Wednesday, August 25, 2010

Better, Faster, Stronger: DLLHijackAuditKit v2

Via Metasploit Blog -

Due to an overwhelming amount of interest in the initial DLLHijackAuditKit released on Monday, I rewrote the tool to use native JScript, automatically kill spawned processes, reduce the memory usage by ProcMon, and automatically validate every result from the CSV log. The result is DLLHijackAuditKit v2. This kit greatly speeds up the identification process for vulnerable applications.

----------------------------------------

HD Moore and the guys over at Metasploit / Rapid7 have really put some work into this tool. The new version practically kills all the spawned processes and protects the running processes. After the initial audit, it attempts to verify each possible vulnerability and generates a POC exploit for each filetype found to be exploitable.

I took v2 of the tool for a spin on my Windows XP image this morning and it worked very well and with almost no need for my interaction. In the end, it only detected the Windows Address Book application as vulnerable, which means it failed to detect several applications that are known to be vulnerable - Office, Firefox, MS Internet Signup, and perhaps Winzip and Winamp.

HD Moore informed me this morning he is updating the current version of the audit tool which will include some bugfixes.

In addition, several groups have started attempts to track the list of vulnerable applications....

VUPEN - Security Advisories
http://vupen.com/english/searchengine.php?keyword=insecure+library+loading

Secunia - Security Advisories
http://secunia.com/advisories/search/?search=%22Insecure+Library+Loading+Vulnerability%22

Offensive Security - Exploit Database
http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=DLL+Hijack&filter_author=&filter_platform=0&filter_type=0&filter_port=&filter_osvdb=&filter_cve=

DLL Hijacking - the Unofficial List
http://www.corelan.be:8800/index.php/2010/08/25/dll-hijacking-kb-2269637-the-unofficial-list/

No comments:

Post a Comment