SettingSyncHost.exe as a LolBin

This native OS binary has two interesting options:

  • -LoadAndRunDiagScript <name>
  • -LoadAndRunDiagScriptNoCab <name>

When executed with either of these options, it extracts the .bat file stored inside its resources, saves it as %TEMP%\RoamDiag.cmd, and then executes it.

There are at least two ways we can exploit it.

We can create our own %TEMP%\RoamDiag.cmd and make SettingSyncHost.exe execute it, but there is a caveat: the .cmd file is always deleted, and any problem with that deletion stops the program from working. Still, we could try a race-condition approach, i.e. run SettingSyncHost.exe with the parameters above while, at the same time, a batch file running in a never-ending loop overwrites %TEMP%\RoamDiag.cmd with content of our choice. This could work, but I have not tested it.

Why?

Because there is an easier way. The batch file extracted from resources of SettingSyncHost.exe and saved as %TEMP%\RoamDiag.cmd executes a number of OS programs including:

  • wevtutil
  • makecab
  • reg
  • ipconfig
  • settingsynchost.exe
  • tracelog

These programs are executed without specifying a full path, and in most cases without a file extension either. So we can literally create a malicious file named like any of these six, drop it inside the %TEMP% directory (including settingsynchost.exe!), and launch it using the following syntax:

cd %TEMP% & c:\windows\system32\SettingSyncHost.exe -LoadAndRunDiagScript foo

how to be a bad ctor

If you have any app installed that utilizes InstallShield for deployment the chances are that you may have a Ctor.dll file present on the system.

The nice bit about this library is that it exports a function called LaunchSetup. You can pass any file name to it and have it running in no time; that is:

RunDll32.exe c:\test\ctor.dll, LaunchSetup <program>

There is one caveat though. You won’t be able to run the Calculator or Notepad applications this way, because the function first copies the program file given on the command line to the %TEMP% directory and launches it from there. As such, programs that rely on .MUI files to run (e.g. OS GUI programs like Notepad or Calculator) need those files copied to that very same %TEMP% folder as well. But running Calc is not really the point of LOLBINS, is it? 😉

Typical ctor.dll locations:

  • C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll
  • C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\<number>\Intel32\Ctor.dll
  • C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\<number>\<number>\Intel32\Ctor.dll
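From the defender's side, both techniques above leave simple, stable signals: a SettingSyncHost.exe process started with -LoadAndRunDiagScript or -LoadAndRunDiagScriptNoCab, one of the six helper names (wevtutil, makecab, reg, ipconfig, settingsynchost, tracelog) executing from somewhere other than the Windows directory, and rundll32.exe invoked with ctor.dll,LaunchSetup. The script below is an added example written for this page, not code from the original post; it assumes Sysmon-style process-creation fields (Image, CommandLine), assumes Windows is installed at %SystemRoot% (defaulting to C:\Windows), and runs over a constructed set of sample events plus a constructed %TEMP% listing. It also includes a hunt for files already planted in %TEMP% that would shadow the helpers RoamDiag.cmd calls by bare name.

```python
import os
import re

# Helpers that the extracted RoamDiag.cmd calls by bare name, per the post above.
HIJACKABLE_STEMS = {"wevtutil", "makecab", "reg", "ipconfig", "settingsynchost", "tracelog"}
# Extensions cmd.exe resolves when a bare name is executed (subset of the default PATHEXT).
PATHEXT_SUBSET = {".exe", ".com", ".bat", ".cmd"}
# Assumption: Windows lives at %SystemRoot%, C:\Windows when the variable is absent.
WINDIR = os.environ.get("SystemRoot", r"C:\Windows")

# rundll32 <path>\ctor.dll, LaunchSetup <program>  (spacing and case vary in practice)
_CTOR_LAUNCHSETUP = re.compile(r"ctor\.dll\s*,\s*launchsetup\b", re.IGNORECASE)


def _norm(path):
    """Lower-case a Windows path and use forward slashes so os.path works on any OS."""
    return path.replace("\\", "/").lower()


def _stem_ext(path):
    """Return (name without extension, extension) of the last path component."""
    return os.path.splitext(os.path.basename(_norm(path)))


def classify_event(event):
    """Return the detection tags that apply to one process-creation event.

    `event` is a dict with Sysmon-style keys Image and CommandLine.
    """
    tags = []
    image = event.get("Image", "")
    cmdline = event.get("CommandLine", "")
    stem, _ = _stem_ext(image)

    # 1. The trigger: SettingSyncHost.exe asked to run its embedded diag script.
    #    -LoadAndRunDiagScript and -LoadAndRunDiagScriptNoCab share this prefix.
    if stem == "settingsynchost" and "-loadandrundiagscript" in cmdline.lower():
        tags.append("settingsynchost_diagscript")

    # 2. The hijack: a helper the script calls by bare name is running from
    #    outside the Windows directory (e.g. a planted %TEMP%\makecab.exe).
    if stem in HIJACKABLE_STEMS and not _norm(image).startswith(_norm(WINDIR) + "/"):
        tags.append("hijackable_name_outside_windir")

    # 3. ctor.dll abuse: rundll32 calling the LaunchSetup export.
    if stem == "rundll32" and _CTOR_LAUNCHSETUP.search(cmdline):
        tags.append("rundll32_ctor_launchsetup")

    return tags


def scan_events(events):
    """Return [(index, tags), ...] for every event that matched at least one rule."""
    hits = []
    for i, event in enumerate(events):
        tags = classify_event(event)
        if tags:
            hits.append((i, tags))
    return hits


def find_planted_files(filenames):
    """Given a %TEMP% listing, return names that would shadow a helper called by
    RoamDiag.cmd: matching stem plus an extension cmd.exe would actually execute."""
    return [name for name in filenames
            if _stem_ext(name)[0] in HIJACKABLE_STEMS and _stem_ext(name)[1] in PATHEXT_SUBSET]


def scan_temp_dir(temp_dir=None):
    """Live check of the local %TEMP%; returns [] when the directory is unavailable."""
    temp_dir = temp_dir or os.environ.get("TEMP")
    if not temp_dir or not os.path.isdir(temp_dir):
        return []
    return find_planted_files(os.listdir(temp_dir))


# Constructed sample events (not real telemetry) exercising each rule once,
# with a benign makecab and a benign rundll32 call as negatives.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\SettingSyncHost.exe",
     "CommandLine": r"c:\windows\system32\SettingSyncHost.exe -LoadAndRunDiagScript foo"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\makecab.exe",   # planted helper
     "CommandLine": "makecab /f roam.ddf"},
    {"Image": r"C:\Windows\System32\makecab.exe",                 # the real helper
     "CommandLine": "makecab /f roam.ddf"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"RunDll32.exe c:\test\ctor.dll, LaunchSetup c:\test\tool.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",                # ordinary rundll32 use
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
]

# Constructed %TEMP% listing: three entries would shadow a helper, the rest would not.
SAMPLE_TEMP_LISTING = ["RoamDiag.cmd", "makecab.exe", "Reg.cmd", "wevtutil",
                       "ipconfig.txt", "notes.docx", "SettingSyncHost.exe"]

if __name__ == "__main__":
    for index, tags in scan_events(SAMPLE_EVENTS):
        print(f"event {index}: {', '.join(tags)}")
    print("planted in sample listing:", find_planted_files(SAMPLE_TEMP_LISTING))
    print("planted in local %TEMP%:", scan_temp_dir())
```

Rule 2 deliberately ignores the parent process: the helpers are spawned by the cmd.exe that interprets RoamDiag.cmd, so a parent-only field never shows SettingSyncHost.exe, and any system-binary name executing from outside %SystemRoot% is suspicious regardless of who launched it. The file hunt requires an executable extension because a bare file such as "wevtutil" with no extension is never resolved by cmd.exe and cannot act as a shadow.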