
What is DLL Hijacking?

April 28, 2011 by Keatron Evans

PORTIONS OF THE BELOW EXPLANATION HAVE BEEN SOURCED FROM DLL HIJACKING DEFINITION AT MARAVIS.com AND HAVE BEEN GRANTED PERMISSION TO USE HERE AS A MEANS TO PREFACE THE ABOVE VIDEO

“Thanks for letting me know. I will be fine with a link to my post. You
don’t have to take it down..I have others copying entire posts and
putting them on their sites without even changing the title or links..”

Siva Ram CISA, PCI-QSA, PA-QSA
Web: http://www.maravis.com

In this video, we are going to demonstrate how DLL Hijacking works.

DLL Hijacking is an attack that exploits the way some Windows applications search and load Dynamic Link Libraries.

Most Windows applications do not use a fully qualified path to load the DLLs they require. An attacker can place a fake DLL with the name a known program expects in a location that is searched before the real DLL's location, which almost guarantees that the malicious DLL is loaded and that whatever code the attacker put in it runs.

When a program does not specify the exact location of a required DLL, Windows searches for the DLL by name in a fixed order. For instance, suppose the application infosec.exe requires a DLL named learn.dll that normally lives in the Windows system directory. If the application does not give the full path to learn.dll, the first place Windows looks for it is the directory from which the application itself was loaded.

If a malicious hacker has placed his own version of learn.dll in the same directory as infosec.exe, then that DLL will be loaded instead of the real DLL. Windows just tries to find the first file that has the same name and does not verify if the file is actually the one that is required.

Exploiting the vulnerability requires the attacker to convince someone to open a file with a vulnerable program (Microsoft Word, PowerPoint or many others) from a remote network location, usually an SMB share. If the vulnerable application then tries to load an external DLL from that same location, the attack will most likely succeed.

The list of vulnerable programs seems to be growing daily. Even some anti-virus and security products are vulnerable. Imagine that! In this video, we'll be using the Windows Address Book program as our exploitable application. We'll create a WAB file and share it out, then browse to the share from a patched Windows 7 machine. Just from that SMB browsing activity (or, in the real world, maybe someone clicking on a link), we'll own that box instantly.
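To make the search order concrete from the defender's side, here is an added example (not code from the video or its author) that models the loader's lookup over a constructed directory layout: the application lives in System32, and the document was opened from a share, so the share becomes the current directory. All paths and DLL names are constructed; the model assumes SafeDllSearchMode is on and omits the 16-bit System directory.

```python
"""Model the Windows DLL search order (SafeDllSearchMode on) and audit which
of an application's DLL loads could be served from an untrusted directory.
Added example for this page, not the author's code; every path and DLL name
below is constructed."""
from typing import Dict, List, Optional, Set, Tuple

def search_order(app_dir: str, system32: str, windows_dir: str,
                 cwd: str, path_dirs: List[str]) -> List[str]:
    """Lookup order for a bare DLL name (16-bit System directory omitted)."""
    return [app_dir, system32, windows_dir, cwd, *path_dirs]

def resolve_dll(name: str, order: List[str],
                listing: Dict[str, Set[str]]) -> Optional[str]:
    """Directory Windows would load `name` from, or None if it is absent.
    Like the loader, only the file name is compared, case-insensitively."""
    wanted = name.lower()
    for directory in order:
        if any(f.lower() == wanted for f in listing.get(directory, ())):
            return directory
    return None

def audit_loads(dll_names: List[str], order: List[str],
                listing: Dict[str, Set[str]],
                trusted: Set[str]) -> List[Tuple[str, Optional[str], str]]:
    """'ok' = served from a trusted directory; 'hijackable' = served from an
    untrusted one (share, CWD, PATH); 'missing' = found nowhere, so any
    writable directory on the search path could supply it."""
    report = []
    for dll in dll_names:
        found = resolve_dll(dll, order, listing)
        verdict = ("missing" if found is None
                   else "ok" if found in trusted else "hijackable")
        report.append((dll, found, verdict))
    return report

# Constructed scenario: notes.wab opened from a share that also carries two
# attacker-supplied DLLs; the application itself is loaded from System32.
SHARE, SYSTEM32, WINDIR = r"\\fileserver\share", r"C:\Windows\System32", r"C:\Windows"
SAMPLE_LISTING = {
    SHARE: {"notes.wab", "learn.dll", "helper.dll"},
    SYSTEM32: {"learn.dll", "kernel32.dll"},
    WINDIR: {"win.ini"},
}
SAMPLE_ORDER = search_order(SYSTEM32, SYSTEM32, WINDIR, SHARE, [r"C:\Tools"])
TRUSTED = {SYSTEM32, WINDIR}

if __name__ == "__main__":
    for dll, where, verdict in audit_loads(["learn.dll", "helper.dll", "absent.dll"],
                                           SAMPLE_ORDER, SAMPLE_LISTING, TRUSTED):
        print(f"{dll:12} {verdict:11} {where}")
```

Note that the copy of learn.dll on the share is never loaded here because System32 is searched before the current directory; the DLL that does get served from the share is the one the application asks for but System32 does not contain.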

Enjoy.

Keatron Evans

Keatron Evans is a cybersecurity and workforce development expert with over 17 years of experience in penetration testing, incident response and information security management for federal agencies and Fortune 500 organizations. He is Principal Cybersecurity Advisor at Infosec, where he empowers the human side of cybersecurity with cyber knowledge and skills to outsmart cybercrime. Keatron is an established researcher, instructor and speaker — and lead author of the best-selling book, Chained Exploits: Advanced Hacking Attacks from Start to Finish. He regularly speaks at major industry events like RSA and serves as a cybersecurity subject matter expert for major media outlets like CNN, Fox News, Information Security Magazine and more. Keatron holds a Bachelor of Science in Business Information Systems and dozens of cybersecurity certifications, including Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH), Certified Cloud Security Professional (CCSP) and Licensed Penetration Tester (LPT). When not teaching, speaking or managing his incident response business, KM Cyber Security LLC, Keatron enjoys practicing various martial arts styles, playing piano and bass guitar, and spending time with his family.