[FD] Combining DLL hijacking with USB keyboard emulation based attacks

[Rodrigo Menezes <rodrigo@xxxxxxxxxxxxx>]

Many of us have now been long aware of the possibility of programming an USB 
device to emulate a keyboard and automatically send keystrokes in order to 
perform malicious actions on a computer. Some of the most interesting payloads 
that can be used with this technique are based around downloading or creating 
an executable file and then running it.

However, defenses such as Windows' User Account Control (UAC) and SmartScreen 
might make this more complicated. While it's certainly possible to bypass them 
by sending the right sequence of keystrokes, they tend to make the payload 
longer, less stealthy and more likely to fail.

I'd like to bring to light that this attack could be combined with DLL 
hijacking, with some benefits for the attacker.

For instance, a payload which simply downloads a DLL to the current user's 
folder tends to complete faster and be more reliable than one which tries to 
transfer an executable AND immediately run it. The DLL would then most likely 
be found and executed by a vulnerable installer, such as described by this Matt 
Howard's thread from 2012 on this list 
<http://seclists.org/fulldisclosure/2012/Aug/134> and brought up again by 
the more recent efforts of Stefan Kanthak 
<http://seclists.org/fulldisclosure/2015/Nov/101>. This way, there would 
be no need for embeeding in the payload a complicated attempt of bypassing the 
active defense mechanisms.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/