
Telerik Fiddler Application Privilege Escalation via Dll Hijacking

The Fiddler application's default installation path is writable by the user.

The EnableLoopback feature also tries to load DLL files that do not exist in that directory. So, if a malicious DLL file is placed in that folder, the payload executes when the WinConfig feature in Fiddler is launched.
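As an added check for the condition the post describes (this is not code from the original post or from Fiddler): the PowerShell script below reports whether the Fiddler installation directory grants write access to low-privilege principals and flags any DLL in it that carries no valid Authenticode signature. The default directory under %LOCALAPPDATA%\Programs\Fiddler is an assumption; pass -FiddlerDir for another install location.

```powershell
# Added audit script; not part of the original post or of Fiddler.
# Assumption: the default Fiddler directory below. Override with -FiddlerDir if needed.
param(
    [string]$FiddlerDir = (Join-Path $env:LOCALAPPDATA 'Programs\Fiddler')
)

# Principals a non-admin user can act as; write rights for any of them allow DLL planting.
$LowPrivPrincipals = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'Everyone'
)

# Any of these rights lets a file be created or replaced in the directory.
$WriteMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl -bor
             [System.Security.AccessControl.FileSystemRights]::CreateFiles

function Test-WritableByLowPriv {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $WriteMask) -ne 0) { return $ace }
    }
    return $null
}

if (-not (Test-Path -Path $FiddlerDir)) {
    Write-Warning "Directory not found: $FiddlerDir"
    exit 1
}

$ace = Test-WritableByLowPriv -Path $FiddlerDir
if ($ace) {
    Write-Warning "$FiddlerDir is writable by $($ace.IdentityReference) ($($ace.FileSystemRights)); DLL planting is possible."
} else {
    Write-Output "$FiddlerDir is not writable by low-privilege principals."
}

# A planted DLL is normally unsigned; report every DLL whose signature is not valid.
Get-ChildItem -Path $FiddlerDir -Filter '*.dll' -Recurse | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Unsigned or invalid signature: $($_.FullName) [$($sig.Status)]"
    }
}
```

A per-user install is expected to be writable by that user, so the finding matters when a binary in the directory runs with higher privileges, as the post reports for EnableLoopback.exe.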

Affected executable file:
EnableLoopback.exe (privilege escalation)

Affected DLL:

PoC video:

More detail about DLL hijacking:
