DirectX Software Development Kit (SDK) RCE Exploitation

This DirectX SDK release contains updates to tools, utilities, samples, documentation, and runtime debug files for x64 and x86 platforms. Microsoft DirectX is a collection of application programming interfaces (APIs) for handling tasks related to multimedia, especially game programming and video, on Microsoft platforms.

https://www.microsoft.com/en-us/download/details.aspx?id=6812

During our attack we will focus on one of these utilities, the Microsoft Cross-Platform Audio Creation Tool (XACT), which is vulnerable to DLL side-loading.

We need Sysinternals ProcMon to monitor the specific application with our modified filter strings, so we have to specify the process name, the path endings, and the result to match.

Once the filter has been successfully activated, the status bar shows that event capture mode is active.

Let's then open our application and explore the function that loads a project file with the extension xap.

We figured out that the application is vulnerable when we try to open any xact3 project while our DLL is placed in the same directory.

Exploitation POC

  • Create an empty project with the extension xap

  • Place your malicious DLL under the vulnerable name xbdm.dll

  • The vulnerability is successfully exploited
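
The ProcMon capture used above can be exported to CSV and triaged offline to detect this behaviour. The following is an added example, not code from the original post: it flags DLLs that the monitored process loaded, or probed for, outside a set of trusted directories. The column layout is ProcMon's default CSV export; the process name `Xact3.exe`, every path, and the trusted directory list are constructed assumptions.

```python
import csv
import io
import ntpath

# Constructed ProcMon CSV export (default column layout); not a real capture.
# The process name and all paths are assumptions made for illustration.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.10","Xact3.exe","4242","CreateFile","C:\Work\demo\demo.xap","SUCCESS",""
"10:01:02.20","Xact3.exe","4242","CreateFile","C:\Tools\XACT\xbdm.dll","NAME NOT FOUND",""
"10:01:02.21","Xact3.exe","4242","CreateFile","C:\Windows\System32\xbdm.dll","NAME NOT FOUND",""
"10:01:02.22","Xact3.exe","4242","CreateFile","C:\Work\demo\xbdm.dll","SUCCESS",""
"10:01:02.23","Xact3.exe","4242","Load Image","C:\Work\demo\xbdm.dll","SUCCESS",""
"10:01:02.30","Xact3.exe","4242","Load Image","C:\Windows\System32\kernel32.dll","SUCCESS",""
"10:01:02.40","notepad.exe","77","Load Image","C:\Temp\other.dll","SUCCESS",""
'''

def is_trusted(path, trusted_dirs):
    """True if path lies inside one of the trusted directory trees."""
    p = ntpath.normcase(ntpath.normpath(path))
    for d in trusted_dirs:
        # Trailing separator stops C:\WindowsFake from matching C:\Windows.
        root = ntpath.normcase(ntpath.normpath(d)).rstrip("\\") + "\\"
        if p.startswith(root):
            return True
    return False

def find_untrusted_dll_events(csv_text, process, trusted_dirs):
    """Return (kind, dll, directory) for DLL events outside trusted dirs."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        path = row["Path"]
        if row["Process Name"].lower() != process.lower():
            continue
        if not path.lower().endswith(".dll") or is_trusted(path, trusted_dirs):
            continue
        if row["Operation"] == "Load Image":
            kind = "LOADED"   # a DLL image was mapped from an untrusted directory
        elif row["Result"] == "NAME NOT FOUND":
            kind = "PROBED"   # the DLL search fell through to an untrusted directory
        else:
            continue
        findings.append((kind, ntpath.basename(path).lower(), ntpath.dirname(path)))
    return findings

if __name__ == "__main__":
    trusted = [r"C:\Windows", r"C:\Tools\XACT"]  # assumed install directory
    for finding in find_untrusted_dll_events(SAMPLE_CSV, "Xact3.exe", trusted):
        print(finding)
```

A `LOADED` finding in a project or download directory means a DLL from that directory is already running inside the process. A `PROBED` finding marks a directory where a file of that name would be picked up.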
