Stay positive Lolbins… not!

Update

After I posted this, a number of comments on Twitter followed; there was an interesting development from @sixtyvividtails:

Old Post

This is a quick bit on how to increase the number of available lolbins without much effort.

Well, we will just play with the syntax a bit 🙂

Many Lolbins rely on using rundll32.exe to launch functions from the susceptible libraries. A bit that is often forgotten is the fact that APIs can be called not only by their names, but also by their ordinal numbers.

As such, a very well-known lolbin:

  • rundll32 advpack.dll, RegisterOCX calc.exe

(which in turn loads advpack.dll, resolves its RegisterOCXW function and calls it with a ‘calc.exe’ argument) can take the form of:

  • rundll32 advpack.dll, #12 calc.exe

I checked on Windows XP, Windows 7, and Windows 10 and the ordinal is always the same. Using the same approach one can find similar syntax for other lolbins. Simple, but possibly evasive.

Oh wait… but this is not the end.

Rundll32 takes ordinal numbers using the following syntax:

#<number>

The <number> is converted from a string to an integer using the wtoi function. This API in turn accepts both positive and negative numbers.

Aha…

Knowing how positive and negative numbers are represented in memory, we can easily come up with a negative number that will be converted by wtoi to… a positive 12:

Try this:

  • rundll32 advpack.dll, #-4294967284 calc.exe

Btw. if you are wondering, the ‘+’ prefix works too:

  • rundll32 advpack.dll, #+12 calc.exe

After playing with it a bit more, you can also append additional characters after the digits, e.g.:

  • rundll32 advpack.dll, #-4294967284-foobar calc.exe

And yes, there is one moar… for 64-bit rundll32 you can run:

  • rundll32 advpack.dll, #-1152921504606846964 calc.exe
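From the detection side, the lesson of the variants above is that matching on the literal string `#12` is not enough: the spelling can be changed freely while the resolved ordinal stays the same. The following Python snippet is an added example (not code from the original post) that normalises rundll32 command lines the way the post describes wtoi behaving: optional sign, digits up to the first non-digit, and a 32-bit two's-complement wrap (the wrap width is an assumption taken from the -4294967284 → 12 behaviour shown above). It also flags any ordinal that is not written in the plain `#<1..65535>` form, since the unusual spelling is itself the thing worth alerting on. The command-line parsing is deliberately simple (DLL token followed by the entry-point token) and the sample command lines are constructed here, not taken from real telemetry.

```python
import re

# Constructed sample command lines (not from the post's telemetry); the
# spellings mirror the rundll32 variants discussed in the post.
SAMPLE_CMDLINES = [
    "rundll32 advpack.dll, RegisterOCX calc.exe",
    "rundll32 advpack.dll, #12 calc.exe",
    "rundll32 advpack.dll, #+12 calc.exe",
    "rundll32 advpack.dll, #-4294967284 calc.exe",
    "rundll32 advpack.dll, #-4294967284-foobar calc.exe",
    "rundll32 advpack.dll, #-1152921504606846964 calc.exe",
]

# wtoi-style parse: skip leading whitespace, optional sign, then digits.
# Conversion stops at the first non-digit, so trailing text is ignored.
_WTOI_RE = re.compile(r"\s*([+-]?)(\d+)")


def wtoi_emulate(text: str) -> int:
    """Emulate wtoi: return 0 when no digits are found, else the signed value."""
    m = _WTOI_RE.match(text)
    if not m:
        return 0
    sign, digits = m.groups()
    value = int(digits)
    return -value if sign == "-" else value


def effective_ordinal(token: str) -> int:
    """Resolve a '#...' entry-point token to the ordinal rundll32 ends up using.

    Assumption: the parsed value wraps like a 32-bit two's-complement integer,
    which is the behaviour the -4294967284 -> 12 example relies on.
    """
    return wtoi_emulate(token[1:]) % (1 << 32)


# Canonical spelling: '#' followed by 1..65535 with no sign, leading zeros
# or trailing characters.
_CANONICAL_RE = re.compile(r"#[1-9]\d{0,4}")


def is_canonical_ordinal(token: str) -> bool:
    return _CANONICAL_RE.fullmatch(token) is not None and int(token[1:]) <= 0xFFFF


# Simplified rundll32 grammar: the entry point is the token after the DLL
# name, separated from it by a comma and/or whitespace.
_ENTRY_RE = re.compile(
    r"rundll32(?:\.exe)?\s+(?:\"[^\"]*\"|\S+?)(?:,|\s)\s*(\S+)", re.IGNORECASE
)


def analyse_rundll32(cmdline: str) -> dict:
    """Classify one rundll32 command line.

    Returns the entry-point token, the effective ordinal (None when the
    entry point is a named export) and whether the spelling is canonical.
    """
    m = _ENTRY_RE.search(cmdline)
    entry = m.group(1) if m else None
    if entry is None or not entry.startswith("#"):
        return {"entry": entry, "ordinal": None, "canonical": None}
    return {
        "entry": entry,
        "ordinal": effective_ordinal(entry),
        "canonical": is_canonical_ordinal(entry),
    }


def flag_obfuscated_ordinals(cmdlines):
    """Return (cmdline, resolved ordinal) for every non-canonical ordinal spelling."""
    hits = []
    for cmdline in cmdlines:
        result = analyse_rundll32(cmdline)
        if result["ordinal"] is not None and not result["canonical"]:
            hits.append((cmdline, result["ordinal"]))
    return hits


if __name__ == "__main__":
    for cmdline in SAMPLE_CMDLINES:
        print(analyse_rundll32(cmdline))
    for cmdline, ordinal in flag_obfuscated_ordinals(SAMPLE_CMDLINES):
        print(f"non-canonical ordinal spelling -> #{ordinal}: {cmdline}")
```

Every one of the five `#`-spellings above resolves to ordinal 12, and the four non-canonical ones are reported. A rule built on `effective_ordinal` can then be keyed on the DLL plus the resolved ordinal (advpack.dll, 12) rather than on the text of the argument, and the canonical-spelling check catches new encodings without a signature for each.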

Happy hunting!

SettingSyncHost.exe as a LolBin

This native OS binary has two interesting options:

  • -LoadAndRunDiagScript <name>
  • -LoadAndRunDiagScriptNoCab <name>

When executed with either of these options, it extracts the .bat file stored inside its resources, saves it as %TEMP%\RoamDiag.cmd, and then executes it.

There are at least two ways we can exploit it.

We can create our own %TEMP%\RoamDiag.cmd and make SettingSyncHost.exe execute it, but there is a caveat. The .cmd file is always deleted, and issues with that will stop the program from working. Still, we could try a race-condition approach, i.e. run SettingSyncHost.exe with the parameters specified while at the same time running a batch file that overwrites %TEMP%\RoamDiag.cmd with content of our choice in a never-ending loop. This could work, but I have not tested it.

Why?

Because there is an easier way. The batch file extracted from the resources of SettingSyncHost.exe and saved as %TEMP%\RoamDiag.cmd executes a number of OS programs, including:

  • wevtutil
  • makecab
  • reg
  • ipconfig
  • settingsynchost.exe
  • tracelog

These programs are executed without specifying a full path and, in most cases, without even a file extension. So… we can literally create malicious files named like any of these 6, drop them inside the %TEMP% directory (including settingsynchost.exe!) and launch them using the following syntax:

cd %TEMP% & c:\windows\system32\SettingSyncHost.exe -LoadAndRunDiagScript foo
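For defenders, the behaviour described above gives two concrete checks: process-creation telemetry where SettingSyncHost.exe is the parent and one of the six unqualified names is launched from somewhere other than a system directory, and an audit of a user-writable directory for files that would shadow those names. The Python below is an added example (not code from the original post or from Windows) that applies both checks to constructed sample events and filenames. The trusted-directory list, the set of executable extensions, and the shape of the event records are assumptions that should be matched to the telemetry source in use.

```python
import ntpath

# Programs the extracted RoamDiag.cmd invokes without a full path (from the post).
ROAMDIAG_CHILDREN = {"wevtutil", "makecab", "reg", "ipconfig", "settingsynchost", "tracelog"}

# Assumption: the directories these children should legitimately load from.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Assumption: a PATHEXT subset covering files cmd.exe would execute by bare name.
EXEC_EXTS = {".exe", ".com", ".bat", ".cmd"}

# Constructed process-creation events (not real telemetry): parent image,
# child image and child command line.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\SettingSyncHost.exe",
     "image": r"C:\Windows\System32\wevtutil.exe",
     "cmdline": "wevtutil el"},
    {"parent": r"C:\Windows\System32\SettingSyncHost.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\makecab.exe",
     "cmdline": "makecab"},
    {"parent": r"C:\Windows\System32\SettingSyncHost.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\settingsynchost.exe",
     "cmdline": "settingsynchost.exe"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\SettingSyncHost.exe",
     "cmdline": r"c:\windows\system32\SettingSyncHost.exe -LoadAndRunDiagScript foo"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\ipconfig.exe",
     "cmdline": "ipconfig /all"},
]

# Constructed directory listing of a %TEMP% folder (not from a real host).
SAMPLE_TEMP_LISTING = ["RoamDiag.cmd", "makecab.exe", "reg.bat", "notes.txt", "tracelog.dll"]


def _stem(path: str) -> str:
    """Lower-cased file name without directory or extension ('C:\\x\\Reg.exe' -> 'reg')."""
    return ntpath.splitext(ntpath.basename(path))[0].lower()


def _in_trusted_dir(path: str) -> bool:
    return ntpath.dirname(path).lower() in TRUSTED_DIRS


def classify_event(ev: dict):
    """Return a finding string for one process-creation event, or None if it looks benign."""
    parent_is_ssh = _stem(ev["parent"]) == "settingsynchost"
    child = _stem(ev["image"])
    # Check 1: a RoamDiag.cmd child resolved outside a system directory, i.e. the
    # unqualified name was satisfied from the working directory instead of System32.
    if parent_is_ssh and child in ROAMDIAG_CHILDREN and not _in_trusted_dir(ev["image"]):
        return f"hijack: {ev['image']} launched by SettingSyncHost outside a system directory"
    # Check 2: the diag-script switch itself is rare enough to review on its own;
    # the substring also covers the -LoadAndRunDiagScriptNoCab variant.
    if child == "settingsynchost" and "-loadandrundiagscript" in ev["cmdline"].lower():
        return "diag-script: SettingSyncHost run with -LoadAndRunDiagScript; review %TEMP% for planted binaries"
    return None


def find_hijacks(events):
    """Return (event, finding) pairs for every event that produced a finding."""
    findings = []
    for ev in events:
        finding = classify_event(ev)
        if finding is not None:
            findings.append((ev, finding))
    return findings


def planted_candidates(filenames):
    """File names in a writable directory that would shadow one of the unqualified names."""
    return sorted(
        name for name in filenames
        if _stem(name) in ROAMDIAG_CHILDREN and ntpath.splitext(name)[1].lower() in EXEC_EXTS
    )


if __name__ == "__main__":
    for ev, finding in find_hijacks(SAMPLE_EVENTS):
        print(finding)
    print("planted candidates:", planted_candidates(SAMPLE_TEMP_LISTING))
```

On the sample data the wevtutil launch from System32 passes, the makecab.exe and settingsynchost.exe children loaded from the Temp folder are reported as hijacks, the explorer-launched SettingSyncHost.exe with the diag switch is reported for review, and the directory audit names makecab.exe and reg.bat (tracelog.dll is ignored because a .dll is not what a bare `tracelog` would resolve to).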