DLL hijacking attack Guide

DLL hijacking attack Guide

The DLL (Dynamic Link Library) file is a Dynamic Link Library file, also known as "application expansion", and is a software file type. In Windows, many applications are not a complete executable file. They are divided into relatively independent dynamic link libraries, that is, DLL files, which are placed in the system. When we execute a program, the corresponding DLL file will be called. An application can use multiple DLL files. a dll file may also be used by different applications. Such a DLL file is called a shared DLL file.
DLL hijacking is a vulnerability that exists in all versions of Windows. This vulnerability may be triggered when a user performs an illegal operation. Many people think that this is a function of the Windows operating system, rather than a vulnerability. This mechanism was specially designed by Microsoft.
To put it simply, you can create a custom malicious dll file and put it in a directory together with a normal file. When this normal file is opened by a vulnerable application, your custom dll file will be loaded and the code you embed will be executed. We must specify the file name dedicated to this malicious dll file for each vulnerable application. Don't worry, we can easily complete this step by using any debugging tool.
In addition, I also provide some reference articles and demonstration videos below the article. If you really want to learn more about dll files, please refer to these materials.
So, let's take a look at what unexpected gains this "function" can bring to us!
Step 1: DLL Hijacking Auditor (DLL Hijacking Auditor)
First, we need to use the DLL hijacking audit program, which is the latest version of the DLL hijacking audit suite developed by the famous hacker HD Moore. Users can click the following address to get the download page of the program: http://securityxploded.com/dllhijackauditor.php
I will scan and detect Cool Edit Pro2 (which sounds like an editing software), and show my scan process and results:
(Note: I have not found any information about this vulnerability on the network)
　　

　　

　　

　　

Step 2: Use Msfvenom to create malicious DLL files
Now that we know that the coolburn. dll Vulnerability exists, we can use msfvenom to create a dll payload for meterpreter.
　　

Now our coolburn. dll file has been created, and we put it in the Cool Edit Pro folder.
　　

Step 3: load the application and Meterpreter
After we set all handlerers, we double-click the application map (coolpro2.exe) and start it.
　　

Step 4: Is this a vulnerability or a "function"?
　　

　　

Step 5: link and Demo Video
MSDN page:
Http://msdn.microsoft.com/en-us/library/ms686203%28VS.85%29.aspx
Corelan blog-list of applications with vulnerabilities (DLL hijacking) (unofficial ):
Http://www.corelan.be: 8800/index. php/2010/08/25/dll-hijacking-kb-2269637-the-unofficial-list/
Exploit-db website-provides a list of applications with vulnerabilities (DLL hijacking)
Http://www.exploit-db.com/dll-hijacking-vulnerable-applications/
Using DLL hijacking to improve permissions:

UTorrent DLL hijacking: