2345 view tuwang's Remote Code Execution Vulnerability (with vulnerability POC)

Source: Internet
Author: User

2345 view tuwang's Remote Code Execution Vulnerability (with vulnerability POC)

2345 view the Remote Code Execution Vulnerability of tuwang.
(Young man, I think you are surprised by the bones. This amazing photo is for you for free)

Detailed description:

The 2345picviewer.exe process will try to load QuserEx in the same directory as the image. dll file, the image file and malicious QuserEx. the dll file is placed in the same directory, which can cause remote code execution (packaged and sent to the victim with various eye-catching titles, and the victim will be recruited after being unzipped ).

Proof of vulnerability:

First download the latest version of 2345 to view tuwang. The latest version on the official website is April 9, August 27, 2015, as shown below:

Now we need to compile a QuserEx. dll file. The Code is as follows (a dialog box is displayed to prove that the DLL can be loaded ):

#include 
 
  BOOL WINAPI DllMain(    HINSTANCE hinstDLL,    DWORD fdwReason,    LPVOID lpReserved ) {    switch( fdwReason )     {     case DLL_PROCESS_ATTACH:        MessageBoxA(            NULL,             "DLL hijacking vulnerability detected.",             "2345",             MB_ICONWARNING);        break;    case DLL_THREAD_ATTACH:        break;    case DLL_THREAD_DETACH:        break;    case DLL_PROCESS_DETACH:        break;    }    return TRUE;}
 

After compilation, the name is changed to quserex.dll. then, you can find an image, for example, windows8.png. We put quserex.dlland windows8.png in any folder, for example, all in the D: \ Test folder.
After confirming that the file format is PNG, the figure above shows that the DLL is successfully loaded, as shown in the following figure:


We can use Process assumerto confirm that the dllis in the 2345picviewer.exe Process, as shown in:
 

Proof complete!

Solution:

Call SetDllDirectory ("") in the 2345picviewer.exe process to set the current DLL search directory to null.

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.