{"id":4816,"date":"2018-04-24T22:13:18","date_gmt":"2018-04-24T22:13:18","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=4816"},"modified":"2018-04-24T22:13:18","modified_gmt":"2018-04-24T22:13:18","slug":"extexport-yet-another-lolbin","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2018\/04\/24\/extexport-yet-another-lolbin\/","title":{"rendered":"ExtExport &#8211; yet another LOLBin"},"content":{"rendered":"<p>This is a quick &amp; dirty recipe for loading a DLL of your choice using a built-in tool, ExtExport.exe, that can be found inside the Internet Explorer directory:<\/p>\n<p><strong>Method #1<\/strong><\/p>\n<ul>\n<li>Drop a file named like one of these:\n<ul>\n<li>mozcrt19.dll<\/li>\n<li>mozsqlite3.dll<\/li>\n<li>sqlite3.dll<br \/>\ninside the c:\\test folder<\/li>\n<\/ul>\n<\/li>\n<li>Now run:\n<ul>\n<li>&#8220;C:\\Program Files\\Internet Explorer\\ExtExport.exe&#8221; c:\\test foo bar<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>This will load one (or all) of these DLLs.<\/p>\n<p><strong>Method #2<\/strong><\/p>\n<p>The tool has more arbitrary DLL loading possibilities that allow specifying the name of the library directly on the command line.<\/p>\n<p>This method requires providing more arguments, e.g.:<\/p>\n<ul>\n<li>ExtExport.exe c:\\Test\\test.dll 2 3 4 FIREFOX {00000000-0000-0000-0000-000000000000}<\/li>\n<\/ul>\n<p>I have not explored what the other arguments mean, but you can swap them with whatever you want to evade static detection; what matters is that the first argument must be the name of the DLL we want to load and the last argument must be a valid GUID in the form shown in the syntax above (accepted by the IIDFromString function).<\/p>\n<p><strong>Method #3<\/strong><\/p>\n<p>It&#8217;s actually a variant of Method #2 &#8211; we just need to swap &#8216;FIREFOX&#8217; with &#8216;360SE&#8217;:<\/p>\n<ul>\n<li>ExtExport.exe c:\\Test\\test.dll 2 3 4 360SE {00000000-0000-0000-0000-000000000000}<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>This is a quick &amp; dirty recipe for loading a DLL of your choice using a built-in tool, ExtExport.exe, that can be found inside the Internet Explorer directory: Method #1 Drop a file named like one of these: mozcrt19.dll &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2018\/04\/24\/extexport-yet-another-lolbin\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[56,64],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/4816"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=4816"}],"version-history":[{"count":2,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/4816\/revisions"}],"predecessor-version":[{"id":4823,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/4816\/revisions\/4823"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=4816"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=4816"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=4816"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}