
WebDAV Application DLL Hijacking Exploitation and Prevention Part 1

Created: 14 Jan 2012 • Updated: 16 Feb 2012 | 1 comment
Sanehdeep Singh

In Part 1, I explain the procedure for exploiting the WebDAV Application DLL Hijacking vulnerability in Windows. In Part 2, I will show how to prevent exploitation of the WebDAV Application DLL Hijacking vulnerability in Windows with Symantec Critical System Protection (SCSP).

WebDAV Application DLL Hijacking

As a result of incorrect dynamic link library (DLL) loading on Windows, an attacker can cause her malicious DLL to be loaded and executed from local drives, remote Windows shares, and even shares located on the Internet.

 
All a remote attacker has to do is plant a malicious DLL with a specific name on a network share and get the user to open a file from this network location. Since Windows systems by default have the Web Client service running, which makes remote network shares accessible via WebDAV, the malicious DLL can also be deployed from an Internet-based network share as long as the intermediate firewalls allow outbound HTTP traffic to the Internet.
 
A systematic attack could deploy malicious code to a large number of Windows workstations in a short period of time, possibly as an Internet worm.
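
From the defender's side, the behaviour described above (a DLL loaded from a remote or WebDAV share) is visible in module-load telemetry. The following is an added example, not part of the original article: it classifies loaded-module paths over constructed sample records. The record layout (modelled on Sysmon image-load fields), the host and file names, and the `@SSL`/`@port`/`DavWWWRoot` path forms are assumptions for illustration.

```python
import re

# Constructed sample records shaped like image-load telemetry (field names
# modelled on Sysmon Event ID 7); hosts, shares and file names are made up.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Viewer\viewer.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll"},
    {"Image": r"C:\Program Files\Viewer\viewer.exe",
     "ImageLoaded": r"\\203.0.113.10@80\docs\plugin.dll"},
    {"Image": r"C:\Program Files\Viewer\viewer.exe",
     "ImageLoaded": r"\\files.example.test@SSL\DavWWWRoot\docs\helper.dll"},
    {"Image": r"C:\Program Files\Editor\editor.exe",
     "ImageLoaded": r"\\?\UNC\fileserver\projects\codec.dll"},
    {"Image": r"C:\Program Files\Editor\editor.exe",
     "ImageLoaded": r"\\fileserver\projects\notes.txt"},
]

# \\host[@SSL][@port]\share\... with an optional \\?\UNC\ long-path prefix.
UNC_RE = re.compile(
    r"^(?:\\\\\?\\UNC\\|\\\\)(?P<host>[^\\@]+)(?P<dav>(?:@[^\\]+)?)"
    r"\\(?P<share>[^\\]+)\\", re.IGNORECASE)

def classify_load(path):
    """Return 'local', 'smb' or 'webdav' for a loaded-module path."""
    m = UNC_RE.match(path)
    # \\?\C:\... and \\.\... are local device paths, not network shares.
    if not m or m.group("host") in ("?", "."):
        return "local"
    # Assumption: the WebDAV redirector shows up as host@SSL / host@port
    # or through the DavWWWRoot keyword; anything else is treated as SMB.
    if m.group("dav") or m.group("share").lower() == "davwwwroot":
        return "webdav"
    return "smb"

def remote_dll_loads(events):
    """Return (process, dll, origin) for each DLL mapped from a network path."""
    hits = []
    for ev in events:
        dll = ev["ImageLoaded"]
        if not dll.lower().endswith(".dll"):
            continue  # only module loads matter here, not documents
        origin = classify_load(dll)
        if origin != "local":
            hits.append((ev["Image"], dll, origin))
    return hits

if __name__ == "__main__":
    for proc, dll, origin in remote_dll_loads(SAMPLE_EVENTS):
        print(f"[{origin}] {proc} loaded {dll}")
```

A share mapped to a drive letter looks local to this check, so the mapping has to be resolved before classification.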
 
Exploitation of WebDAV Application DLL Hijacking
 
Let's start with exploitation of the WebDAV Application DLL Hijacking vulnerability in Windows.

1) I am using an unpatched Windows XP Professional SP2 machine; its IP address is 192.168.42.71 (Victim Machine).

2) I am using Metasploit Framework Community Edition for exploitation (Attacker Machine).

3) I am using the WebDAV Application DLL Hijacker exploit present in Metasploit, i.e. exploit/windows/browser/webdav_dll_hijacker.

4) Now I have to enter SRVHOST (Attacker Machine IP address), EXTENSIONS and SHARENAME.

5) I am using the windows/meterpreter/reverse_tcp payload.

6) Now I have to enter LHOST, i.e. Local Host (Attacker Machine IP address).

7) Now type exploit and press Enter. The attack is now successfully launched.
 
Now there are two methods to hack the victim machine. The first is when the victim puts the Attacker Machine's IP address in his browser, and the second is when the victim tries to access a shared folder on the Attacker Machine. Here I will show the second method.

8) The victim accesses the shared folder on the Attacker Machine.

9) When the victim opens any file, the exploit and payload are successfully executed in the background.

10) The attacker successfully gets a meterpreter session on the Victim Machine.

11) The attacker is successfully connected to the Victim Machine.
 
In the next part, I will show how to prevent exploitation of the WebDAV Application DLL Hijacking vulnerability in Windows with Symantec Critical System Protection (SCSP).

Comments

alex_ng

So, where is the next part where SCSP comes into the picture?
