind Named Pipe Stager
     Module: payload/windows/dllinject/bind_named_pipe
   Platform: Windows
       Arch: x86
Needs Admin: No
 Total size: 349
       Rank: Normal

Provided by:
  sf <[email protected]>
  UserExistsError

Basic options:
Name       Current Setting  Required  Description
----       ---------------  --------  -----------
DLL                         yes       The local path to the Reflective DLL to upload
EXITFUNC   process          yes       Exit technique (Accepted: '', seh, thread, process, none)
LPORT      445              yes       SMB port
PIPENAME   msf-pipe         yes       Name of the pipe to connect to
RHOST                       no        Host of the pipe to connect to
SMBDomain  .                no        The Windows domain to use for authentication
SMBPass                     no        The password for the specified username
SMBUser                     no        The username to authenticate as

Description:
  Inject a DLL via a reflective loader. Listen for a pipe connection 
  (Windows x86)

Module Options

This is a complete list of options available in the windows/dllinject/bind_named_pipe payload:

msf6 payload(windows/dllinject/bind_named_pipe) > show options

Module options (payload/windows/dllinject/bind_named_pipe):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   DLL                         yes       The local path to the Reflective DLL to upload
   EXITFUNC   process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LPORT      445              yes       SMB port
   PIPENAME   msf-pipe         yes       Name of the pipe to connect to
   RHOST                       no        Host of the pipe to connect to
   SMBDomain  .                no        The Windows domain to use for authentication
   SMBPass                     no        The password for the specified username
   SMBUser                     no        The username to authenticate as

Advanced Options

Here is a complete list of advanced options supported by the windows/dllinject/bind_named_pipe payload:

msf6 payload(windows/dllinject/bind_named_pipe) > show advanced

Module advanced options (payload/windows/dllinject/bind_named_pipe):

   Name                       Current Setting  Required  Description
   ----                       ---------------  --------  -----------
   EnableStageEncoding        false            no        Encode the second stage payload
   PayloadUUIDName                             no        A human-friendly name to reference this unique payload (requires tracking)
   PayloadUUIDRaw                              no        A hex string representing the raw 8-byte PUID value for the UUID
   PayloadUUIDSeed                             no        A string to use when generating the payload UUID (deterministic)
   PayloadUUIDTracking        false            yes       Whether or not to automatically register generated UUIDs
   PingbackRetries            0                yes       How many additional successful pingbacks
   PingbackSleep              30               yes       Time (in seconds) to sleep between pingbacks
   PrependMigrate             false            yes       Spawns and runs shellcode in new process
   PrependMigrateProc                          no        Process to spawn and run shellcode in
   SMBDirect                  true             yes       The target port is a raw SMB service (not NetBIOS)
   StageEncoder                                no        Encoder to use if EnableStageEncoding is set
   StageEncoderSaveRegisters                   no        Additional registers to preserve in the staged payload if EnableStageEncoding is set
   StageEncodingFallback      true             no        Fallback to no encoding if the selected StageEncoder is not compatible
   VERBOSE                    false            no        Enable detailed status messages
   WAIT_TIMEOUT               10               no        Seconds pipe will wait for a connection
   WORKSPACE                                   no        Specify the workspace for this module

Go back to menu.

References

See Also

Check also the following modules related to this module:

Authors

  • sf
  • UserExistsError

Version

This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.

Go back to menu.