Adobe ExtendedScript Toolkit CS5 v3.5.0.52 (dwmapi.dll) DLL Hijacking Exploit

Title: Adobe ExtendedScript Toolkit CS5 v3.5.0.52 (dwmapi.dll) DLL Hijacking Exploit
Advisory ID: ZSL-2010-4952
Type: Local/Remote
Impact: System Access
Risk: (4/5)
Release Date: 26.08.2010
Summary
The ExtendScript Toolkit (ESTK) 3.5.0 is a scripting utility included with Adobe® Creative Suite CS5 and other Adobe applications. The ESTK is used for creating, editing, and debugging JavaScript to be used for scripting Adobe applications.
Description
Adobe ExtendScript Toolkit CS5 suffers from a DLL hijacking vulnerability that enables an attacker to execute arbitrary code on a local level. The vulnerable file extension is .jsx, through the dwmapi.dll library.
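A triage check for the condition described above, as an added example that is not part of the advisory or its PoC: it walks a directory tree and reports every folder where a dwmapi.dll sits beside a .jsx file. It assumes the usual pattern for this vulnerability class (Microsoft KB 2269637, named in reference [4]), where the library is loaded from the directory of the opened document; the function names and the sample tree are constructed for illustration.

```python
import os
import tempfile

DLL_NAME = "dwmapi.dll"   # library named in the advisory
DOC_EXT = ".jsx"          # file extension named in the advisory


def find_colocated_dlls(root, dll_name=DLL_NAME, doc_ext=DOC_EXT, trusted_dirs=()):
    """Return [(directory, dll_path, [documents])] for every directory under
    root that holds dll_name next to at least one doc_ext file."""
    trusted = {os.path.normcase(os.path.abspath(d)) for d in trusted_dirs}
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        here = os.path.normcase(os.path.abspath(dirpath))
        if here in trusted:
            dirnames[:] = []      # do not descend into trusted locations
            continue
        # Windows file names are case-insensitive, so compare lower-cased.
        dlls = [f for f in filenames if f.lower() == dll_name.lower()]
        docs = sorted(f for f in filenames if f.lower().endswith(doc_ext.lower()))
        if dlls and docs:
            findings.append((dirpath, os.path.join(dirpath, dlls[0]), docs))
    return sorted(findings)


def demo():
    """Build a constructed directory tree and scan it."""
    with tempfile.TemporaryDirectory() as root:
        layout = {
            "share/projects": ["build.jsx", "DWMAPI.DLL"],  # flagged
            "share/clean": ["export.jsx"],                   # script only
            "share/libs": ["dwmapi.dll"],                    # DLL only
        }
        for rel, names in layout.items():
            os.makedirs(os.path.join(root, rel))
            for name in names:
                open(os.path.join(root, rel, name), "wb").close()
        return [(os.path.relpath(d, root).replace(os.sep, "/"), docs)
                for d, _dll, docs in find_colocated_dlls(root)]


if __name__ == "__main__":
    for directory, docs in demo():
        print(f"review: {DLL_NAME} beside {docs} in {directory}")
```

Point `find_colocated_dlls` at file shares, download folders and extracted archives; pass application or system install directories as `trusted_dirs` to keep legitimate copies out of the report.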
Vendor
Adobe Systems Inc. - http://www.adobe.com
Affected Version
CS5 v3.5.0.52 ExtendScript 4.1.23 ScriptUI 5.1.37
Tested On
Microsoft Windows XP Professional SP3 (English)
Vendor Status
N/A
PoC
adobeest_dll.c
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://www.exploit-db.com/exploits/14785
[2] http://packetstormsecurity.org/filedesc/adobeest_dll.txt.html
[3] http://securityreason.com/exploitalert/8780
[4] http://www.corelan.be:8800/index.php/2010/08/25/dll-hijacking-kb-2269637-the-unofficial-list/
[5] http://www.exploit-db.com/dll-hijacking-vulnerable-applications/
[6] http://www.vupen.com/english/advisories/2010/2213
[7] http://osvdb.org/show/osvdb/67550
[8] http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-3155
[9] http://www.securityfocus.com/bid/42749
Changelog
[26.08.2010] - Initial release
[27.08.2010] - Added reference [1], [2], [3], [4] and [5]
[28.08.2010] - Added reference [6] and [7]
[31.08.2010] - Added reference [8]
[13.11.2010] - Added reference [9]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk