module
DnsAdmin ServerLevelPluginDll Feature Abuse Privilege Escalation
| Disclosed | Created |
|---|---|
| 05/08/2017 | 09/10/2020 |
Disclosed
05/08/2017
Created
09/10/2020
Description
This module exploits a feature in the DNS service of Windows Server. Users of the DnsAdmins group can set the
`ServerLevelPluginDll` value using dnscmd.exe to create a registry key at `HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\`
named `ServerLevelPluginDll` that can be made to point to an arbitrary DLL. After doing so, restarting the service
will load the DLL and cause it to execute, providing us with SYSTEM privileges. Increasing WfsDelay is recommended
when using a UNC path.
Users should note that if the DLLPath variable of this module is set to a UNC share that does not exist,
the DNS server on the target will not be able to restart. Similarly if a UNC share is not utilized, and
users instead opt to drop a file onto the disk of the target computer, and this gets picked up by Anti-Virus
after the timeout specified by `AVTIMEOUT` expires, its possible that the `ServerLevelPluginDll` value of the
`HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\` key on the target computer may point to an nonexistant DLL,
which will also prevent the DNS server from being able to restart. Users are advised to refer to the documentation for
this module for advice on how to resolve this issue should it occur.
This module has only been tested and confirmed to work on Windows Server 2019 Standard Edition, however it should work against any Windows
Server version up to and including Windows Server 2019.
`ServerLevelPluginDll` value using dnscmd.exe to create a registry key at `HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\`
named `ServerLevelPluginDll` that can be made to point to an arbitrary DLL. After doing so, restarting the service
will load the DLL and cause it to execute, providing us with SYSTEM privileges. Increasing WfsDelay is recommended
when using a UNC path.
Users should note that if the DLLPath variable of this module is set to a UNC share that does not exist,
the DNS server on the target will not be able to restart. Similarly if a UNC share is not utilized, and
users instead opt to drop a file onto the disk of the target computer, and this gets picked up by Anti-Virus
after the timeout specified by `AVTIMEOUT` expires, its possible that the `ServerLevelPluginDll` value of the
`HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\` key on the target computer may point to an nonexistant DLL,
which will also prevent the DNS server from being able to restart. Users are advised to refer to the documentation for
this module for advice on how to resolve this issue should it occur.
This module has only been tested and confirmed to work on Windows Server 2019 Standard Edition, however it should work against any Windows
Server version up to and including Windows Server 2019.
Authors
Shay BerImran E. Dawoodjee
Platform
Windows
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
msf > use exploit/windows/local/dnsadmin_serverlevelplugindll
msf /(l) > show actions
...actions...
msf /(l) > set ACTION < action-name >
msf /(l) > show options
...show and set options...
msf /(l) > run
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.