When executed with these options, it will extract the .bat file stored inside its resources, save it as %TEMP%\\RoamDiag.cmd, and then it will execute it.<\/p>\n\n\n\n
There are at least two ways we can exploit it.<\/p>\n\n\n\n
We can create our own %TEMP%\\RoamDiag.cmd and make the SettingSyncHost.exe execute it, but there is a caveat. The .cmd file is always deleted and issues with that will stop program from working. Still, we could try a race condition approach i.e. run SettingSyncHost.exe with the parameters specified while at the same time we could run a batch file that overwrites %TEMP%\\RoamDiag.cmd with a content of our choice in a never ending loop. This could work, but I have not tested it.<\/p>\n\n\n\n
Why?<\/p>\n\n\n\n
Because there is an easier way. The batch file extracted from resources of SettingSyncHost.exe and saved as %TEMP%\\RoamDiag.cmd executes a number of OS programs including:<\/p>\n\n\n\n
- wevtutil<\/li>
- makecab<\/li>
- reg<\/li>
- ipconfig<\/li>
- settingsynchost.exe<\/li>
- tracelog<\/li><\/ul>\n\n\n\n
These programs are executed w\/o specifying a full path, and in most of cases – not even file extensions. So… we can literally create a malicious file named like any of these 6, drop them inside the %TEMP% directory (including settingsynchost.exe !) and launch them using the following syntax:<\/p>\n\n\n\n
cd %TEMP% & c:\\windows\\system32\\SettingSyncHost.exe -LoadAndRunDiagScript foo<\/p>\n\n\n\n
![\"\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2020\/02\/SettingSyncHost-1.gif\")
<\/a><\/figure><\/div>\n","protected":false},"excerpt":{"rendered":"This native OS binary has two interesting options: -LoadAndRunDiagScript <name> -LoadAndRunDiagScriptNoCab <name> When executed with these options, it will extract the .bat file stored inside its resources, save it as %TEMP%\\RoamDiag.cmd, and then it will execute it. There are at … Continue reading