lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <AANLkTinHSi9UYUeDsBZSEVMR+o5QM6AzFpFwCNXXtqoS@mail.gmail.com>
Date: Thu, 2 Sep 2010 01:43:41 +0200
From: Christian Sciberras <uuf6429@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject:  DLL hijacking POC (failed, see for yourself)

I wrote my own example POC.

The files described herein can be found at:
http://www.megafileupload.com/en/file/264741/DHPOC-zip.html

The above zip files contains: binaries, sources, example (folder structure)

The source code is in Pascal, written in Lazarus to be precise.

There are 3 executables: dhpocApp.exe, dhpocDll.good.dll, dhpocDll.bad.dll
The 2 dlls are renamed to dhpocDll.dll during tests (the example structure):

DHPOC\example\the-install-folder\
DHPOC\example\the-install-folder\dhpocApp.exe
DHPOC\example\the-install-folder\dhpocDll.dll
DHPOC\example\the-remote-folder
DHPOC\example\the-remote-folder\example.dhpoc
DHPOC\example\the-remote-folder\dhpocDll.dll

While testing this, I noticed that the dll hijack exploit completely
failed my tests (on Windows 7 64bit).
That is, the dll inside the-remote-folder was never loaded, that is,
even when example.dhpoc was opened.
Also not that in order to fully test it out, I also chdir'd to the
target file directory, ie, the-remote-folder; to no avail.

The only way I got it working was by renaming/deleting dhpocDll.dll in
the-install-folder to something else, in which case running
dhpocApp.exe failed while opening example.dhpoc caused the bad dll to
load.

Finally, I tried testing the zip issue mentioned lately.

With everything set up correctly (zipped the-remote-folder and
the-install-folder uncompressed), it worked as expected, ie the good
dll was loaded.
After removing the dll from the-install-folder, the program ceased to
work correctly, ie, it neither loaded the zipped dll nor could it load
the initial dll.




I ran these tests and wrote this code under an hour, so I can
guarantee there might be serious flaws around, or things which I
should have tested but didn't.
So far, I've ran these tests twice, so unless I've got a software
fault (which somehow made the software secure?!), this dll hijack
issue is either a thing of the best, pretty rare, or, pretty much
useless (consider the recent POC where the user was required to open a
contact book several before it hopefully worked...).



Cheers,
Christian Sciberras.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ