As I mentioned I won’t be covering lolbins anymore until I find something new/interesting.
I guess an OS-native rundll32.exe replacement is kinda interesting, especially that it seems to be present by default on some Windows Server installations (e.g. 2008) and sometimes is installed by other software.
The binary in question is part of a Guided Help a.k.a. Active Content Wizard component and the .exe in question is acw.exe.
It has a nice command line argument that allows us to load and execute any DLL:
- %systemroot%\system32\acw.exe -Extensions <dll>
Known locations of acw.exe are:
- c:\Program Files\ACW\acw.exe
- c:\windows\system32\acw.exe
- c:\windows\syswow64\acw.exe