This is a completely random find. I was installing this old package on a test system, and out of habit checked if it takes any command line arguments. It actually does:
This is too good to be true. Guess what happens when you run:
VS2005_vcredist_x86.exe /q /c:c:\windows\system32\calc.exe
By the way, it doesn’t work for newer ones:
There may be some possibilities for VS2010_vcredist_x86.exe as it takes a lot of different command line arguments:
To be precise, these options are actually taken by setup.exe after VS2010_vcredist_x86.exe unpacks its files to a c:\<random hex> folder.
Even a quick code review of the various versions of the redistributable installers immediately highlights plenty of ideas for sideloading as well. For example, the signed install.exe from VS2008_vcredist_x86.exe loads one of the language-specific resource DLLs placed in the same directory via LoadLibrary, hence they can be swapped with a payload DLL:
One last update: it turns out that VS2005_vcredist_x86.exe was packaged with IExpress Setup, so any installer from that era created with iexpress.exe should have the same lolbin functionality.
After I posted this piece, Stefan Kanthak pointed me to his older research from 2015, which describes the very same issue and discusses the UAC bypass that can be achieved via this method as well. Nice work!
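For defenders, the /c: override described above can be hunted in process-creation telemetry. The following is an added example, not code from the original post: it assumes events shaped like Sysmon process-creation records (Image, CommandLine, ParentImage, ParentCommandLine) and assumes the overridden command runs as a direct child of the installer; the function names and sample events are constructed for illustration.

```python
import ntpath
import re

# IExpress "/c:<command>" override switch; value is quoted or runs to the next space.
OVERRIDE_RE = re.compile(r'(?:^|\s)/c:(?:"([^"]+)"|(\S+))', re.IGNORECASE)

def override_target(command_line):
    """Return the program named by a /c: override switch, or None."""
    m = OVERRIDE_RE.search(command_line or "")
    if not m:
        return None
    value = m.group(1) or m.group(2)
    # First token only; a quoted value may carry arguments after the program.
    return value.split()[0]

def _stem(path):
    """Lower-cased file name without a trailing .exe, using Windows path rules."""
    name = ntpath.basename(path).lower()
    return name[:-4] if name.endswith(".exe") else name

def find_override_launches(events):
    """Return events whose image is the program the parent's /c: switch named."""
    hits = []
    for ev in events:
        target = override_target(ev.get("ParentCommandLine"))
        if target and _stem(target) == _stem(ev.get("Image", "")):
            hits.append(ev)
    return hits

# Constructed sample events (not taken from a real system).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\calc.exe",
     "CommandLine": r"c:\windows\system32\calc.exe",
     "ParentImage": r"C:\Users\test\Downloads\VS2005_vcredist_x86.exe",
     "ParentCommandLine": r"VS2005_vcredist_x86.exe /q /c:c:\windows\system32\calc.exe"},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec /i vcredist.msi",
     "ParentImage": r"C:\Users\test\Downloads\VS2005_vcredist_x86.exe",
     "ParentCommandLine": r"VS2005_vcredist_x86.exe /q"},
    {"Image": r"C:\Windows\System32\findstr.exe",
     "CommandLine": r'findstr /c:"error" setup.log',
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "ParentCommandLine": r'cmd.exe /c findstr /c:"error" setup.log'},
]

if __name__ == "__main__":
    for ev in find_override_launches(SAMPLE_EVENTS):
        print("override launch:", ev["ParentImage"], "->", ev["Image"])
```

Matching the child image against the parent's /c: value, rather than alerting on the switch alone, keeps tools such as findstr, which use /c: for an unrelated purpose, out of the results.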