You are browsing the archive for Living off the land.

Installers – Interactive Lolbins, Part 2

April 19, 2019 in File Formats ZOO, Living off the land, LOLBins

In my previous post I forgot to mention one important type of installers – Portable Apps.

Their main .exes are signed, and they launch a very specific application from a predictable folder. So, all you have to do is for e.g. Portable Firefox:

  • Drop legitimate signed FirefoxPortable.exe
  • then add App\firefox\firefox.exe of your choice

and then launch the signed portable .exe.

Installers – Interactive Lolbins

April 18, 2019 in File Formats ZOO, Living off the land, LOLBins

This is another way to launch your binary via proxy. It’s very ugly as it generates a lot of noise, but if you have an interactive access to the box, perhaps it could work…

As usual, the idea is simple and is basically a variant of a classic con known as a bait and switch. It will work as long as the installer offers the below final screen at the end of the Installation Wizard (a check box that makes it launch the program):

Note that many installers install to Program Files paths by default, and nowadays these are not accessible to normal users (UAC popup shows up). So to pull this trick off w/o raising a suspicion one could change that destination path to a folder controlled by an attacker e.g. somewhere under c:\users.

Files in this ‘controlled’ folder will most likely not have restrictive ACLs (after being dropped). Once all files are there, but before we launch the final application via GUI, it is at that moment when you have to replace the main executable with your own binary. Then just click Finish and your program of choice will be executed, as if a part of the setup process (and lolbinned since the parent is a signed application).

There are possibly other variants of this – ones that involve swapping DLLs that often are registered or unregistered by the setup programs. This may require winning a race condition though (you need to swap the DLL after it’s written to disk, but before the DLL loading happens). And yet another variant could just swap the existing (installed) uninstaller program and then run Setup program to ‘uninstall’ the application…

It’s superlame and unpractical. But sometimes it’s the stupid things that work best.