Misre-presentation host

February 8, 2021 in Living off the land, LOLBins

PresentationHost.exe is a known LOLBIN so I approached it with a caution.

To my surprise, I discovered that it accepts a number of command line arguments:

  • Embedding – running as a server (?)
  • Debug – enables debugging (see next point)
  • DebugSecurityZoneURL – specifies XBAP URL used for debugging as per this old article
  • Event – ?
  • LaunchApplication — launch ClickOnce application
  • RegServer – registers server
  • UnregServer – unregisters server

Apart from DebugSecurityZoneURL that may be useful in some scenarios, my attention focused on the LaunchApplication. Not because it can launch ClickOnce application, but because it… launches iexplore.exe if it cannot find anything to launch.

And as it turns out it relies on a environment variable value while resolving the path to iexplore.exe. In certain configurations (32-bit presentationhost.exe executed in a 64-bit environment) it allow us to launch application of our choice. That is, new lolbin is born.

If we fake the value of ProgramW6432

set ProgramW6432=c:\test

and then launch

c:\windows\syswow64\PresentationHost.exe foo

It will attempt to launch Internet Explorer\IEXPLORE.EXE from a folder ProgramW6432 refers to e.g. c:\test\Internet Explorer\IEXPLORE.EXE:

As a side note, I am providing a copy of the article I referred to just in case it disappears from web. archive.org:

Comments are closed.