Running programs via Proxy & jumping on a EDR-bypass trampoline, Part 5

March 15, 2018 in Anti-*, EDR, Living off the land, LOLBins

Update

After I posted it bohops provided one more variant:

rundll32.exe shdocvw.dll, OpenURL [path to file.url]

Thanks!

Old Post

This is nothing new, but just documenting for the sake of documenting.

It crossed my mind to look for all the DLLs that refer to OpenURL – an API that is exported by the url.dll – which is used to launch URLs (and was a subject of the first part of the series). I quickly discovered that ieframe.dll also exports identically named function; a quick googling around followed and I noticed it was a subject to previous analysis (CVE-2016-3353) – as a result, the vulnerability that allowed remote execution of code was patched.

Still, the built-in functionality can help to launch other programs via proxy e.g. using the .url file:

[InternetShortcut]
URL=file:///c:\windows\system32\calc.exe

and running:

rundll32 ieframe.dll, OpenURL <path to local URL file>

will launch calculator.

 

Share this :)

Comments are closed.