Home

Awesome

iscsicpl autoelevate DLL Search Order hijacking UAC Bypass 0day

The iscsicpl.exe binary is vulnerable to a DLL Search Order hijacking vulnerability when running 32bit Microsoft binary on a 64bit host via SysWOW64. The 32bit binary, will perform a search within user %Path% for the DLL iscsiexe.dll. This can be exploited using a Proxy DLL to execute code via "iscsicpl.exe" as autoelevate is enabled. This exploit has been tested against the following versions of Windows desktop:

Usage

iscsicpl_bypassUAC.exe "reg save hklm\sam C:\xx\sam.hive"

iscsicpl_bypassUAC.exe "C:\Windows\System32\cmd.exe"

These files are available under a Attribution-NonCommercial-NoDerivatives 4.0 International license.