Nytro

DLLHijackAuditKit v2


The latest buzzword in the information security industry is “insecure DLL loading”, “DLL hijacking” or “DLL preloading”. Mr. HD Moore, the author of Metasploit, has gone ahead and made it VERY easy for a lot of us to test such attacks at leisure. Hence you see such a spurt in proof-of-concept code online! Mr. Peter Van Eeckhoutte has been maintaining a list of such vulnerable applications on his wonderful blog hosted here.

This toolkit uses native JScript, automatically kills spawned processes, reduces the memory usage of ProcMon, and automatically validates every result from the CSV log. This is a complete rewrite of version 1 of the tool. This kit will turn your desktop PC into a vulnerability mincing machine by launching the file handlers for every registered file type, while recording whether or not a DLL was accessed within the working directory of the associated file! The DLLHijackAuditKit will help you verify whether an application is vulnerable to DLL preloading attacks.

How to use DLLHijackAuditKit v2?

1. Download ProcMon from here and copy the procmon.exe binary into the DLLHijackAuditKit directory. Launch the Process Monitor, accept the EULA, and exit.

2. Download Ruby from here and install it normally.

3. Browse to this directory and launch 01_StartAudit.bat as an Administrator. The Administrator bit is important, as it will allow the script to kill background services that are spawned by the handlers and prevent UAC popups.

4. After the audit script completes (15-30 minutes), switch to the Process Monitor window, and access File->Save from the menu. Save the resulting log in CSV format to the local directory with the name “Logfile.CSV”.

5. Launch 02_Analyze.bat as an Administrator. This will scan through the CSV log, build test cases for each potential vulnerability, try them, and automatically create a proof-of-concept within the Exploits directory should they succeed.

6. Identify the affected vendor for each generated proof-of-concept and ask them nicely to fix their application. Send them the calc.exe-launching PoC if necessary.

It is very easy to use, and looking at today’s emerging tools, this one is small and also does the work! There are some known issues with this tool working on a Windows XP machine, etc. Hopefully Mr. Moore fixes them soon. Till then you can try being a vulnerability discoverer with this simple tool! Grab your pie while this vuln is hot!

Download:

http://www.metasploit.com/redmine/projects/framework/repository/raw/external/source/DLLHijackAuditKit.zip

Source: h4cky0u.org
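The analysis step above (02_Analyze.bat) boils down to reading the Process Monitor CSV export and picking out handlers that looked for a DLL inside the document's working directory and did not find it there, which is the condition a DLL preloading flaw depends on. The following Ruby script is an added illustration of that check and is not code from the kit or from its author; it parses a constructed log sample laid out in Process Monitor's default CSV columns (Time of Day, Process Name, PID, Operation, Path, Result, Detail), and the process names, paths and working directory in it are made up for the example.

```ruby
require 'csv'

# Constructed sample in the shape of a Process Monitor CSV export.
# It is not a real capture; process names and paths are invented.
# viewer.exe probes its document's directory for codec.dll before
# falling back to System32 (the classic search-order pattern), while
# editor.exe only loads a DLL from its own install directory.
SAMPLE_LOG = <<~CSV
  "Time of Day","Process Name","PID","Operation","Path","Result","Detail"
  "10:01:02.1","viewer.exe","4120","CreateFile","C:\\Users\\audit\\Desktop\\samples\\file.ext","SUCCESS","Desired Access: Generic Read"
  "10:01:02.2","viewer.exe","4120","CreateFile","C:\\Users\\audit\\Desktop\\samples\\codec.dll","NAME NOT FOUND","Desired Access: Read Attributes"
  "10:01:02.3","viewer.exe","4120","CreateFile","C:\\Windows\\System32\\codec.dll","SUCCESS","Desired Access: Read Attributes"
  "10:01:02.4","viewer.exe","4120","Load Image","C:\\Windows\\System32\\kernel32.dll","SUCCESS","Image Base: 0x7ff600000000"
  "10:01:05.0","editor.exe","5200","CreateFile","C:\\Users\\audit\\Desktop\\samples\\notes.ext","SUCCESS","Desired Access: Generic Read"
  "10:01:05.1","editor.exe","5200","CreateFile","C:\\Program Files\\Editor\\helper.dll","SUCCESS","Desired Access: Read Attributes"
CSV

# Operations that show a process trying to locate or map a DLL, and the
# results that mean the file was looked for but does not exist there.
DLL_LOOKUP_OPS = ['CreateFile', 'QueryOpen', 'Load Image'].freeze
MISSING_RESULTS = ['NAME NOT FOUND', 'PATH NOT FOUND'].freeze

# Returns one record per (process, DLL name) pair for every DLL that a
# handler searched for inside working_dir without finding it. Each such
# record is a candidate the auditor should confirm by hand, exactly as
# the kit's analyze step does with its generated test cases.
def dll_candidates(csv_text, working_dir)
  # Normalise the directory to a lower-case prefix ending in one backslash,
  # so both "C:\dir" and "C:\dir\" are accepted as input.
  prefix = working_dir.downcase.sub(/\\+\z/, '') + '\\'
  candidates = {}

  CSV.parse(csv_text, headers: true).each do |row|
    path = row['Path'].to_s
    lower = path.downcase
    next unless DLL_LOOKUP_OPS.include?(row['Operation'])
    next unless lower.end_with?('.dll')
    next unless lower.start_with?(prefix)          # inside the audited directory
    next unless MISSING_RESULTS.include?(row['Result'].to_s)

    dll = File.basename(path.tr('\\', '/')).downcase
    key = [row['Process Name'], dll]
    candidates[key] ||= {
      process: row['Process Name'],
      pid: row['PID'],
      dll: dll,
      path: path
    }
  end

  candidates.values
end

# Human-readable summary lines for a report or ticket to the vendor.
def report(candidates)
  candidates.map do |c|
    "#{c[:process]} (PID #{c[:pid]}) searched the working directory for " \
      "#{c[:dll]} and did not find it: #{c[:path]}"
  end
end

if __FILE__ == $PROGRAM_NAME
  puts report(dll_candidates(SAMPLE_LOG, 'C:\Users\audit\Desktop\samples'))
end
```

Point the script at a real Logfile.CSV and the directory the audit launched its sample files from, and the output is the list of handler processes worth building a test case for; DLLs resolved from System32 or the application's own install directory never show up, because the search reached a location the user cannot write to.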
