You are browsing the archive for LOLBins.

acw.exe – perhaps the last true Lolbin standing…

August 19, 2018 in Living off the land, LOLBins

As I mentioned I won’t be covering lolbins anymore until I find something new/interesting.

I guess an OS-native rundll32.exe replacement is kinda interesting, especially that it seems to be present by default on some Windows Server installations (e.g. 2008) and sometimes is installed by other software.

The binary in question is part of a Guided Help a.k.a. Active Content Wizard component and the .exe in question is acw.exe.

It has a nice command line argument that allows us to load and execute any DLL:

  • %systemroot%\system32\acw.exe -Extensions <dll>

Known locations of acw.exe are:

  • c:\Program Files\ACW\acw.exe
  • c:\windows\system32\acw.exe
  • c:\windows\syswow64\acw.exe

A few more LOLBins…

August 17, 2018 in Living off the land, LOLBins

There are a few more quick wins for loading DLLs using native .exe files from Windows 10… courtesy of good ol’ LoadLibraryA e.g.:

  • fixmapi.exe
    • Copy c:\WINDOWS\System32\fixmapi.exe to your folder
    • Drop malicious mapistub.dll there
    • Run fixmapi.exe
  • mshta.exe
    • Copy c:\WINDOWS\System32\mshta.exe to your folder
    • Drop malicious WLDP.DLL there
    • Run mshta.exe
  • mshta.exe
    • Temporary change HKCR\clsid\
      {25336920-03f9-11cf-8fd0-00aa00686f13}\InProcServer32
      to point to malicious DLL
    • Run mshta.exe
    • Restore the Registry entry

This is obviously not the end.

There are so many potentials that it gets really boring to enumerate all this stuff:

  • Apart from LoadLibraryA, there is LoadLibraryW which is very prevalent.
  • There are cases of LoadLibraryExA and LoadLibraryExW that still use parameters that allow abuse.
  • There are also functions that allow environment variables to resolve paths for libraries they load – bad choice.
  • Pretty much every single .exe that is dependent on statically linked DLLs that are not on the KnownDLL list may be used as a lolbin e.g.
    • certutil.exe relies on certcli.dll
      • certcli.dll in turn relies on certca.dll
        so you can just produce DLLs that include all the exported functions like the original ones and let the certutil.exe load them.
  • And there are non-OS binaries that are highly prevalent in various environments that offer lots of opportunities for side-loading or proxy execution.

The possibilities are almost endless. Unless I find something really new/cool I won’t be posting about Lolbins anymore as at this stage I am bored with it 🙂