
Full Disclosure mailing list archives
DLL hijacking POC (failed, see for yourself)
From: Christian Sciberras <uuf6429 () gmail com>
Date: Thu, 2 Sep 2010 01:43:41 +0200
I wrote my own example POC. The files described herein can be found at:
http://www.megafileupload.com/en/file/264741/DHPOC-zip.html

The above zip file contains: binaries, sources, example (folder structure).
The source code is in Pascal, written in Lazarus to be precise.

There are 3 executables: dhpocApp.exe, dhpocDll.good.dll, dhpocDll.bad.dll

The 2 dlls are renamed to dhpocDll.dll during tests (the example structure):

DHPOC\example\the-install-folder\
DHPOC\example\the-install-folder\dhpocApp.exe
DHPOC\example\the-install-folder\dhpocDll.dll
DHPOC\example\the-remote-folder
DHPOC\example\the-remote-folder\example.dhpoc
DHPOC\example\the-remote-folder\dhpocDll.dll

While testing this, I noticed that the dll hijack exploit completely failed my tests (on Windows 7 64bit). That is, the dll inside the-remote-folder was never loaded, even when example.dhpoc was opened. Also note that in order to fully test it out, I also chdir'd to the target file directory, ie, the-remote-folder; to no avail.

The only way I got it working was by renaming/deleting dhpocDll.dll in the-install-folder to something else, in which case running dhpocApp.exe failed while opening example.dhpoc caused the bad dll to load.

Finally, I tried testing the zip issue mentioned lately. With everything set up correctly (zipped the-remote-folder and the-install-folder uncompressed), it worked as expected, ie the good dll was loaded. After removing the dll from the-install-folder, the program ceased to work correctly, ie, it neither loaded the zipped dll nor could it load the initial dll.

I ran these tests and wrote this code under an hour, so I can guarantee there might be serious flaws around, or things which I should have tested but didn't.

So far, I've run these tests twice, so unless I've got a software fault (which somehow made the software secure?!), this dll hijack issue is either a thing of the past, pretty rare, or pretty much useless (consider the recent POC where the user was required to open a contact book several times before it hopefully worked...).

Cheers,
Christian Sciberras.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
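The behaviour described in the post above falls out of the default Windows DLL search order: with SafeDllSearchMode enabled (the default since XP SP2), an unqualified LoadLibrary("dhpocDll.dll") looks in the application's own directory first, then the system directories, and only then in the current directory, so a copy of the DLL in the-install-folder shadows the one in the-remote-folder no matter which directory the process was started from. The script below is an added example (not the poster's Lazarus code) that emulates that search order over a constructed in-memory folder layout and reports where a given DLL name would resolve, flagging resolutions that land in the current directory or on PATH as the hijack-prone case. The `C:\` drive prefix, the system directory names and the `scenario` helper are assumptions made for the example; known DLLs, manifests and DLL redirection are deliberately ignored.

```python
"""Emulate the default Windows DLL search order (SafeDllSearchMode on).

Added example for the DHPOC post; it is not the poster's code. The filesystem
is a constructed dict mapping lower-cased directory paths to the files in them,
so the script runs offline on any platform.
"""
import ntpath

# Stand-ins for the real system locations (constructed for the example).
SYSTEM_DIR = r"C:\Windows\System32"
SYSTEM16_DIR = r"C:\Windows\System"
WINDOWS_DIR = r"C:\Windows"

# Folder layout from the post, rooted at an assumed C:\ drive.
INSTALL_DIR = r"C:\DHPOC\example\the-install-folder"
REMOTE_DIR = r"C:\DHPOC\example\the-remote-folder"

# Labels for the locations an attacker-controlled folder can plausibly be.
UNTRUSTED_SOURCES = ("current directory", "PATH entry")


def search_order(app_dir, cwd, path_dirs=()):
    """Documented default order with SafeDllSearchMode enabled.

    The current directory is searched *after* the system directories but
    still *before* PATH. (Known DLLs are always taken from System32 on a
    real system; this emulation does not model that special case.)
    """
    return [
        ("application directory", app_dir),
        ("system directory", SYSTEM_DIR),
        ("16-bit system directory", SYSTEM16_DIR),
        ("Windows directory", WINDOWS_DIR),
        ("current directory", cwd),
    ] + [("PATH entry", d) for d in path_dirs]


def resolve_dll(dll_name, fs, app_dir, cwd, path_dirs=()):
    """Return (source_label, full_path) of the first match, or (None, None).

    Matching is case-insensitive, as on NTFS.
    """
    wanted = dll_name.lower()
    for label, directory in search_order(app_dir, cwd, path_dirs):
        for filename in fs.get(directory.lower(), ()):
            if filename.lower() == wanted:
                return label, ntpath.join(directory, filename)
    return None, None


def is_hijack_prone(source_label):
    """A DLL satisfied from the CWD or PATH is the planting scenario."""
    return source_label in UNTRUSTED_SOURCES


def scenario(install_has_dll):
    """Reproduce the post's two tests.

    cwd is the-remote-folder, as when example.dhpoc is opened from there;
    the 'bad' copy of dhpocDll.dll is always present next to example.dhpoc.
    """
    install_files = ["dhpocApp.exe"] + (["dhpocDll.dll"] if install_has_dll else [])
    fs = {
        INSTALL_DIR.lower(): install_files,
        REMOTE_DIR.lower(): ["example.dhpoc", "dhpocDll.dll"],
        SYSTEM_DIR.lower(): ["kernel32.dll"],  # constructed filler
    }
    return resolve_dll("dhpocDll.dll", fs, app_dir=INSTALL_DIR, cwd=REMOTE_DIR)


if __name__ == "__main__":
    for has_dll in (True, False):
        label, path = scenario(has_dll)
        print(f"dll in install folder={has_dll!s:5} -> {label}: {path}"
              f"  hijack-prone={is_hijack_prone(label)}")
```

The first scenario resolves to the application directory and the second to the current directory, which is exactly the pair of outcomes the post reports. The same emulation shows why the standard hardening works: a process that calls `SetDllDirectory("")` (or, on newer systems, `SetDefaultDllDirectories` with `LOAD_LIBRARY_SEARCH_DEFAULT_DIRS`) removes the current directory from the search list entirely, so even a missing DLL in the install folder cannot be satisfied from the folder the document lives in.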