May 23, 2020 in Living off the land, LOLBins

It turns out there is one more lolbin one can create that is subject to the constraints described previously. And not only that: there is one extra limitation in this case, because only the 32-bit version of this executable exhibits lolbin properties.

When you run the 64-bit msra.exe on a 64-bit system, it just starts as it should. But if you run the 32-bit version, it will detect that it is running on a 64-bit system and will immediately launch the 64-bit version. So, same as in the previous example, we just change the windir environment variable to our own path, and c:\test\system32\msra.exe will be executed. Note that we force the 32-bit msra.exe to run by using a full path pointing to the SysWOW64 directory:

set windir=c:\test & c:\windows\syswow64\msra.exe
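
For detection, the relaunch described above leaves a distinctive parent/child pair in process-creation telemetry. The following is an added example, not code from the original post: it flags any child of the 32-bit msra.exe that is not the genuine 64-bit msra.exe. It assumes events carry the Sysmon Event ID 1 field names Image and ParentImage, that Windows lives in C:\Windows, and that the 32-bit binary's only expected child is its 64-bit counterpart; the sample events are constructed.

```python
import ntpath

# Assumption: Windows is installed in C:\Windows on the monitored hosts.
SYSTEM_ROOT = r"C:\Windows"


def norm(path):
    """Normalise separators and '..' segments, then case-fold the path."""
    return ntpath.normpath(path).lower()


WOW64_MSRA = norm(ntpath.join(SYSTEM_ROOT, "SysWOW64", "msra.exe"))
NATIVE_MSRA = norm(ntpath.join(SYSTEM_ROOT, "System32", "msra.exe"))


def suspicious_msra_relaunch(event):
    """True when 32-bit msra.exe spawned anything but the real 64-bit msra.exe."""
    parent = norm(event.get("ParentImage", ""))
    child = norm(event.get("Image", ""))
    return parent == WOW64_MSRA and child != NATIVE_MSRA


def scan(events):
    """Return the process-creation events that match the relaunch pattern."""
    return [e for e in events if suspicious_msra_relaunch(e)]


# Constructed sample events (field names follow Sysmon Event ID 1).
SAMPLE_EVENTS = [
    # Normal: 32-bit msra.exe hands over to the genuine 64-bit binary.
    {"ParentImage": r"C:\Windows\SysWOW64\msra.exe",
     "Image": r"C:\Windows\System32\msra.exe"},
    # The scenario from the post: windir pointed at c:\test.
    {"ParentImage": r"c:\windows\syswow64\msra.exe",
     "Image": r"c:\test\system32\msra.exe"},
    # Normal: 64-bit msra.exe started directly by the user.
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\msra.exe"},
]

if __name__ == "__main__":
    for e in scan(SAMPLE_EVENTS):
        print("ALERT:", e["ParentImage"], "->", e["Image"])
```
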

