Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Combining DLL hijacking with USB keyboard emulation based attacks

From: Rodrigo Menezes <rodrigo () rapidlight io>
Date: Fri, 08 Jan 2016 00:50:51 -0200
Many of us have now been long aware of the possibility of programming an USB device to emulate a keyboard and 
automatically send keystrokes in order to perform malicious actions on a computer. Some of the most interesting 
payloads that can be used with this technique are based around downloading or creating an executable file and then 
running it.

However, defenses such as Windows' User Account Control (UAC) and SmartScreen might make this more complicated. While 
it's certainly possible to bypass them by sending the right sequence of keystrokes, they tend to make the payload 
longer, less stealthy and more likely to fail.

I'd like to bring to light that this attack could be combined with DLL hijacking, with some benefits for the attacker.

For instance, a payload which simply downloads a DLL to the current user's folder tends to complete faster and be more 
reliable than one which tries to transfer an executable AND immediately run it. The DLL would then most likely be found 
and executed by a vulnerable installer, such as described by this Matt Howard's thread from 2012 on this list 
&lt;http://seclists.org/fulldisclosure/2012/Aug/134&gt; and brought up again by the more recent efforts of Stefan 
Kanthak &lt;http://seclists.org/fulldisclosure/2015/Nov/101&gt;. This way, there would be no need for embeeding in the 
payload a complicated attempt of bypassing the active defense mechanisms.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Previous By Date Next
Previous By Thread Next

Current thread: