Rapid7 Vulnerability & Exploit Database

DnsAdmin ServerLevelPluginDll Feature Abuse Privilege Escalation

Disclosed: 05/08/2017
Created: 09/10/2020

Description

This module exploits a feature in the DNS service of Windows Server. Members of the DnsAdmins group can use dnscmd.exe to set the `ServerLevelPluginDll` option, which creates a registry value named `ServerLevelPluginDll` under `HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\` that can be made to point to an arbitrary DLL. When the DNS service is then restarted, it loads and executes that DLL, providing us with SYSTEM privileges.

Increasing WfsDelay is recommended when using a UNC path. Users should note that if the DLLPath variable of this module is set to a UNC share that does not exist, the DNS server on the target will not be able to restart. Similarly, if a UNC share is not used and the file is instead dropped onto the disk of the target computer, and it is picked up by anti-virus after the timeout specified by `AVTIMEOUT` expires, it is possible that the `ServerLevelPluginDll` value of the `HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\` key on the target computer will point to a nonexistent DLL, which will also prevent the DNS server from restarting. Users are advised to refer to the documentation for this module for advice on how to resolve this issue should it occur.

This module has only been tested and confirmed to work on Windows Server 2019 Standard Edition; however, it should work against any Windows Server version up to and including Windows Server 2019.
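
A defender-side check for the registry value described above, as an added example that is not part of the Metasploit module or of this page's original content: it reads `ServerLevelPluginDll` on a DNS server and reports where it points, including the missing-DLL case that stops the DNS service from restarting. The function name `Get-DnsPluginDllAudit` and the finding strings are assumptions of this example.

```powershell
# Added example: read-only audit of the DNS service plugin DLL setting.
# Run in an elevated PowerShell session on the DNS server.
function Get-DnsPluginDllAudit {
    [CmdletBinding()]
    param(
        # Registry key named on this page, in PowerShell provider syntax.
        [string]$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
    )

    $valueName = 'ServerLevelPluginDll'
    $svc   = Get-Service -Name 'DNS' -ErrorAction SilentlyContinue
    $entry = Get-ItemProperty -Path $KeyPath -Name $valueName -ErrorAction SilentlyContinue

    $result = [ordered]@{
        DnsServiceStatus = if ($svc) { [string]$svc.Status } else { 'NotInstalled' }
        Configured       = [bool]$entry
        DllPath          = $null
        IsUncPath        = $false
        FileExists       = $null
        SignatureStatus  = $null
        Finding          = 'OK: ServerLevelPluginDll is not set'
    }

    if ($entry) {
        $dll = [string]$entry.$valueName
        $result.DllPath   = $dll
        $result.IsUncPath = $dll.StartsWith('\\')

        if ($result.IsUncPath) {
            # Do not open the share from here: connecting would send this
            # account's credentials to a host that may not be trustworthy.
            $result.Finding = 'REVIEW: plugin DLL is loaded from a UNC path'
        }
        elseif (-not $dll -or -not (Test-Path -LiteralPath $dll -PathType Leaf)) {
            $result.FileExists = $false
            $result.Finding = 'REVIEW: DLL is missing; the DNS service may fail to restart'
        }
        else {
            $result.FileExists = $true
            $result.SignatureStatus = [string](Get-AuthenticodeSignature -LiteralPath $dll).Status
            $result.Finding = if ($result.SignatureStatus -eq 'Valid') {
                'REVIEW: signed plugin present; confirm it is expected'
            } else {
                'REVIEW: plugin DLL is not validly signed'
            }
        }
    }
    [pscustomobject]$result
}

Get-DnsPluginDllAudit | Format-List
```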

Author(s)

  • Shay Ber
  • Imran E. Dawoodjee <imran@threathounds.com>

Platform

Windows

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/windows/local/dnsadmin_serverlevelplugindll
msf exploit(dnsadmin_serverlevelplugindll) > show targets
    ...targets...
msf exploit(dnsadmin_serverlevelplugindll) > set TARGET < target-id >
msf exploit(dnsadmin_serverlevelplugindll) > show options
    ...show and set options...
msf exploit(dnsadmin_serverlevelplugindll) > exploit
