A Windows application consists of various folders and files, including executables, DLLs and files in other formats. A DLL is loaded dynamically, and its code runs only when an executable loads it. Many applications today do not verify the integrity or authenticity of the DLLs they load, so it has become quite common for attackers to replace an existing DLL with one crafted to carry malicious code. This vulnerability is known as DLL hijacking.

The vulnerability arises from the fact that, unlike executable files, a malicious DLL is generally not detected by antivirus applications.
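The check the opening paragraph says most applications skip is an integrity check on the DLLs in the install folder. The script below is an added example written for this page, not code from the original post or from Mezzmo: it records a SHA-256 manifest of every DLL under an application directory and then reports any DLL that was replaced in place, removed, or added. The "Mezzmo" folder, the two DLL names and their contents are constructed stand-ins created in a temporary directory so the script runs offline.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """SHA-256 hex digest of a file, read in chunks so large DLLs are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(app_dir: Path) -> dict:
    """Map each DLL under app_dir (path relative to app_dir) to its SHA-256."""
    return {
        p.relative_to(app_dir).as_posix(): sha256_of(p)
        for p in sorted(app_dir.rglob("*.dll"))
    }


def verify_manifest(app_dir: Path, manifest: dict) -> dict:
    """Compare the DLLs now on disk against a trusted manifest.

    Returns sorted lists of DLLs whose hash changed (replaced in place),
    DLLs that vanished, and DLLs that were not in the baseline at all.
    """
    current = build_manifest(app_dir)
    return {
        "modified": sorted(n for n in manifest if n in current and current[n] != manifest[n]),
        "missing": sorted(n for n in manifest if n not in current),
        "unexpected": sorted(n for n in current if n not in manifest),
    }


def demo() -> dict:
    """Run the check against a constructed stand-in for an install folder."""
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp) / "Mezzmo"  # constructed folder, not the real install path
        app.mkdir()
        (app / "avcodec-57.dll").write_bytes(b"constructed original codec bytes")
        (app / "avformat-57.dll").write_bytes(b"constructed original format bytes")

        # Baseline taken from a known-good install. In practice store it
        # somewhere the application's own directory cannot overwrite.
        manifest_json = json.dumps(build_manifest(app), indent=2)

        # Simulate the in-place replacement the post describes, plus one
        # extra DLL dropped into the folder.
        (app / "avcodec-57.dll").write_bytes(b"constructed replacement bytes")
        (app / "extra.dll").write_bytes(b"constructed unexpected dll")

        return verify_manifest(app, json.loads(manifest_json))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A hash manifest only proves that the files match a snapshot, so it is only as trustworthy as the place the manifest is kept; if it lives in the same writable folder as the DLLs, whoever replaced the DLL can rewrite the manifest too. Authenticode signature verification, which Windows supports for DLLs and PowerShell exposes through Get-AuthenticodeSignature, ties authenticity to a publisher certificate instead of a snapshot and is the stronger check where the vendor signs its binaries.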

Here is the scenario to reproduce this issue in a vulnerable application.

First we need a malicious DLL. For demonstration purposes we are simply using a DLL that shows a popup when the application is vulnerable.

In our case we are using a vulnerable application named Mezzmo version 5.0.5.0, which is vulnerable to DLL hijacking. We need to identify the vulnerable DLL. One simple way to do that is to try every DLL in the application folder one by one. We tried replacing the file “avcodec-57.dll” with our malicious DLL of the same name.

As an attacker we can do this by creating an executable using WinRAR that extracts the file into the Mezzmo directory and replaces the old one. We can create a silent one as shown in the screenshot below.

[Screenshot: DLL Hijacking]

When mezzmo.exe executes, the DLL also executes, as shown in the screenshot below.

[Screenshot: DLL Hijacking]

Even after showing us the error, the program runs just fine.

[Screenshot: DLL Hijacking]

To actually exploit this issue, one can construct a DLL using Metasploit that provides a reverse shell.