{"id":5270,"date":"2018-08-17T21:59:58","date_gmt":"2018-08-17T21:59:58","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=5270"},"modified":"2018-08-17T21:59:58","modified_gmt":"2018-08-17T21:59:58","slug":"a-few-more-lolbins","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2018\/08\/17\/a-few-more-lolbins\/","title":{"rendered":"A few more LOLBins&#8230;"},"content":{"rendered":"<p>There are a few more quick wins for loading DLLs using native .exe files from Windows 10&#8230; courtesy of good ol&#8217; LoadLibraryA, e.g.:<\/p>\n<ul>\n<li>fixmapi.exe\n<ul>\n<li>Copy c:\\WINDOWS\\System32\\fixmapi.exe to your folder<\/li>\n<li>Drop malicious mapistub.dll there<\/li>\n<li>Run fixmapi.exe<\/li>\n<\/ul>\n<\/li>\n<li>mshta.exe\n<ul>\n<li>Copy c:\\WINDOWS\\System32\\mshta.exe to your folder<\/li>\n<li>Drop malicious WLDP.DLL there<\/li>\n<li>Run mshta.exe<\/li>\n<\/ul>\n<\/li>\n<li>mshta.exe\n<ul>\n<li>Temporarily change HKCR\\clsid\\<br \/>\n{25336920-03f9-11cf-8fd0-00aa00686f13}\\InProcServer32<br \/>\nto point to the malicious DLL<\/li>\n<li>Run mshta.exe<\/li>\n<li>Restore the Registry entry<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>This is obviously not the end.<\/p>\n<p>There are so many possibilities that it gets really boring to enumerate all this stuff:<\/p>\n<ul>\n<li>Apart from LoadLibraryA, there is LoadLibraryW, which is very prevalent.<\/li>\n<li>There are cases of LoadLibraryExA and LoadLibraryExW that still use parameters that allow abuse.<\/li>\n<li>There are also functions that allow environment variables to resolve paths for the libraries they load &#8211; a bad choice.<\/li>\n<li>Pretty much every single .exe that depends on statically linked DLLs that are not on the KnownDLLs list may be used as a lolbin, e.g.\n<ul>\n<li>certutil.exe relies on certcli.dll\n<ul>\n<li>certcli.dll in turn relies on certca.dll<br \/>\nso you can just produce DLLs that include all the exported functions like the original ones and let certutil.exe load them.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>And there are non-OS binaries that are highly prevalent in various environments and offer lots of opportunities for side-loading or proxy execution.<\/li>\n<\/ul>\n<p>The possibilities are almost endless. Unless I find something really new\/cool I won&#8217;t be posting about Lolbins anymore, as at this stage I am bored with it \ud83d\ude42<\/p>\n","protected":false},"excerpt":{"rendered":"<p>There are a few more quick wins for loading DLLs using native .exe files from Windows 10&#8230; courtesy of good ol&#8217; LoadLibraryA e.g.: fixmapi.exe Copy c:\\WINDOWS\\System32\\fixmapi.exe to your folder Drop malicious mapistub.dll there Run fixmapi.exe mshta.exe Copy c:\\WINDOWS\\System32\\mshta.exe to your &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2018\/08\/17\/a-few-more-lolbins\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[56,64],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/5270"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=5270"}],"version-history":[{"count":2,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/5270\/revisions"}],"predecessor-version":[{"id":5273,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/5270\/revisions\/5273"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=5270"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=5270"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=5270"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}