Search the Community

Spartacus is utilising the SysInternals Process Monitor and is parsing raw PML log files. You can leave ProcMon running for hours and discover 2nd and 3rd level (ie an app that loads another DLL that loads yet another DLL when you use a specific feature of the parent app) DLL Hijacking vulnerabilities. It will also automatically generate proxy DLLs with all relevant exports for vulnerable DLLs. Features Parsing ProcMon PML files natively. The config (PMC) and log (PML) parsers have been implemented by porting partial functionality to C# from [Hidden Content]. You can find the format specification here. Spartacus will create proxy DLLs for all missing DLLs that were identified. For instance, if an application is vulnerable to DLL Hijacking via version.dll, Spartacus will create a version.dll.cpp file for you with all the exports included in it. Then you can insert your payload/execution technique and compile. Able to process large PML files and store all DLLs of interest in an output CSV file. Local benchmark processed a 3GB file with 8 million events in 45 seconds. [Defence] Monitoring mode trying to identify running applications proxying calls, as in “DLL Hijacking in progress”. This is just to get any low-hanging fruit and should not be relied upon. [hide][Hidden Content]]

New version of RottenPotato as a C++ DLL and standalone C++ binary - no need for meterpreter or other tools. RottenPotatoDLL This project generates a DLL and EXE file. The DLL contains all the code necessary to perform the RottenPotato attack and get a handle to a privileged token. The MSFRottenPotatoTestHarness project simply shows example usage for the DLL. For more examples, see [Hidden Content], specifically the SeAssignPrimaryTokenPrivilege.cpp and SeImpersonatePrivilege.cpp files. RottenPotatoEXE This project is identical to the above, except the code is all wrapped into a single project/binary. This may be more useful for some penetration testing scenarios. Modify the "main" method in MSFRottenPotato.cpp to change what command will be run. By default it just runs cmd.exe to pop a command shell. [hide][Hidden Content]]

DLL Injector Hacker PRO – is a tool for injection of files dll to processes or (programs) this tool was specially designed for the injection of hacks, for games such as (Halo – Counter Strike – Swat – Nova – Mount Blade – Star War – ETC …) is easy to use and very efficient. [hide][Hidden Content]]

DLInjector for Graphical User Interface. Faster DLL Injector for processes. It targets the process name to identify the target. The process does not need to be open to define the target. DLInjector waits until the process executed. Firstly, enter the target process name with exe (chrome.exe, explorer.exe). And enter the to be injected DLL path (C:\malwDll.dll). Example Injection Process: V1 Features Only inject the DLL. Targeting process by name. If errors occurs, shows the error code. [hide][Hidden Content]]

EvilDLL v1.0 Malicious DLL (Win Reverse Shell) generator for DLL Hijacking [HIDE][Hidden Content]]

cryption android mono dll [Hidden Content]

Microsoft Font Subsetting DLL suffers from a heap-based out-of-bounds read vulnerability in FixSbitSubTableFormat1. View the full article

Microsoft Font Subsetting DLL suffers from a heap corruption vulnerability in MakeFormat12MergedGlyphList. View the full article

Microsoft Font Subsetting DLL suffers from a heap-based out-of-bounds read vulnerability in WriteTableFromStructure. View the full article

Microsoft Font Subsetting DLL suffers from a heap corruption vulnerability in ReadAllocFormat12CharGlyphMapList. View the full article

Microsoft Font Subsetting DLL suffers from a heap corruption vulnerability in ReadTableIntoStructure. View the full article

Microsoft Font Subsetting DLL suffers from a double free vulnerability in MergeFormat12Cmap / MakeFormat12MergedGlyphList. View the full article

Microsoft Font Subsetting DLL suffers from a heap-based out-of-bounds read vulnerability in GetGlyphIdx. View the full article

The Microsoft Font Subsetting DLL (fontsub.dll) is a default Windows helper library for subsetting TTF fonts. It has an issue where it returns a dangling pointer via MergeFontPackage. View the full article

There is a Microsoft Font Subsetting DLL heap corruption vulnerability in ComputeFormat4CmapData. View the full article

An issue has been discovered where the Microsoft Font Subsetting DLL (fontsub.dll) suffers from a heap-based out-of-bounds read vulnerability in MergeFonts. View the full article

Microsoft File Checksum Verifier version 2.05 suffers from a dll hijacking vulnerability. View the full article

Huawei eSpace version 1.1.11.103 suffers from a DLL Hijacking issue. The vulnerability is caused due to the application loading libraries (mfc71enu.dll, mfc71loc.dll, tcapi.dll and airpcap.dll) in an insecure manner. This can be exploited to load arbitrary libraries by tricking a user into opening a related application file (.html, .jpg, .png) located on a remote WebDAV or SMB share. View the full article

VMware Workstation versions prior to 15.1.0 suffer from a dll hijacking vulnerability. View the full article

Exiftool version 8.3.2.0 suffers from a dll hijacking vulnerability. View the full article

This Metasploit module simplifies the rundll32.exe Application Whitelisting Bypass technique. The module creates a webdav server that hosts a dll file. When the user types the provided rundll32 command on a system, rundll32 will load the dll remotely and execute the provided export function. The export function needs to be valid, but the default meterpreter function can be anything. The process does write the dll to C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV but does not load the dll from that location. This file should be removed after execution. The extension can be anything you'd like, but you don't have to use one. Two files will be written to disk. One named the requested name and one with a dll extension attached. View the full article

Intel Rapid Storage Technology User Interface and Driver version 15.9.0.1015 suffers from a dll hijacking vulnerability. View the full article

D-Link Central WiFiManager CWM-100 version 1.03 r0098 devices will load a trojan horse "quserex.dll" and will create a new thread running with SYSTEM integrity. View the full article

Dropbox version 54.5.90 suffers from a DLL hijacking vulnerability. View the full article

The Microsoft DirectX SDK "Xact3.exe" cross-platform tool allows for arbitrary code execution via a trojan horse file "xbdm.dll" in the current working directory, upon opening a ".xap" project file from the same location. View the full article