Thick Client Security - Basic DLL Hijacking Vulnerability
Description: Loading dll files from an untrusted source can cause an application to execute malicious commands on behalf of an attacker. It allows an unauthenticated malicious attacker to exploit the DLL loading vulnerability. user whose device is undergoing this exploit won’t even realize it until the process has been exploited to inject malware into the system. The malicious dll execution runs in the background without requiring any user input to run its arbitrary code.
Impact: It can execute the malicious code contained in the file and may compromise your computer or network.
Tools & OS used: Windows 7, Kali linux, vulnerable application, process monitor(microsoft sysinternals tool).
Step1: Capture the traffic using Microsoft sysinternals tool “process monitor” and use proper filter while capturing the traffic as shown below.
Step2: Open the vulnerable application and look for name not found dll’s belongs to application.
Step3: In the below screenshots one can observe that application is looking for 2 dll’s at desktop location and the dll’s are dwmapi.dll & CRYPTBASE.dll
Step4: Now we need to craft a malicious dll using below code, so save the below code in .c format using windows operating system and copy the .c file to kali linux.
Step5: Now compile the above .c file to .dll format using gcc compiler in kali linux. below are the commands
For 64 bit machine : x86_64-w64-mingw32-gcc hi.c -shared -o inject.dll
For 32 bit machine : i686-w64-mingw32-gcc hi.c -shared -o inject.dll
Step6: Now copy the newly generated malicious dll (inject.dll) to victim machine (windows 7). Rename the malicious dll to CRYPTBASE.dll or dwmapi.dll and save in desktop(desktop is the location where the dll’s are not found).
Step7: Close and restart the application. when application calls this malicious dll we can observe the pop up which says dll hijacked.
References:
https://github.com/r00t-3xp10it/venom/issues/1
https://www.exploit-db.com/exploits/14789
Note: This is the basic & first step to identify the dll hijacking vulnerability, in my next blog i will explain you guys how to take reverse shell using the dll hijacking vulnerability.
!! Happy Learning !!
