Re: DLL hijacking POC (failed, see for yourself)

[Christian Sciberras <uuf6429 () gmail com>]

It was tested on a fully patched version of Windows.
Even so, I find it a bit weird that they changed this much functionality
abruptly.
I'll have to check the recent updates about this.

Cheers,
Chris.




On Thu, Sep 2, 2010 at 6:05 AM, p8x <l () p8x net> wrote:

> Hi Christian,
>
> I noticed MS pushed out an update a couple of days ago - on the PC's that
> have had the update applied the POC does not work for me, where as an
> unpatched machine the POC works.
>
> Has that update been installed?
>
> p8x
>
>
> On 2/09/2010 7:43 AM, Christian Sciberras wrote:
>
> > I wrote my own example POC.
> >
> > The files described herein can be found at:
> > http://www.megafileupload.com/en/file/264741/DHPOC-zip.html
> >
> > The above zip files contains: binaries, sources, example (folder
> > structure)
> >
> > The source code is in Pascal, written in Lazarus to be precise.
> >
> > There are 3 executables: dhpocApp.exe, dhpocDll.good.dll, dhpocDll.bad.dll
> > The 2 dlls are renamed to dhpocDll.dll during tests (the example
> > structure):
> >
> > DHPOC\example\the-install-folder\
> > DHPOC\example\the-install-folder\dhpocApp.exe
> > DHPOC\example\the-install-folder\dhpocDll.dll
> > DHPOC\example\the-remote-folder
> > DHPOC\example\the-remote-folder\example.dhpoc
> > DHPOC\example\the-remote-folder\dhpocDll.dll
> >
> > While testing this, I noticed that the dll hijack exploit completely
> > failed my tests (on Windows 7 64bit).
> > That is, the dll inside the-remote-folder was never loaded, that is,
> > even when example.dhpoc was opened.
> > Also not that in order to fully test it out, I also chdir'd to the
> > target file directory, ie, the-remote-folder; to no avail.
> >
> > The only way I got it working was by renaming/deleting dhpocDll.dll in
> > the-install-folder to something else, in which case running
> > dhpocApp.exe failed while opening example.dhpoc caused the bad dll to
> > load.
> >
> > Finally, I tried testing the zip issue mentioned lately.
> >
> > With everything set up correctly (zipped the-remote-folder and
> > the-install-folder uncompressed), it worked as expected, ie the good
> > dll was loaded.
> > After removing the dll from the-install-folder, the program ceased to
> > work correctly, ie, it neither loaded the zipped dll nor could it load
> > the initial dll.
> >
> >
> >
> >
> > I ran these tests and wrote this code under an hour, so I can
> > guarantee there might be serious flaws around, or things which I
> > should have tested but didn't.
> > So far, I've ran these tests twice, so unless I've got a software
> > fault (which somehow made the software secure?!), this dll hijack
> > issue is either a thing of the best, pretty rare, or, pretty much
> > useless (consider the recent POC where the user was required to open a
> > contact book several before it hopefully worked...).
> >
> >
> >
> > Cheers,
> > Christian Sciberras.
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/