mailing list archives
DLL hijacking POC (failed, see for yourself)
From: Christian Sciberras <uuf6429 () gmail com>
Date: Thu, 2 Sep 2010 01:43:41 +0200
I wrote my own example POC.
The files described herein can be found at:
The above zip files contains: binaries, sources, example (folder structure)
The source code is in Pascal, written in Lazarus to be precise.
There are 3 executables: dhpocApp.exe, dhpocDll.good.dll, dhpocDll.bad.dll
The 2 dlls are renamed to dhpocDll.dll during tests (the example structure):
While testing this, I noticed that the dll hijack exploit completely
failed my tests (on Windows 7 64bit).
That is, the dll inside the-remote-folder was never loaded, that is,
even when example.dhpoc was opened.
Also not that in order to fully test it out, I also chdir'd to the
target file directory, ie, the-remote-folder; to no avail.
The only way I got it working was by renaming/deleting dhpocDll.dll in
the-install-folder to something else, in which case running
dhpocApp.exe failed while opening example.dhpoc caused the bad dll to
Finally, I tried testing the zip issue mentioned lately.
With everything set up correctly (zipped the-remote-folder and
the-install-folder uncompressed), it worked as expected, ie the good
dll was loaded.
After removing the dll from the-install-folder, the program ceased to
work correctly, ie, it neither loaded the zipped dll nor could it load
the initial dll.
I ran these tests and wrote this code under an hour, so I can
guarantee there might be serious flaws around, or things which I
should have tested but didn't.
So far, I've ran these tests twice, so unless I've got a software
fault (which somehow made the software secure?!), this dll hijack
issue is either a thing of the best, pretty rare, or, pretty much
useless (consider the recent POC where the user was required to open a
contact book several before it hopefully worked...).
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
- DLL hijacking POC (failed, see for yourself) Christian Sciberras (Sep 01)