{"id":7684,"date":"2021-02-05T23:41:33","date_gmt":"2021-02-05T23:41:33","guid":{"rendered":"https:\/\/www.hexacorn.com\/blog\/?p=7684"},"modified":"2021-02-06T10:23:50","modified_gmt":"2021-02-06T10:23:50","slug":"desperate-downloader-lolbin","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2021\/02\/05\/desperate-downloader-lolbin\/","title":{"rendered":"Desperate downloader lolbin"},"content":{"rendered":"\n

I was toying around with the Office application MSOXMLED.EXE and noticed it handles URLs. Thanks to that it can be used to download file to internet cache folder as shown below:<\/p>\n\n\n\n

\"\"<\/a><\/figure>\n\n\n\n

There are at least two different ways to invoke it:<\/p>\n\n\n\n

MSOXMLED.EXE \/verb open [URL]
MSOXMLED.EXE \/verb [anything] \/genverb open [URL]<\/pre>\n\n\n\n
and the file is being downloaded to the InetCache folder:<\/p>\n\n\n\n
c:\\Users\\[user]\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Low\\IE\\[random]\\[file]<\/pre>\n\n\n\n
The caveat is that it seems to be using Internet Explorer as a proxy, hence the iexplore.exe will be spawn. As such it doesn’t work on systems where IE is removed (thx to @NathanMcNulty<\/a> for confirming this and reminding me about two different paths below).<\/p>\n\n\n\n
The actual MSOXMLED.EXE binary is located in these two places (64- and 32-bit version):<\/p>\n\n\n\n