Installers – Interactive Lolbins

April 18, 2019 in File Formats ZOO, Living off the land, LOLBins

Update

After I published it n00py1 sent me a link to this post by NinjaStyle82. So, not a silly idea at all, and it actually allows to get a privilege escalation in some cases as well.

Old Post

This is another way to launch your binary via proxy. It’s very ugly as it generates a lot of noise, but if you have an interactive access to the box, perhaps it could work…

As usual, the idea is simple and is basically a variant of a classic con known as a bait and switch. It will work as long as the installer offers the below final screen at the end of the Installation Wizard (a check box that makes it launch the program):

Note that many installers install to Program Files paths by default, and nowadays these are not accessible to normal users (UAC popup shows up). So to pull this trick off w/o raising a suspicion one could change that destination path to a folder controlled by an attacker e.g. somewhere under c:\users.

Files in this ‘controlled’ folder will most likely not have restrictive ACLs (after being dropped). Once all files are there, but before we launch the final application via GUI, it is at that moment when you have to replace the main executable with your own binary. Then just click Finish and your program of choice will be executed, as if a part of the setup process (and lolbinned since the parent is a signed application).

There are possibly other variants of this – ones that involve swapping DLLs that often are registered or unregistered by the setup programs. This may require winning a race condition though (you need to swap the DLL after it’s written to disk, but before the DLL loading happens). And yet another variant could just swap the existing (installed) uninstaller program and then run Setup program to ‘uninstall’ the application…

It’s superlame and unpractical. But sometimes it’s the stupid things that work best.

Share this :)

Comments are closed.