... | ... | @@ -11,7 +11,7 @@ Cases in which it's possible to still DLL Hijack are: |
|
|
|
|
|
## Walk-through
|
|
|
|
|
|
##### This section is encompass a walk-through of finding vulnerable programs and making DLL hijacking them to get escalated code execution.
|
|
|
##### This section will encompass a walk-through of finding vulnerable programs and DLL hijacking them to get escalated code execution.
|
|
|
|
|
|
The easiest way to find vulnerable program to search a CVE database.
|
|
|
In the example I use for this walk-trough I used https://cve.mitre.org/ and looked for commonly used programs susceptible to DLL Hijacking.
|
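Review bot: the revised sentence fixes "is encompass", but the two context lines that follow in this hunk still carry grammar errors that the same commit could clean up: "The easiest way to find vulnerable program to search a CVE database." is missing a verb and an article (suggest "The easiest way to find a vulnerable program is to search a CVE database."), and "walk-trough" in the next sentence should read "walk-through", matching the section heading.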
... | ... | @@ -39,12 +39,12 @@ After Ghidra chews through the program you should have symbol tree on the left. |
|
|
|
|
|
Weirdly enough AVRT.dll doesn't have an function calls in Audacity but that's ok because as long as it loads the dll we can get code execution.
|
|
|
|
|
|
Now that we have the target dll and the functions that are called it's time to make a fake DLL to replace it. The best program for this is Visual Studio. You can just make a dll project which will start you with all basic code needed for a function dll.
|
|
|
Now that we have the target dll and the functions that are called it's time to make a fake DLL to replace it. The best program for this is Visual Studio. You can just make a dll project which will start you with all the basic code needed for a functional dll.
|
|
|
|
|
|
My custom AVRT.dll looks something like this:
|
|
|

|
|
|
|
|
|
This dll spawns a new cmd window every 5 seconds audacity is open, it's more to be annoying than malicious but you could also make basically any system call or execute power shell script with this method as well. The DLLMain is the same as any main function in a general c++ program and DLL_PROCESS_ATTACH is called when the dll is loaded by the program which means you can put code there to have it execute on load.
|
|
|
This dll spawns a new cmd window every 5 seconds Audacity is open, it's more to be annoying than malicious but you could also make basically any system call or execute power shell script with this method as well. The DLLMain is the same as any main function in a general c++ program and DLL_PROCESS_ATTACH is called when the dll is loaded by the program which means you can put code there to have it execute on load.
|
|
|
|
|
|
After writing the code just build the dll in VS. Then rename it and drop it somewhere the program will execute, the safest bet is in the same folder as the program executable.
|
|
|

|
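Review bot: the paragraph describing the custom DLL is still technically imprecise in the new version: "DLLMain" is spelled DllMain in the Windows API, and DLL_PROCESS_ATTACH is not "called" but is the reason code the loader passes to DllMain when the DLL is mapped into the process, so suggest "DllMain is called by the loader with DLL_PROCESS_ATTACH when the program loads the DLL, which means code placed in that branch runs on load". In the same hunk, "power shell" should be "PowerShell", and the earlier context line "doesn't have an function calls" should read "doesn't have any function calls". Since the walk-through explains that the DLL is loaded from the program's own folder, this is also the natural place to document why that works and how it is prevented (the loader's search order and the option of loading DLLs by fully qualified path), so a reader learns the fix alongside the finding.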
... | ... | @@ -53,8 +53,7 @@ Notice how the dll doesn't standout, it looks just like any other dll file that |
|
|
|
|
|

|
|
|
|
|
|
|
|
|
|
|
|
That's a lot of cmd windows!
|
|
|
|
|
|
#### Sources:
|
|
|
https://hacknpentest.com/windows-privilege-escalation-dll-hijacking/ |
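Review bot: the hunk header context "doesn't standout" should read "doesn't stand out", and the "#### Sources:" heading lists a single link, so either drop the trailing colon to match the other headings in the file or add the CVE database entry mentioned earlier in the walk-through (cve.mitre.org) as a second source, since the text relies on it.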