VS2005_vcredist_x86.exe as a LOLBIN

May 22, 2019 in Living off the land, LOLBins

This is a completely random find. I was installing this old package on a test system, and out of habit checked if it takes any command line arguments. It actually does:

This is too good to be true. Guess what happens when you run:

VS2005_vcredist_x86.exe /q /c:c:\windows\system32\calc.exe

Btw, it doesn’t work for the newer ones:

  • VS2008_vcredist_x86.exe
  • VS2010_vcredist_x86.exe
  • VS2013_vcredist_x86.exe

There may be some possibilities for VS2010_vcredist_x86.exe as it takes a lot of different command line arguments:

To be precise, these options are actually taken by setup.exe after VS2010_vcredist_x86.exe unpacks its files to a c:\<random hex> folder.

Just a quick code review of various versions of the redistributable installers immediately highlights plenty of ideas for sideloading as well, e.g. the signed install.exe from VS2008_vcredist_x86.exe loads one of the language-specific resource DLLs placed in the same directory via LoadLibrary, hence they can be swapped with a payload DLL:

  • install.res.1028.dll
  • install.res.1031.dll
  • install.res.1033.dll
  • install.res.1036.dll
  • install.res.1040.dll
  • install.res.1041.dll
  • install.res.1042.dll
  • install.res.2052.dll
  • install.res.3082.dll

And a last update: it turns out that VS2005_vcredist_x86.exe was packaged with IExpress Setup, so any installer from that era created with iexpress.exe should have LOLBIN functionality.
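
A defender-side check for the behaviour described above, as an added example that is not part of the original post: it parses process-creation command lines and reports when a watched IExpress-built package is started with the /c: override. The watchlist, function names and sample command lines are assumptions constructed for illustration.

```python
import re

# Assumed watchlist of IExpress-built package names; extend it from your own inventory.
WATCHLIST = {"vs2005_vcredist_x86.exe"}

# /c:<command> as shown in the post; the value may be quoted to carry spaces.
OVERRIDE = re.compile(r'(?<!\S)/c:(?:"([^"]*)"|(\S+))', re.IGNORECASE)
QUIET = re.compile(r"(?<!\S)/q\b", re.IGNORECASE)

def split_image(cmdline):
    """Split a Windows command line into (image path, remaining arguments)."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        if end == -1:
            return cmdline[1:], ""
        return cmdline[1:end], cmdline[end + 1:]
    image, _, args = cmdline.partition(" ")
    return image, args

def detect_override(cmdline, watchlist=WATCHLIST):
    """Return a finding dict if a watched package was started with /c:, else None."""
    image, args = split_image(cmdline)
    name = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if name not in watchlist:
        return None  # e.g. findstr, whose /c: switch means something unrelated
    match = OVERRIDE.search(args)
    if match is None:
        return None  # ordinary install, no command override
    command = match.group(1) if match.group(1) is not None else match.group(2)
    return {"image": name, "command": command, "quiet": bool(QUIET.search(args))}

# Constructed sample command lines (not real telemetry).
SAMPLES = [
    r"VS2005_vcredist_x86.exe /q /c:c:\windows\system32\calc.exe",
    r'"C:\Users\test\Downloads\VS2005_vcredist_x86.exe" /Q /C:"c:\windows\system32\calc.exe"',
    r"C:\Temp\VS2005_vcredist_x86.exe /q",
    r'findstr /c:"error" C:\logs\app.log',
]

def scan(lines=SAMPLES):
    """Run the detection over a list of command lines and keep the findings."""
    return [f for f in map(detect_override, lines) if f]

if __name__ == "__main__":
    for finding in scan():
        print(finding)
```

Matching on the file name alone misses renamed copies, so treat the watchlist as a starting point and pair it with whatever file identity your telemetry records.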

Update

After I posted this piece, Stefan Kanthak pointed me to his older research from 2015 that actually describes the very same issue and discusses the UAC bypass that can be achieved via this method as well. Nice work!
