==========================================================================
==========================================================================
Wireshark 1.4.1 (dumpcap.exe) dll hijacking reloaded
Author: shinnai
mail: shinnai[at]autistici[dot]org
site: http://www.shinnai.altervista.org/
This was written for educational purposes. Use it at your own risk.
The author will not be responsible for any damage.
Tested on:
Windows 7 professional full patched
==========================================================================
==========================================================================
DESCRIPTION:
I think this is just a logic flaw: in fact, this program is still
vulnerable to DLL hijacking simply by creating, in the same folder as
one of the files listed below, these folders:
"%commonprogramfiles%\microsoft shared\windows live"
and then putting our DLL into the "windows live" folder.
E.g.
C:\>dir /S test
Volume in drive C has no label.
Volume Serial Number is XXXX-YYYY
Directory of C:\test
14/10/2010 11:29 <DIR> .
14/10/2010 11:29 <DIR> ..
14/10/2010 11:29 <DIR> %commonprogramfiles%
07/10/2010 13:22 8 test.xspf
1 File(s) 8 bytes
Directory of C:\test\%commonprogramfiles%
14/10/2010 11:29 <DIR> .
14/10/2010 11:29 <DIR> ..
14/10/2010 11:29 <DIR> microsoft shared
0 File(s) 0 bytes
Directory of C:\test\%commonprogramfiles%\microsoft shared
14/10/2010 11:29 <DIR> .
14/10/2010 11:29 <DIR> ..
14/10/2010 11:29 <DIR> windows live
0 File(s) 0 bytes
Directory of C:\test\%commonprogramfiles%\microsoft shared\windows live
14/10/2010 11:29 <DIR> .
14/10/2010 11:29 <DIR> ..
14/10/2010 09:36 14,336 airpcap.dll
1 File(s) 14,336 bytes
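The flaw described above is that a literal, unexpanded "%commonprogramfiles%\..." string ends up being searched relative to the opened capture file's folder. As an added defender's check (not part of the advisory), the script below walks a directory tree and reports any DLL that sits under a folder whose name is a literal "%VAR%" token beside capture files of the types listed in the INFO section; the directory layout it builds is constructed to mirror the listing above with empty placeholder files.

```python
import os
import re
import tempfile

# Capture-file extensions the advisory lists as registered to dumpcap.exe 1.4.1.
CAPTURE_EXTS = {"5vw", "acp", "apc", "atc", "bfr", "enc", "erf", "fdc", "pcapng",
                "pcap", "pkt", "snoop", "syc", "trace", "trc", "wpc", "wpz"}
# DLL names the advisory reports as loaded from the planted path.
KNOWN_DLLS = {"airpcap.dll", "tcapi.dll"}
# A directory whose literal name looks like an unexpanded %VARIABLE% reference.
UNEXPANDED_VAR = re.compile(r"^%[A-Za-z_][A-Za-z0-9_()]*%$")


def find_planted_dlls(root):
    """Walk `root` and report DLLs located under a directory whose name is a
    literal, unexpanded %VAR% string sitting beside capture files.

    Returns a list of dicts: {"dll": path, "known_name": bool, "captures": [...]}.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        captures = sorted(f for f in filenames
                          if f.rsplit(".", 1)[-1].lower() in CAPTURE_EXTS)
        for d in dirnames:
            if not UNEXPANDED_VAR.match(d):
                continue
            # Anything under the bogus folder is suspect; list the DLLs inside it.
            for sub, _, files in os.walk(os.path.join(dirpath, d)):
                for f in files:
                    if f.lower().endswith(".dll"):
                        findings.append({"dll": os.path.join(sub, f),
                                         "known_name": f.lower() in KNOWN_DLLS,
                                         "captures": captures})
    return findings


def build_constructed_tree():
    """Recreate the layout from the advisory's listing with constructed, empty
    placeholder files (no real DLL or capture data); returns the temp root."""
    root = tempfile.mkdtemp(prefix="dllhijack_hunt_")
    planted = os.path.join(root, "%commonprogramfiles%", "microsoft shared", "windows live")
    os.makedirs(planted)
    open(os.path.join(root, "capture.pcap"), "wb").close()    # constructed bait capture
    open(os.path.join(planted, "airpcap.dll"), "wb").close()  # constructed placeholder
    return root


if __name__ == "__main__":
    for hit in find_planted_dlls(build_constructed_tree()):
        flag = "KNOWN HIJACK NAME" if hit["known_name"] else "unexpected dll"
        print(f"{flag}: {hit['dll']} (beside {', '.join(hit['captures'])})")
```

Point `find_planted_dlls` at a download or share folder to hunt for this pattern; a clean tree returns an empty list.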
==========================================================================
==========================================================================
INFO:
Prg.: dumpcap.exe
Ver.: 1.4.1.34476
Ext.: 5vw
acp
apc
atc
bfr
enc
erf
fdc
pcapng
pcap
pkt
snoop
syc
trace
trc
wpc
wpz
dll: airpcap.dll
tcapi.dll
==========================================================================
==========================================================================