Teams DLL Side-Jacking Cheatsheet

Last updated and confirmed working: 2023-06-20 by Rhino

Joff’s full documentation/instructions here: DLL Side Jacking Feature

  1. Change the following setting in the PayloadBuffet config file, BuffetConfig.yml:
       NetClone:
           enable: True
  2. Run your shellcode through PayloadBuffet as normal.
  3. Open the MANIFEST file included with the output. Search it for: DLLThreadOnAttach: True
  4. Pick one of the DLL payloads where you found DLLThreadOnAttach: True. (Not EXE. Not RDLL.)
  5. For the payload you selected, there should be a version of that payload in the output folder that ends with _version_clone.dll.
    • Example: 0505_SimpleThread_rc_x64_version_clone.7z
      • This particular file from the PayloadBuffet-NG output was tested and working with Teams as of 2023-06-15.
  6. Rename the payload you selected to version.dll.
  7. Upload version.dll to %LOCALAPPDATA%\Microsoft\Teams\current\.
    • Usually: C:\Users\<USERNAME>\AppData\Local\Microsoft\Teams\current\
  8. Optional: Kill and/or restart Teams.exe.
  9. When Teams.exe runs, it loads version.dll and the payload executes.
    • It will take a few minutes for the shell to call back. Be patient when testing this.
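A defender-side check for the artefact these steps leave behind, added here as an example and not part of the original cheatsheet. It assumes the %LOCALAPPDATA%\Microsoft\Teams\current\ path from step 7 and uses the System32 copy of version.dll as the reference; the function name and verdict labels are this example's own.

```powershell
function Test-TeamsVersionDll {
    # Look for a version.dll planted beside Teams.exe in the per-user install
    # directory. Path is an assumption taken from the cheatsheet; adjust per user.
    param(
        [string]$TeamsDir = (Join-Path $env:LOCALAPPDATA 'Microsoft\Teams\current')
    )

    $candidate  = Join-Path $TeamsDir 'version.dll'
    $systemCopy = Join-Path $env:SystemRoot 'System32\version.dll'

    if (-not (Test-Path -LiteralPath $candidate)) {
        return [pscustomobject]@{ Path = $candidate; Verdict = 'OK'; Reason = 'no version.dll beside Teams.exe' }
    }

    # The legitimate version.dll is the Microsoft-signed copy in System32. A copy in
    # the application directory is found first in the DLL search order, which is the
    # behaviour the steps above rely on, so its mere presence is worth a look.
    $sig        = Get-AuthenticodeSignature -LiteralPath $candidate
    $hash       = (Get-FileHash -LiteralPath $candidate -Algorithm SHA256).Hash
    $systemHash = (Get-FileHash -LiteralPath $systemCopy -Algorithm SHA256).Hash

    $reason = if ($sig.Status -ne 'Valid') {
        "signature status $($sig.Status)"
    } elseif ($sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        "signed by $($sig.SignerCertificate.Subject), not Microsoft"
    } elseif ($hash -ne $systemHash) {
        'Microsoft-signed but differs from the System32 copy'
    } else {
        $null
    }

    [pscustomobject]@{
        Path    = $candidate
        SHA256  = $hash
        Signer  = $sig.SignerCertificate.Subject
        Verdict = if ($reason) { 'SUSPICIOUS' } else { 'REVIEW' }
        Reason  = if ($reason) { $reason } else { 'identical to System32 copy, but out of place beside Teams.exe' }
    }
}

# Run as the affected user. An unsigned or non-Microsoft version.dll here is the
# file dropped in step 7. At runtime, Sysmon Event ID 7 (ImageLoaded) with an
# ImageLoaded path ending in \Teams\current\version.dll catches the load itself.
Test-TeamsVersionDll | Format-List
```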