Yes, I've found it too.
On Thu, Sep 2, 2010 at 12:05 PM, p8x <l...@p8x.net> wrote:
> Hi Christian,
>
> I noticed MS pushed out an update a couple of days ago - on the PCs
> that have had the update applied the POC does not work for me, whereas
> on an unpatched machine the POC works.
>
> Has that update been installed?
>
> p8x
>
> On 2/09/2010 7:43 AM, Christian Sciberras wrote:
>> I wrote my own example POC.
>>
>> The files described herein can be found at:
>> http://www.megafileupload.com/en/file/264741/DHPOC-zip.html
>>
>> The above zip file contains: binaries, sources, example (folder structure)
>>
>> The source code is in Pascal, written in Lazarus to be precise.
>>
>> There are 3 executables: dhpocApp.exe, dhpocDll.good.dll, dhpocDll.bad.dll
>> The 2 dlls are renamed to dhpocDll.dll during tests (the example structure):
>>
>> DHPOC\example\the-install-folder\
>> DHPOC\example\the-install-folder\dhpocApp.exe
>> DHPOC\example\the-install-folder\dhpocDll.dll
>> DHPOC\example\the-remote-folder
>> DHPOC\example\the-remote-folder\example.dhpoc
>> DHPOC\example\the-remote-folder\dhpocDll.dll
>>
>> While testing this, I noticed that the dll hijack exploit completely
>> failed my tests (on Windows 7 64bit).
>> That is, the dll inside the-remote-folder was never loaded, that is,
>> even when example.dhpoc was opened.
>> Also note that in order to fully test it out, I also chdir'd to the
>> target file directory, i.e., the-remote-folder; to no avail.
>>
>> The only way I got it working was by renaming/deleting dhpocDll.dll in
>> the-install-folder to something else, in which case running
>> dhpocApp.exe failed while opening example.dhpoc caused the bad dll to
>> load.
>>
>> Finally, I tried testing the zip issue mentioned lately.
>>
>> With everything set up correctly (zipped the-remote-folder and
>> the-install-folder uncompressed), it worked as expected, i.e. the good
>> dll was loaded.
>> After removing the dll from the-install-folder, the program ceased to
>> work correctly, i.e., it neither loaded the zipped dll nor could it load
>> the initial dll.
>>
>> I ran these tests and wrote this code in under an hour, so I can
>> guarantee there might be serious flaws around, or things which I
>> should have tested but didn't.
>> So far, I've run these tests twice, so unless I've got a software
>> fault (which somehow made the software secure?!), this dll hijack
>> issue is either a thing of the past, pretty rare, or pretty much
>> useless (consider the recent POC where the user was required to open a
>> contact book several times before it hopefully worked...).
>>
>> Cheers,
>> Christian Sciberras.
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
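The behaviour Christian reports follows from the Windows DLL search order: the directory of the executable is probed first, so the copy in the-install-folder always wins, and the copy next to example.dhpoc (the current directory, which sits after the system directories under the default SafeDllSearchMode) is only reached once the install-folder copy is gone. The Python model below is added here and is not part of the thread or of the DHPOC code; it replays both of his test runs against a constructed directory tree and flags loads that resolve from the CWD, and its `cwd_allowed` knob is an assumed stand-in for hardening that drops the CWD from the search path, not a model of the specific update p8x mentions.

```python
from copy import deepcopy
from pathlib import PureWindowsPath

# Constructed in-memory tree mirroring the thread's example layout
# (names lower-cased, since the real loader is case-insensitive).
INSTALL = r"C:\DHPOC\example\the-install-folder"
REMOTE = r"C:\DHPOC\example\the-remote-folder"
SYSTEM_DIRS = [r"C:\Windows\System32", r"C:\Windows"]
FS = {
    INSTALL: {"dhpocapp.exe", "dhpocdll.dll"},
    REMOTE: {"example.dhpoc", "dhpocdll.dll"},
    SYSTEM_DIRS[0]: {"kernel32.dll", "user32.dll"},
    SYSTEM_DIRS[1]: set(),
}


def search_order(app_dir, cwd, path_dirs=(), safe_search=True, cwd_allowed=True):
    """Directories probed, in order, for a DLL requested by bare name.
    Simplified: no KnownDLLs, manifests or LoadLibraryEx flags.
    safe_search=True is the default SafeDllSearchMode (CWD after the system
    dirs); False moves the CWD up to second place. cwd_allowed=False is the
    assumed hardening that removes the CWD entry altogether."""
    cwd_entry = [cwd] if cwd_allowed else []
    order = [app_dir] + ([] if safe_search else cwd_entry) + SYSTEM_DIRS
    order += (cwd_entry if safe_search else []) + list(path_dirs)
    return order


def resolve(fs, dll_name, app_dir, cwd, **opts):
    """Full path the loader would pick for dll_name, or None if not found."""
    for d in search_order(app_dir, cwd, **opts):
        if dll_name.lower() in fs.get(d, set()):
            return str(PureWindowsPath(d) / dll_name)
    return None


def audit(fs, dll_name, app_dir, cwd, **opts):
    """Defender check: 'ok' if the DLL comes from the app or system dirs,
    'untrusted-dir' if it would be picked up from the CWD or PATH (a
    location the installer does not control), 'missing' if no copy exists."""
    hit = resolve(fs, dll_name, app_dir, cwd, **opts)
    if hit is None:
        return "missing"
    trusted = {app_dir, *SYSTEM_DIRS}
    return "ok" if str(PureWindowsPath(hit).parent) in trusted else "untrusted-dir"


def without_install_copy(fs):
    """Tree for Christian's second run: dhpocDll.dll gone from the-install-folder."""
    fs2 = deepcopy(fs)
    fs2[INSTALL].discard("dhpocdll.dll")
    return fs2
```

With both copies present the install-folder DLL is chosen even with the CWD set to the-remote-folder; only once that copy is removed does the lookup fall through to the CWD, which is the case the audit flags.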