Hi Christian,

I noticed MS pushed out an update a couple of days ago - on the PCs that have had the update applied the POC does not work for me, whereas on an unpatched machine the POC works.

Has that update been installed?

p8x

On 2/09/2010 7:43 AM, Christian Sciberras wrote:
> I wrote my own example POC.
>
> The files described herein can be found at:
> http://www.megafileupload.com/en/file/264741/DHPOC-zip.html
>
> The above zip file contains: binaries, sources, example (folder structure)
>
> The source code is in Pascal, written in Lazarus to be precise.
>
> There are 3 executables: dhpocApp.exe, dhpocDll.good.dll, dhpocDll.bad.dll
> The 2 dlls are renamed to dhpocDll.dll during tests (the example structure):
>
> DHPOC\example\the-install-folder\
> DHPOC\example\the-install-folder\dhpocApp.exe
> DHPOC\example\the-install-folder\dhpocDll.dll
> DHPOC\example\the-remote-folder
> DHPOC\example\the-remote-folder\example.dhpoc
> DHPOC\example\the-remote-folder\dhpocDll.dll
>
> While testing this, I noticed that the dll hijack exploit completely failed my tests (on Windows 7 64bit).
> That is, the dll inside the-remote-folder was never loaded, that is, even when example.dhpoc was opened.
> Also note that in order to fully test it out, I also chdir'd to the target file directory, ie, the-remote-folder; to no avail.
>
> The only way I got it working was by renaming/deleting dhpocDll.dll in the-install-folder to something else, in which case running dhpocApp.exe failed while opening example.dhpoc caused the bad dll to load.
>
> Finally, I tried testing the zip issue mentioned lately.
>
> With everything set up correctly (zipped the-remote-folder and the-install-folder uncompressed), it worked as expected, ie the good dll was loaded.
> After removing the dll from the-install-folder, the program ceased to work correctly, ie, it neither loaded the zipped dll nor could it load the initial dll.
>
> I ran these tests and wrote this code under an hour, so I can guarantee there might be serious flaws around, or things which I should have tested but didn't.
> So far, I've run these tests twice, so unless I've got a software fault (which somehow made the software secure?!), this dll hijack issue is either a thing of the past, pretty rare, or, pretty much useless (consider the recent POC where the user was required to open a contact book several times before it hopefully worked...).
>
> Cheers,
> Christian Sciberras.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
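The behaviour Christian reports (the DLL in the-remote-folder is picked up only once the copy in the-install-folder is removed) follows directly from the Windows DLL search order. The model below is an added illustration and not part of this thread or of the DHPOC code: it replays the documented search order with SafeDllSearchMode enabled (application directory, system directories, current working directory, then PATH) over the folder layout from the post. The drive letter, the system directory paths and the helper names are constructed for the example. The third scenario models an application that has removed the current directory from its own search path, for instance by calling SetDllDirectory with an empty string, which is the developer-side hardening for this class of issue.

```python
"""Model of the Windows DLL search order used to explain the DHPOC results.

This is an illustrative reimplementation of the documented search order with
SafeDllSearchMode enabled; it is not the real loader and ignores KnownDLLs,
manifests and already-loaded modules.
"""
from pathlib import PureWindowsPath
from typing import Iterable, List, Optional, Sequence

# Folder layout from the post; the drive letter is a constructed assumption.
INSTALL_DIR = r"C:\DHPOC\example\the-install-folder"
REMOTE_DIR = r"C:\DHPOC\example\the-remote-folder"
# Constructed system directories in the order the loader consults them.
SYSTEM_DIRS = (r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows")


def _norm(path) -> str:
    """Case-insensitive, separator-normalised key for path comparison."""
    return str(PureWindowsPath(path)).lower()


def search_order(app_dir: str, cwd: str, system_dirs: Sequence[str],
                 path_dirs: Sequence[str] = (), cwd_in_search: bool = True) -> List[str]:
    """Directories in the order a SafeDllSearchMode loader tries them.

    With cwd_in_search=False the current directory is skipped, modelling an
    application that called SetDllDirectory("") or an equivalent mitigation.
    """
    order = [app_dir, *system_dirs]
    if cwd_in_search:
        order.append(cwd)
    order.extend(path_dirs)
    return order


def resolve_dll(name: str, present_files: Iterable[str], app_dir: str, cwd: str,
                system_dirs: Sequence[str] = (), path_dirs: Sequence[str] = (),
                cwd_in_search: bool = True) -> Optional[str]:
    """Return the path the loader would pick for `name`, or None if not found."""
    present = {_norm(p) for p in present_files}
    for directory in search_order(app_dir, cwd, system_dirs, path_dirs, cwd_in_search):
        candidate = PureWindowsPath(directory) / name
        if _norm(candidate) in present:
            return str(candidate)
    return None


def loaded_from_cwd(resolved: Optional[str], cwd: str) -> bool:
    """True when the chosen DLL lives in the current directory (planting succeeded)."""
    return resolved is not None and _norm(PureWindowsPath(resolved).parent) == _norm(cwd)


def dhpoc_scenario(install_copy_present: bool, cwd_in_search: bool = True) -> Optional[str]:
    """Replay the post's test: dhpocApp.exe in the install folder, the document and a
    renamed dhpocDll.dll in the remote folder, cwd set to the remote folder."""
    files = [
        rf"{INSTALL_DIR}\dhpocApp.exe",
        rf"{REMOTE_DIR}\example.dhpoc",
        rf"{REMOTE_DIR}\dhpocDll.dll",
    ]
    if install_copy_present:
        files.append(rf"{INSTALL_DIR}\dhpocDll.dll")
    return resolve_dll("dhpocDll.dll", files, app_dir=INSTALL_DIR, cwd=REMOTE_DIR,
                       system_dirs=SYSTEM_DIRS, cwd_in_search=cwd_in_search)


if __name__ == "__main__":
    # Good copy present: the application directory wins, planting has no effect.
    print("install copy present :", dhpoc_scenario(True))
    # Good copy removed: the loader falls through to the current directory.
    print("install copy removed :", dhpoc_scenario(False))
    # Good copy removed and cwd excluded: nothing loads, the app fails closed.
    print("cwd excluded         :", dhpoc_scenario(False, cwd_in_search=False))
```

The three runs line up with the post: the application's own directory is searched before the current directory, so as long as the legitimate dhpocDll.dll sits beside dhpocApp.exe the copy next to the document is never consulted; only a missing (or non-existent) dependency falls through to the current directory, which is the condition real-world hijacking cases depend on. The last run shows why removing the current directory from the search path is the right fix even though it makes a broken install fail outright rather than load the wrong library.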
