DLL Hijacking: what’s new?

This vulnerability is not as new as many people think; in fact I’ve seen this approach many times in the past, usually in cracking and unpacking work, but the concept is still the same.

There are tons of vulnerable targets. I looked through my Program Files directory for some bugged applications and, as expected, found two targets in less than fifteen minutes.

The first vulnerable app I found is mIRC 7.15; take a look at these pictures from ProcMon:

As you can see, mIRC checks everywhere to find “libeay32.dll” and “dwmapi.dll”, so anyone could build a fake library to inject/run their payload when mIRC is started. I’ve built a little POC that pops up a msgbox; you can find it here (it must be placed in mIRC’s directory).

Rar MD5 checksum: a4de3f6a0482263322042be4c0cf1ad5

Another bugged app is Babylon-Pro:

Same as before: Babylon looks for “besextension.dll”, so you can use the previous exploit just by renaming it and placing it in Babylon’s folder.
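The ProcMon screenshots above are the whole hunt: a process probes its own directory for a DLL, gets NAME NOT FOUND, and only then falls through to System32 (or gives up). The script below is an added example, not code from the original post, that does that triage automatically over a Process Monitor CSV export ("Save as CSV" keeps the Time of Day / Process Name / PID / Operation / Path / Result / Detail columns). The sample rows are constructed for this example to mirror the mIRC and Babylon cases and are not copied from the screenshots; a real export can be passed to the same functions.

```python
import csv
import io

# Constructed sample rows in the column layout of a Process Monitor CSV export.
# These lines are made up for this example; they are not the post's screenshots.
SAMPLE_PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.0000001 AM","mirc.exe","1234","CreateFile","C:\Program Files\mIRC\bundled.dll","SUCCESS","Desired Access: Read Attributes"
"10:01:02.0000002 AM","mirc.exe","1234","CreateFile","C:\Program Files\mIRC\dwmapi.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.0000003 AM","mirc.exe","1234","CreateFile","C:\Windows\System32\dwmapi.dll","SUCCESS","Desired Access: Read Attributes"
"10:01:02.0000004 AM","mirc.exe","1234","CreateFile","C:\Program Files\mIRC\libeay32.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.0000005 AM","mirc.exe","1234","CreateFile","C:\Windows\System32\libeay32.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.0000006 AM","mirc.exe","1234","CreateFile","C:\Program Files\mIRC\mirc.ini","NAME NOT FOUND","Desired Access: Generic Read"
"10:01:02.0000007 AM","mirc.exe","1234","RegQueryValue","HKLM\SOFTWARE\Classes\.dll","SUCCESS","Type: REG_SZ"
"10:01:05.0000001 AM","Babylon.exe","2222","CreateFile","C:\Program Files\Babylon\besextension.dll","NAME NOT FOUND","Desired Access: Read Attributes"
'''


def parse_procmon_csv(text):
    """Rows of a ProcMon CSV export as dicts keyed by the header names."""
    return list(csv.DictReader(io.StringIO(text)))


def dll_probes(rows):
    """Map (process name, dll file name) -> ordered [(path, result), ...],
    keeping only CreateFile operations on .dll paths (the loader's probing
    shows up in ProcMon as CreateFile, not as Load Image)."""
    probes = {}
    for row in rows:
        if row["Operation"] != "CreateFile":
            continue
        path = row["Path"]
        if not path.lower().endswith(".dll"):
            continue
        dll = path.rsplit("\\", 1)[-1].lower()
        probes.setdefault((row["Process Name"], dll), []).append((path, row["Result"]))
    return probes


def hijack_candidates(rows):
    """A DLL is a candidate when the first probe for it failed with NAME NOT
    FOUND: that directory is searched before wherever the DLL really lives,
    so a file planted there would be loaded instead. 'resolved' is None when
    no directory on the search path had it at all."""
    report = {}
    for (proc, dll), attempts in dll_probes(rows).items():
        first_path, first_result = attempts[0]
        if first_result != "NAME NOT FOUND":
            continue
        resolved = next((p for p, r in attempts if r == "SUCCESS"), None)
        report.setdefault(proc, {})[dll] = {
            "probed_first": first_path.rsplit("\\", 1)[0],
            "resolved": resolved,
        }
    return report


if __name__ == "__main__":
    for proc, dlls in hijack_candidates(parse_procmon_csv(SAMPLE_PROCMON_CSV)).items():
        for dll, info in dlls.items():
            print(f"{proc}: {dll} probed first in {info['probed_first']}, "
                  f"resolved to {info['resolved'] or 'nowhere'}")
```

The "resolved: None" case (libeay32.dll in the sample) is the worse of the two: the loader gave up, so every writable directory on the search path is a planting spot, not just the application folder. Filtering by the application's own directory and a ProcMon filter of Result is NAME NOT FOUND reproduces what the screenshots show by eye.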

This class of vulnerability isn’t hard to find and can easily be exploited via social engineering, so the infection risk is still high. I also found another use for this vulnerability: I recently reversed a botnet that uses DLL hijacking to spread and run itself, and such a trick can be very tedious when you are trying to clean up the system.

In the picture you can see the function that hijacks Dreamweaver CS4 (dwmapi.dll):

These few lines of C# copy the malware out of memory, flag it with the “hidden” and “special” file attributes, and then write the hijacked dwmapi.dll with the same flags, so the user can’t see either file without changing the folder options.
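The cleanup problem the post mentions is that Explorer, with default folder options, simply does not list the planted dwmapi.dll. The scanner below is an added example for defenders, not code from the post or from the botnet, that walks an application directory and flags DLLs which either carry a name that belongs in System32 or carry hidden/system attributes. It assumes the post’s “special” attribute means FILE_ATTRIBUTE_SYSTEM; the list of system DLL names is an illustrative subset, and the Dreamweaver-style directory it scans is constructed in a temporary folder rather than taken from a real install.

```python
import os
import stat
import tempfile

# DLL names that normally live only in the Windows system directory, so a copy
# sitting next to an application's .exe deserves a look. Illustrative subset
# (an assumption for this example); build the real list from a clean System32.
SYSTEM_DLL_NAMES = {"dwmapi.dll", "version.dll", "cryptbase.dll", "uxtheme.dll", "propsys.dll"}


def file_attributes(path):
    """Windows file attribute bits for path; 0 on platforms that lack them."""
    return getattr(os.stat(path), "st_file_attributes", 0)


def classify_dll(name, attrs, system_names=SYSTEM_DLL_NAMES):
    """Findings for one DLL found in an application directory.
    The post's "special" flag is assumed here to be FILE_ATTRIBUTE_SYSTEM."""
    findings = []
    if name.lower() in system_names:
        findings.append("shadows a system DLL name")
    hidden = bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)
    system = bool(attrs & stat.FILE_ATTRIBUTE_SYSTEM)
    if hidden and system:
        findings.append("hidden+system attributes (not shown with default folder options)")
    elif hidden:
        findings.append("hidden attribute")
    return findings


def scan_app_dir(directory, system_names=SYSTEM_DLL_NAMES):
    """Walk an application directory (os.walk lists files regardless of their
    hidden/system attributes) and map each suspicious DLL's relative path to
    its findings."""
    suspicious = {}
    for root, _dirs, files in os.walk(directory):
        for fname in files:
            if not fname.lower().endswith(".dll"):
                continue
            full = os.path.join(root, fname)
            findings = classify_dll(fname, file_attributes(full), system_names)
            if findings:
                suspicious[os.path.relpath(full, directory)] = findings
    return suspicious


def scan_constructed_example():
    """Build a throwaway directory mimicking the post's Dreamweaver case
    (constructed files, not the real product) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for fname in ("Dreamweaver.exe", "dwmapi.dll", "Configuration.dll"):
            with open(os.path.join(tmp, fname), "wb") as fh:
                fh.write(b"MZ")  # placeholder contents, not a real PE image
        return scan_app_dir(tmp)


if __name__ == "__main__":
    for path, findings in scan_constructed_example().items():
        print(path, "->", "; ".join(findings))
```

On a real Windows box the attribute check is what matters: a dwmapi.dll next to Dreamweaver.exe that is also hidden+system is exactly the artefact the C# in the screenshot leaves behind, and `scan_app_dir` sees it because it never consults Explorer’s view filters.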

To be continued…

