Re: [Full-disclosure] DLL hijacking POC (failed, see for yourself)



Christian Sciberras wrote:

> I wrote my own example POC.

and failed to use it right!

[...]

> DHPOC\example\the-install-folder\
> DHPOC\example\the-install-folder\dhpocApp.exe
> DHPOC\example\the-install-folder\dhpocDll.dll
> DHPOC\example\the-remote-folder
> DHPOC\example\the-remote-folder\example.dhpoc
> DHPOC\example\the-remote-folder\dhpocDll.dll
> 
> While testing this, I noticed that the dll hijack exploit completely
> failed my tests (on Windows 7 64bit).

No, you failed the test!
The "application directory" is ALWAYS the first one where both implicit
(referenced in the binary) as well as explicit (via LoadLibrary())
loading will search.

Next time, do your homework first!

Stefan

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
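
Added example, not part of the original message or the posted PoC: a simplified Python model of the documented Windows standard DLL search order, run against the folder layout quoted above to show which copy of dhpocDll.dll is picked. It assumes the application runs with the-remote-folder as its current directory and that no system directory holds a dhpocDll.dll; KnownDLLs, already-loaded modules and SetDllDirectory() are ignored, and the function names are hypothetical.

```python
from pathlib import PureWindowsPath

# Constructed from the layout quoted in the message (relative paths as posted).
INSTALL = r"DHPOC\example\the-install-folder"
REMOTE = r"DHPOC\example\the-remote-folder"
POC_FILES = [
    INSTALL + r"\dhpocApp.exe", INSTALL + r"\dhpocDll.dll",
    REMOTE + r"\example.dhpoc", REMOTE + r"\dhpocDll.dll",
]
# Assumed default locations of the system, 16-bit system and Windows directories.
SYSTEM_DIRS = (r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows")

def search_order(app_dir, cwd, path_dirs=(), safe_mode=True):
    """Directories in the order the loader consults them (simplified model)."""
    system = [("system/Windows directory", d) for d in SYSTEM_DIRS]
    current = [("current directory", cwd)]
    # SafeDllSearchMode only moves the current directory; the application
    # directory stays first in both modes.
    middle = system + current if safe_mode else current + system
    return [("application directory", app_dir)] + middle + \
           [("PATH", d) for d in path_dirs]

def resolve(dll, files, **dirs):
    """Return (label, path) of the first match, or None if nothing matches."""
    present = {str(PureWindowsPath(f)).lower() for f in files}
    for label, directory in search_order(**dirs):
        candidate = PureWindowsPath(directory) / dll
        if str(candidate).lower() in present:  # Windows names are case-insensitive
            return label, str(candidate)
    return None

def loads_from_cwd(dll, files, **dirs):
    """Audit check: True when the name resolves via the current directory."""
    hit = resolve(dll, files, **dirs)
    return hit is not None and hit[0] == "current directory"

if __name__ == "__main__":
    # Layout as posted: the copy next to dhpocApp.exe is found first.
    print(resolve("dhpocDll.dll", POC_FILES, app_dir=INSTALL, cwd=REMOTE))
    # Same layout without the install-folder copy: the search falls through.
    missing = [f for f in POC_FILES if f != INSTALL + r"\dhpocDll.dll"]
    print(resolve("dhpocDll.dll", missing, app_dir=INSTALL, cwd=REMOTE))
```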