[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <AANLkTinxo-2Px6u0RdoP8KzEHKZY06NSjofOaHFeaE8J@mail.gmail.com>
Date: Thu, 2 Sep 2010 08:17:03 +0200
From: Christian Sciberras <uuf6429@...il.com>
To: p8x <l@....net>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: DLL hijacking POC (failed, see for yourself)
It was tested on a fully patched version of Windows.
Even so, I find it a bit weird that they changed this much functionality
abruptly.
I'll have to check the recent updates about this.
Cheers,
Chris.
On Thu, Sep 2, 2010 at 6:05 AM, p8x <l@....net> wrote:
> Hi Christian,
>
> I noticed MS pushed out an update a couple of days ago - on the PC's that
> have had the update applied the POC does not work for me, where as an
> unpatched machine the POC works.
>
> Has that update been installed?
>
> p8x
>
>
> On 2/09/2010 7:43 AM, Christian Sciberras wrote:
>
>> I wrote my own example POC.
>>
>> The files described herein can be found at:
>> http://www.megafileupload.com/en/file/264741/DHPOC-zip.html
>>
>> The above zip files contains: binaries, sources, example (folder
>> structure)
>>
>> The source code is in Pascal, written in Lazarus to be precise.
>>
>> There are 3 executables: dhpocApp.exe, dhpocDll.good.dll, dhpocDll.bad.dll
>> The 2 dlls are renamed to dhpocDll.dll during tests (the example
>> structure):
>>
>> DHPOC\example\the-install-folder\
>> DHPOC\example\the-install-folder\dhpocApp.exe
>> DHPOC\example\the-install-folder\dhpocDll.dll
>> DHPOC\example\the-remote-folder
>> DHPOC\example\the-remote-folder\example.dhpoc
>> DHPOC\example\the-remote-folder\dhpocDll.dll
>>
>> While testing this, I noticed that the dll hijack exploit completely
>> failed my tests (on Windows 7 64bit).
>> That is, the dll inside the-remote-folder was never loaded, that is,
>> even when example.dhpoc was opened.
>> Also not that in order to fully test it out, I also chdir'd to the
>> target file directory, ie, the-remote-folder; to no avail.
>>
>> The only way I got it working was by renaming/deleting dhpocDll.dll in
>> the-install-folder to something else, in which case running
>> dhpocApp.exe failed while opening example.dhpoc caused the bad dll to
>> load.
>>
>> Finally, I tried testing the zip issue mentioned lately.
>>
>> With everything set up correctly (zipped the-remote-folder and
>> the-install-folder uncompressed), it worked as expected, ie the good
>> dll was loaded.
>> After removing the dll from the-install-folder, the program ceased to
>> work correctly, ie, it neither loaded the zipped dll nor could it load
>> the initial dll.
>>
>>
>>
>>
>> I ran these tests and wrote this code under an hour, so I can
>> guarantee there might be serious flaws around, or things which I
>> should have tested but didn't.
>> So far, I've ran these tests twice, so unless I've got a software
>> fault (which somehow made the software secure?!), this dll hijack
>> issue is either a thing of the best, pretty rare, or, pretty much
>> useless (consider the recent POC where the user was required to open a
>> contact book several before it hopefully worked...).
>>
>>
>>
>> Cheers,
>> Christian Sciberras.
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>
>
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists