{"id":10271,"date":"2025-12-06T09:46:26","date_gmt":"2025-12-06T09:46:26","guid":{"rendered":"https:\/\/www.hexacorn.com\/blog\/?p=10271"},"modified":"2025-12-07T00:01:27","modified_gmt":"2025-12-07T00:01:27","slug":"1-little-secret-of-cliconfg-dll","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2025\/12\/06\/1-little-secret-of-cliconfg-dll\/","title":{"rendered":"1 little secret of cliconfg.dll"},
"content":{"rendered":"\n<p>Most of my favorite sideloading techniques rely on old and rather obscure localisation\/test features embedded in various programming frameworks.<\/p>\n\n\n\n<p>This post touches on yet another one of these.<\/p>\n\n\n\n<p>When you launch this function:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">rundll32 cliconfg.dll, OnInitDialogMain<\/pre>\n\n\n\n<p>the DllMain of this DLL will try to find the following localisation RLL files (1024 is the neutral, user-default language ID; 1033 is en-US):<\/p>\n\n\n\n<ul>\n<li>C:\\WINDOWS\\system32\\Resources\\1024\\cliconfg.RLL<\/li>\n\n\n\n<li>C:\\WINDOWS\\system32\\Resources\\1033\\cliconfg.RLL<\/li>\n<\/ul>\n\n\n\n<p>What is surprising, though, is that these files are loaded via a regular <em>LoadLibrary<\/em> call, not via <em>LoadLibraryEx<\/em> with <em>LOAD_LIBRARY_AS_DATAFILE<\/em> (which would map a resource-only module without running its entry point). That obviously leads to code execution: the RLL's own DllMain runs as soon as it is mapped&#8230;<\/p>\n\n\n\n<p>So, placing your payload in either of these two RLL files and executing any of the APIs exported by <em>cliconfg.dll<\/em> will lead to loading and execution of that payload. And if you know how <em>rundll32.exe<\/em> works, and paid attention to the bit about DllMain being responsible for loading these localisation libraries, you know that we can specify any API name or ordinal number and still get the payload executed: rundll32 loads the DLL as a normal module (running its DllMain, and with it the RLL loading) before it resolves the requested export with <em>GetProcAddress<\/em>, so a bogus name or ordinal only fails after the payload has already run. As such, as long as our RLL files are in place, any of the below invocations will load the payload:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">rundll32 cliconfg.dll, foo\nrundll32 cliconfg.dll, bar\nrundll32 cliconfg.dll, #1\nrundll32 cliconfg.dll, #3948794357847857<\/pre>\n","protected":false},
"excerpt":{"rendered":"<p>Most of my favorite sideloading techniques rely on old and rather obscure localisation\/test features embedded in various programming frameworks. This post touches on yet another one of these. When you launch this function: rundll32 cliconfg.dll, OnInitDialogMain the DllMain of &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2025\/12\/06\/1-little-secret-of-cliconfg-dll\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},
"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[126,131,61],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/10271"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=10271"}],"version-history":[{"count":1,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/10271\/revisions"}],"predecessor-version":[{"id":10272,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/10271\/revisions\/10272"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=10271"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=10271"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=10271"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
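The defender's side of the technique described in the post, as an added example that is not part of the original post or of any Hexacorn tooling: a PowerShell audit that inspects the two localisation paths cliconfg.dll's DllMain probes (the 1024 and 1033 `cliconfg.RLL` locations listed above), reports whether anything is sitting there and whether it carries a valid signature, and optionally hunts Sysmon image-load telemetry for an RLL being mapped from those directories. Assumptions not stated by the post: the paths resolve under `$env:SystemRoot\System32`, a legitimate file there would be Microsoft-signed (adjust to your own baseline), and Sysmon, if installed, logs Event ID 7 to its default `Microsoft-Windows-Sysmon/Operational` channel; the function names are mine.

```powershell
# Added example, not code from the original post. Audits the two cliconfg.RLL
# probe paths and, where Sysmon is present, looks for image loads of them.
# Assumptions: paths under $env:SystemRoot\System32; a legitimate file would be
# Microsoft-signed; Sysmon (if any) logs to its default channel.

$Lcids = 1024, 1033   # LCIDs named in the post: neutral/user default, en-US

function Get-CliconfgRllFindings {
    foreach ($lcid in $Lcids) {
        $path = Join-Path $env:SystemRoot "System32\Resources\$lcid\cliconfg.RLL"
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
            [pscustomobject]@{
                Path = $path; Present = $false; Signature = $null
                Signer = $null; SHA256 = $null
                Verdict = 'absent: nothing for the DllMain probe to load'
            }
            continue
        }
        $sig     = Get-AuthenticodeSignature -LiteralPath $path
        $hash    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        # Whatever lives here gets LoadLibrary'd, i.e. its DllMain runs, so an
        # unsigned or non-Microsoft file is a sideload candidate (assumed baseline).
        $verdict = if ($sig.Status -eq 'Valid' -and $subject -like '*Microsoft*') {
            'present and Microsoft-signed: still confirm against a known-good hash'
        } else {
            'SUSPICIOUS: unsigned or non-Microsoft file in a LoadLibrary probe path'
        }
        [pscustomobject]@{
            Path = $path; Present = $true; Signature = $sig.Status
            Signer = $subject; SHA256 = $hash; Verdict = $verdict
        }
    }
}

function Get-CliconfgRllImageLoads {
    param([int]$MaxEvents = 5000)
    # Sysmon Event ID 7 (Image loaded). A .RLL mapped as an image out of one of
    # the probe directories is exactly the behaviour the post describes; the
    # loading process need not be rundll32.exe, so no filter on Image.
    $pattern = 'ImageLoaded:\s+\S+\\Resources\\(1024|1033)\\cliconfg\.RLL'
    try {
        Get-WinEvent -FilterHashtable @{
            LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 7
        } -MaxEvents $MaxEvents -ErrorAction Stop |
            Where-Object { $_.Message -match $pattern } |
            ForEach-Object {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    Process     = [regex]::Match($_.Message, 'Image:\s+(.+)').Groups[1].Value.Trim()
                    ImageLoaded = [regex]::Match($_.Message, 'ImageLoaded:\s+(.+)').Groups[1].Value.Trim()
                    Signed      = [regex]::Match($_.Message, 'Signed:\s+(\S+)').Groups[1].Value
                }
            }
    } catch {
        if ($_.Exception.Message -match 'No events were found') { return }
        Write-Warning "Sysmon channel not readable ($($_.Exception.Message)); skipping image-load hunt."
    }
}

Get-CliconfgRllFindings   | Format-Table -AutoSize
Get-CliconfgRllImageLoads | Format-Table -AutoSize
```

Run it elevated so the Sysmon channel is readable. The file check is the cheap, telemetry-free part: on a box where neither RLL exists, the probe has nothing to load and the rundll32 invocations from the post simply fail at the export lookup; the moment a file appears in either directory, its signature and hash are what you want in a ticket. The Sysmon query is the retrospective view, since the `rundll32 cliconfg.dll, <anything>` command line on its own looks like a benign tool run.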