Message-ID: <4C7F2288.8060409@p8x.net>
Date: Thu, 02 Sep 2010 12:05:28 +0800
From: p8x <l@....net>
To: Christian Sciberras <uuf6429@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: DLL hijacking POC (failed, see for yourself)
Hi Christian,
I noticed MS pushed out an update a couple of days ago - on the PCs
that have had the update applied the POC does not work for me, whereas
on an unpatched machine the POC works.
Has that update been installed?
p8x
On 2/09/2010 7:43 AM, Christian Sciberras wrote:
> I wrote my own example POC.
>
> The files described herein can be found at:
> http://www.megafileupload.com/en/file/264741/DHPOC-zip.html
>
> The above zip file contains: binaries, sources, example (folder structure)
>
> The source code is in Pascal, written in Lazarus to be precise.
>
> There are 3 executables: dhpocApp.exe, dhpocDll.good.dll, dhpocDll.bad.dll
> The 2 dlls are renamed to dhpocDll.dll during tests (the example structure):
>
> DHPOC\example\the-install-folder\
> DHPOC\example\the-install-folder\dhpocApp.exe
> DHPOC\example\the-install-folder\dhpocDll.dll
> DHPOC\example\the-remote-folder
> DHPOC\example\the-remote-folder\example.dhpoc
> DHPOC\example\the-remote-folder\dhpocDll.dll
>
> While testing this, I noticed that the dll hijack exploit completely
> failed my tests (on Windows 7 64bit).
> That is, the dll inside the-remote-folder was never loaded, that is,
> even when example.dhpoc was opened.
> Also note that in order to fully test it out, I also chdir'd to the
> target file directory, ie, the-remote-folder; to no avail.
>
> The only way I got it working was by renaming/deleting dhpocDll.dll in
> the-install-folder to something else, in which case running
> dhpocApp.exe failed while opening example.dhpoc caused the bad dll to
> load.
>
> Finally, I tried testing the zip issue mentioned lately.
>
> With everything set up correctly (zipped the-remote-folder and
> the-install-folder uncompressed), it worked as expected, ie the good
> dll was loaded.
> After removing the dll from the-install-folder, the program ceased to
> work correctly, ie, it neither loaded the zipped dll nor could it load
> the initial dll.
>
> I ran these tests and wrote this code under an hour, so I can
> guarantee there might be serious flaws around, or things which I
> should have tested but didn't.
> So far, I've run these tests twice, so unless I've got a software
> fault (which somehow made the software secure?!), this dll hijack
> issue is either a thing of the past, pretty rare, or, pretty much
> useless (consider the recent POC where the user was required to open a
> contact book several before it hopefully worked...).
>
> Cheers,
> Christian Sciberras.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
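As an added example (not code from either poster), the search-order model below reproduces the behaviour Christian reports: the copy in the-install-folder always wins, and the copy next to the opened document is only reached once the install-folder copy is removed. Directory names come from his layout; the system directories, file sets and option flags are constructed for the demo.

```python
# Added example, not code from the thread: a small model of the Windows DLL
# search order. Directory and DLL names come from Christian's layout; the
# system directories and the sets of "present" files are constructed here.
from typing import Iterable, Optional, Set, Tuple

FileSet = Set[Tuple[str, str]]  # (directory, dll name), compared case-insensitively

INSTALL = r"DHPOC\example\the-install-folder"     # where dhpocApp.exe lives
REMOTE = r"DHPOC\example\the-remote-folder"       # where example.dhpoc is opened
SYSTEM = [r"C:\Windows\System32", r"C:\Windows"]  # constructed system directories


def resolve_dll(name: str, app_dir: str, system_dirs: Iterable[str], cwd: str,
                path_dirs: Iterable[str], present: FileSet,
                safe_search: bool = True, cwd_removed: bool = False) -> Optional[str]:
    """Return the directory the loader would take `name` from, or None.

    safe_search models SafeDllSearchMode (on by default since XP SP2): the
    current directory is searched after the system directories, not before.
    cwd_removed models the CWDIllegalInDllSearch option that the August 2010
    update made available, which drops the current directory from the search.
    KnownDLLs, already-loaded modules and manifests are not modelled.
    """
    if safe_search:
        order = [app_dir] + list(system_dirs) + [cwd]
    else:
        order = [app_dir, cwd] + list(system_dirs)
    order += list(path_dirs)
    if cwd_removed:
        order = [d for d in order if d != cwd]
    for d in order:
        if (d.lower(), name.lower()) in present:
            return d
    return None


def loaded_from_cwd(name: str, app_dir: str, cwd: str, present: FileSet, **opts) -> bool:
    """Defender's check per imported DLL name: would this import be satisfied
    from the directory of the opened document rather than app or system dirs?"""
    return resolve_dll(name, app_dir, SYSTEM, cwd, [], present, **opts) == cwd


def dhpoc_scenario(install_has_dll: bool, **opts) -> Optional[str]:
    """Christian's layout: the 'bad' copy sits in the-remote-folder; the
    'good' copy is in the-install-folder only when install_has_dll is True."""
    present: FileSet = {(SYSTEM[0].lower(), "kernel32.dll"),
                        (REMOTE.lower(), "dhpocdll.dll")}
    if install_has_dll:
        present.add((INSTALL.lower(), "dhpocdll.dll"))
    return resolve_dll("dhpocDll.dll", INSTALL, SYSTEM, REMOTE, [], present, **opts)
```

Running dhpoc_scenario(True), dhpoc_scenario(False) and dhpoc_scenario(False, cwd_removed=True) gives the-install-folder, the-remote-folder and None respectively, matching the three outcomes described in the thread.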