source: https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows
This technique relies on a Windows quirk known as "mock directories": an "imitation" directory created by taking the path of a real directory and appending a trailing space to its name. Such directories cannot be created from the Explorer UI, only from a program or a shell script, and the mock directory also needs a subdirectory inside it.
An example of it could be:
Code:
C:\Windows \syswow64\
For certain directories and certain applications, Windows allows elevation without a UAC prompt (auto-elevation). Windows applies this rule to applications inside a mock directory as well. So if we copy an application from its original directory into our mock one, we can run it as administrator without a UAC prompt. We can also copy alongside it a DLL that the application requires, with arbitrary code embedded in it.
A list of vulnerable applications is available in dll_hijacking_candidates.csv in the wietze/windows-dll-hijacking repository on GitHub (a project for identifying executables and DLLs vulnerable to relative path DLL hijacking).
In order to proceed, we need to craft the malicious DLL. To craft one we need a DLL template, which we can obtain either by rebuilding the export address table (EAT) of the original DLL or by using a readily available source for that DLL.
Further information on how to craft the DLL can be found in the wietze/windows-dll-hijacking repository on GitHub.
An example of weaponization of this technique is to download the DLL and the EXE, then create the mock directory with this PowerShell command:
Code:
New-Item "\\?\C:\Windows \System32" -ItemType Directory  # if the target DLL is 64-bit
Code:
New-Item "\\?\C:\Windows \SysWOW64" -ItemType Directory  # if the target DLL is 32-bit
After that we can copy the DLL and the app into the newly created directory and run them to execute local admin code without a UAC prompt.
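The detection-side counterpart, added here and not part of the original post or of the wietze/windows-dll-hijacking project: a PowerShell hunt that lists directories whose name ends in a trailing space (the mock directories described above), flags the ones that shadow a real directory such as C:\Windows, and reports any EXE or DLL files staged inside them. It assumes PowerShell 7 on Windows; the function name Find-MockDirectory and its $Roots parameter are my own.

```powershell
# Added detection example (not from the original post). Assumes PowerShell 7 on Windows.
function Find-MockDirectory {
    param([string[]]$Roots = @('C:\'))   # assumed parameter: drive roots to inspect

    foreach ($root in $Roots) {
        # The \\?\ prefix turns off Win32 path normalisation, so a name such as
        # "Windows " keeps its trailing space instead of being silently trimmed.
        $raw = '\\?\' + $root.TrimEnd('\') + '\'

        foreach ($dir in [System.IO.Directory]::GetDirectories($raw)) {
            $leaf = [System.IO.Path]::GetFileName($dir)
            if ($leaf -ceq $leaf.TrimEnd()) { continue }   # ordinary name, nothing to see

            # A mock directory matters when the trimmed name exists too,
            # e.g. "C:\Windows " sitting next to the genuine "C:\Windows".
            $twin        = [System.IO.Path]::Combine($raw, $leaf.TrimEnd())
            $shadowsReal = [System.IO.Directory]::Exists($twin)

            # Executables and DLLs staged anywhere inside the mock tree.
            $staged = [System.IO.Directory]::EnumerateFiles($dir, '*', 'AllDirectories') |
                Where-Object { $_ -match '\.(exe|dll)$' } |
                ForEach-Object { $_.Substring(4) }        # drop the \\?\ prefix for readability

            [pscustomobject]@{
                MockPath    = $dir.Substring(4)
                ShadowsReal = $shadowsReal
                CreatedUtc  = [System.IO.Directory]::GetCreationTimeUtc($dir)
                StagedFiles = @($staged)
            }
        }
    }
}

# Run as an administrator; anything with ShadowsReal = True deserves a closer look.
Find-MockDirectory | Format-List
```

Pair the filesystem hunt with process-creation telemetry: an image path containing a directory component that ends in a space (for example "\Windows \System32\") is a strong indicator of this technique.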