Rundll32 with a vbscript: protocol

October 29, 2019 in Anti-Forensics, Living off the land, LOLBins

Inspired by a question posted on Twitter by Tim, I tried to modify a well-known rundll32 javascript: trick (introduced by poweliks around July 2014 if I am not wrong) to use vbscript. I felt we should be able to make the code work the very same way as the JavaScript.

It turned out to be a bit tricky, because vbscript doesn’t seem to like any whitespace characters in the payload, including encoded spaces, new lines and carriage returns.

I eventually decided to follow a different path and focused on a fact that a first argument passed from this sneaky payload to VBScript interpreter is a string. And since strings can be not only commands, but also actual data bits that can be added together I tried doing so. Using a String function I encapsulated / casted the result of my calculator-launcher code to a string… and the trick worked like a charm:

Here’s a snippet:

rundll32 vbscript:”\..\mshtml,RunHTMLApplication “+String(CreateObject(“Wscript.Shell”).Run(“calc.exe”),0)

Comments are closed.