Postpone your Marriage plans and Deal with the Hack first
If you think I am lazy with my posts, hell yeah, you are absolutely correct. Sometimes I feel the 24 hours in a day are just not enough. I have a ton of things to care about in life, such as my family, my work, and my friends who are like my family. I delivered my last session on the 10th (if I remember correctly) at my very own alma mater, Lovely Professional University, and it was a great experience as always. Given the audience (students), I tried to pick a topic that was a little technical yet important: "DLL Search Order Hijacking". I chose this topic over others because it may sound interesting yet simple to the upcoming ninjas of my university.
I have to admit, I keep searching for my books on the internet every day, filtering by country and time to check whether they are being leaked anywhere, and what I found one day was that, being an author, I have been indexed by Google with a knowledge graph. However, I felt disappointed seeing my age alongside my name :( For the first time in my life, I felt as if Google was pretending to be my mother, who keeps giving me a reality check on my age and marriage suggestions. Things became worse when some popular matrimonial website started following me on Twitter. Well, finally I made up my mind and asked my mother to sign up for some popular matrimony sites. Suddenly, we started receiving a ton of calls, and what all people required was a KUNDLI (this is a popular Indian document which is more powerful than all your certifications, degrees, diplomas and letters of recommendation, ALL TOGETHER). I mean, this document, as soon as it gets printed, controls your fortune, destiny, karma, sins and what not. If you are confused and have no idea what the hell I am talking about, this document is related to astrology and is used for matchmaking.
So, we found someone locally who could get this document printed based on my DOB, place of birth, name, etc. Accidentally, the guy who printed it was running the software right in front of my evil eyes, which kept staring at his cracked and no longer supported operating system, none other than the legendary Windows XP. I kept looking and thinking about ms08_067_netapi (which made me happy, obviously). However, then up popped the software that actually generated the book of my life (Kundli), and that software was Kundli Pro (also known as Kundli for Windows).
I came back home, downloaded this software from the internet and started looking for a potential vulnerability. I found some low-hanging BOFs, but I wanted to avoid any possibility of suspicion. I fired up procmon (Process Monitor) and ran filters on the KUNDLI software, as shown in the following screen:
Hmm... Interesting. If you have no idea what DLL search order hijacking is, better get your googling skills into play. Anyway, the software tries to load VB5.DLL while running. However, the vulnerability is that it starts from the current folder. This means it first looks in its own directory, which is located in Program Files, and when it doesn't find the DLL there, it goes to the system32 folder and loads it from there. This also means that if the software somehow ships with VB5.dll in its package, it will never load the other one from system32. Next, what we can do is simply create a meterpreter backdoor in .dll format, rename it to VB5.dll, place it in the software folder and re-run the software, as shown in the following screen:
Re-running the software will provide us with a meterpreter shell. However, the software will crash, which may cause suspicion, as shown in the following screen:
At this point, what we can do is simply download the original DLL file from some popular DLL sharing site and backdoor it through a code cave, as shown in the following screen:
Let's re-run the software and check if something changed:
We can see that the software loaded the DLL with ease from the current directory itself. Let's check our meterpreter handler:
Bang! We got access to the target with no suspicion at all. Having reached this point, I could do a ton of things, such as:
- Re-packing the software with the infected DLL file and distributing it over the internet
- Packing the software with a crypto miner and making tons of cash
- Causing harm to the infected people by breaching their privacy
- Locking their systems with ransomware
- Asking my matches at JeevanSathi and Shaadi.com to install the software :P This could have been fun!!!
However, I choose to disclose this vulnerability right here on my blog, and this is the exact reason why you shouldn't use cracked software. This tutorial was for educational purposes only. Please do not harm anyone.
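The load pattern this post describes (a miss for VB5.DLL in the application folder followed by a load from System32, and later a load of the same DLL name from the application folder) can be checked for in a Process Monitor CSV export. The Python below is an added example, not code from the original post; the executable name, install path, PIDs, timestamps and `appcore.dll` are constructed sample values.

```python
import csv
import io
import ntpath

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Constructed sample in Procmon's default CSV export layout. Only VB5.DLL comes
# from the post; kundli.exe, the paths, PIDs and appcore.dll are hypothetical.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.10","kundli.exe","1337","CreateFile","C:\Program Files\Kundli\VB5.DLL","NAME NOT FOUND",""
"10:01:02.11","kundli.exe","1337","Load Image","C:\Windows\System32\VB5.DLL","SUCCESS",""
"10:01:02.12","kundli.exe","1337","Load Image","C:\Program Files\Kundli\appcore.dll","SUCCESS",""
"10:09:40.50","kundli.exe","2448","Load Image","C:\Program Files\Kundli\VB5.DLL","SUCCESS",""
"10:09:40.51","kundli.exe","2448","Load Image","C:\Windows\System32\kernel32.dll","SUCCESS",""
'''

def is_system(path):
    """True when the file sits directly in a Windows system directory."""
    return ntpath.dirname(path).lower() in SYSTEM_DIRS

def analyze(csv_text):
    """Return (exposed, shadowed) sets of (process, dll_name, folder).

    exposed:  DLL probed and missed outside the system dirs, then loaded from
              a system dir, so a same-named file in that folder would win.
    shadowed: DLL loaded from outside the system dirs although the same
              process also loads that name from a system dir in this trace.
    """
    missed, local_loads, system_names = set(), set(), set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        path = row["Path"]
        if not path.lower().endswith(".dll"):
            continue
        key = (row["Process Name"].lower(), ntpath.basename(path).lower())
        folder = ntpath.dirname(path)
        if row["Result"] == "NAME NOT FOUND" and not is_system(path):
            missed.add(key + (folder,))
        elif row["Operation"] == "Load Image" and row["Result"] == "SUCCESS":
            if is_system(path):
                system_names.add(key)
            else:
                local_loads.add(key + (folder,))
    exposed = {m for m in missed if m[:2] in system_names}
    shadowed = {l for l in local_loads if l[:2] in system_names}
    return exposed, shadowed

if __name__ == "__main__":
    exposed, shadowed = analyze(SAMPLE_CSV)
    for label, hits in (("EXPOSED", exposed), ("SHADOWED", shadowed)):
        for proc, dll, folder in sorted(hits):
            print(f"{label}: {proc} resolves {dll} via {folder}")
```

A DLL that only ever loads from the application folder, like the sample `appcore.dll`, is not reported; a shadowed hit is the one to compare against the vendor's copy and its signature.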
References and Tools used:
- https://github.com/secretsquirrel/the-backdoor-factory
- https://www.metasploit.com/
- https://docs.microsoft.com/en-us/sysinternals/downloads/procmon
- https://attack.mitre.org/wiki/Technique/T1038
- Original PPT: https://www.slideshare.net/nipunjaswal/hijacking-softwares-for-fun-and-profit
- For Metasploit tutorials you can buy my books here (this is self-promotion :P, I think I can do that, it's my blog, right? :P)
Wow.... That's cool sir
Awesome sir