during our attack we will focus on one of these utilities MicroSoft Cross-Platform Audio Creation Tool (XACT) which is vulnerable to DLL Side-Loading we need to have ProcMon Sysinternals to start monitoring specific Application with our modified filter strings . so we have to specific process name and ends of paths with results out put

so after we have successfully activated out filter , you will notice on status bar about capturing events mode activated . Lets then open our application and explore the function to load a project file with extension `xap ` we have figured out that application is vulnerable when we are trying to open any xact3 project while our dll is placed on same directory

Exploitation POC

  • create an empty project with extension xap
  • place your malicious dll with vulnerable name xbdm.dll
  • successfully exploited the vulnerability

Lawrence Amer
offensive security expert and founder of 0xsp security research and development (SRD), passionate about hacking and breaking stuff, coder and maintainer of 0xsp-mongoose RED, and many other open-source projects