Yet another secret of hosts file

In an old post I mentioned the not very well known hosts.ics file. Today I cover one more secret that I stumbled upon while digging inside DNS API internals.

Turns out that dnsapi.dll and dnsrslvr.dll use an internal function called Util_IsRunningOnXboxOne to determine if the DLL is loaded on an XBOX system. If it is, the path to the hosts and hosts.ics files is not resolved relative to the path retrieved via the GetSystemDirectory API, but from the hard-coded XBOX path below:

s:\windows\system32

So, in theory, if you patch the Util_IsRunningOnXboxOne function to return 1 (XBOX), you should be able to redirect local DNS requests via hosts(.ics) files to the following paths, respectively:

s:\windows\system32\drivers\etc\hosts
s:\windows\system32\drivers\etc\hosts.ics

Last, but not least – in case you don’t know, the hosts files can be saved using UTF-8, UTF-16LE, or UTF-16BE encoding (the BOM is checked).
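An added example (not from the original post): a BOM-aware reader for hosts and hosts.ics content, showing why an audit that searches the raw bytes misses entries stored as UTF-16. The sample bytes, the watched hostname and the handling of files without a BOM are assumptions made for the illustration.

```python
import codecs

# BOMs for the three encodings the post names, mapped to Python codec names.
BOMS = [
    (codecs.BOM_UTF8, "utf-8"),
    (codecs.BOM_UTF16_LE, "utf-16-le"),
    (codecs.BOM_UTF16_BE, "utf-16-be"),
]

def decode_hosts(raw: bytes):
    """Return (encoding, text), choosing the codec from the BOM."""
    for bom, name in BOMS:
        if raw.startswith(bom):
            return name, raw[len(bom):].decode(name, errors="replace")
    # Assumption: a file without a BOM is read as single-byte text.
    return "no-bom", raw.decode("latin-1")

def parse_entries(text: str):
    """Yield (address, hostname) pairs, ignoring comments and blank lines."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            yield fields[0], name.lower()

def audit(raw: bytes, watched):
    """Report the encoding and any entries that remap a watched hostname."""
    encoding, text = decode_hosts(raw)
    hits = [(ip, h) for ip, h in parse_entries(text) if h in watched]
    return encoding, hits

# Constructed sample: the same entry stored in each of the three encodings.
LINE = "# constructed sample\r\n203.0.113.10 updates.example.test\r\n"
SAMPLES = {
    "utf-8": codecs.BOM_UTF8 + LINE.encode("utf-8"),
    "utf-16-le": codecs.BOM_UTF16_LE + LINE.encode("utf-16-le"),
    "utf-16-be": codecs.BOM_UTF16_BE + LINE.encode("utf-16-be"),
}
WATCHED = {"updates.example.test"}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        naive = b"updates.example.test" in raw  # byte-level search, grep-style
        print(label, "naive match:", naive, "audit:", audit(raw, WATCHED))
```

To audit a live system, pass the bytes of both drivers\etc\hosts and drivers\etc\hosts.ics to `audit`.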

Misre-presentation host

PresentationHost.exe is a known LOLBIN, so I approached it with caution.

To my surprise, I discovered that it accepts a number of command line arguments:

  • Embedding – running as a server (?)
  • Debug – enables debugging (see next point)
  • DebugSecurityZoneURL – specifies XBAP URL used for debugging as per this old article
  • Event – ?
  • LaunchApplication – launch ClickOnce application
  • RegServer – registers server
  • UnregServer – unregisters server

Apart from DebugSecurityZoneURL, which may be useful in some scenarios, my attention focused on LaunchApplication. Not because it can launch a ClickOnce application, but because it… launches iexplore.exe if it cannot find anything to launch.

And as it turns out, it relies on an environment variable value while resolving the path to iexplore.exe. In certain configurations (32-bit presentationhost.exe executed in a 64-bit environment) it allows us to launch an application of our choice. That is, a new lolbin is born.

If we fake the value of ProgramW6432

set ProgramW6432=c:\test

and then launch

c:\windows\syswow64\PresentationHost.exe foo

it will attempt to launch Internet Explorer\IEXPLORE.EXE from the folder ProgramW6432 refers to, e.g. c:\test\Internet Explorer\IEXPLORE.EXE.

As a side note, I am providing a copy of the article I referred to just in case it disappears from web. archive.org: