Skip to content
Implementation of the .NET Profiler DLL hijack in C#
C# C C++
Branch: master
Clone or download
Latest commit 1171f0d Dec 14, 2018
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
DNH Initial commit Dec 14, 2018
Payload Initial commit Dec 14, 2018
.gitignore Initial commit Dec 14, 2018
README.md Initial commit Dec 14, 2018

README.md

.NET Profiler DLL Hijack

Background

The .NET Framework can be coerced into loading a profiling DLL into any .NET assembly when launched. This is done when a handful of environment variables and registry keys are set. For a full write-up you can view this blog here: https://offsec.provadys.com/UAC-bypass-dotnet.html

Building and Using

The "Payload" project holds the main DLL to drop to disk. This DLL simply executes the specified command (but could be more). In the case of this project it starts mshta.exe pointing to an HTA file dropped to disk. If you want to change the command ran, you'll have to edit dllmain.cpp.

The "DNH" project is the staging executable. For this project, you should ADD two resources: the Payload.dll and the HTA file you wish to execute. The DNH project prepares the environment variables, writes the payload dll and evil hta to disk, then launches a process that uses the .NET framework. After it's been executed it cleans up the registry keys and environment variables set. You should see the HTA running with elevated rights. To change the staging process, edit Program.cs as required.

Your command doesn't have to involve any HTAs, it can be any arbitrary code. This was just the quickest way I found to weaponize it. Once DNH.exe is built, simply issue execute-assembly from beacon or otherwise to execute.

You can’t perform that action at this time.