{"id":7696,"date":"2021-02-08T23:34:12","date_gmt":"2021-02-08T23:34:12","guid":{"rendered":"https:\/\/www.hexacorn.com\/blog\/?p=7696"},"modified":"2021-02-08T23:34:12","modified_gmt":"2021-02-08T23:34:12","slug":"misre-presentation-host","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2021\/02\/08\/misre-presentation-host\/","title":{"rendered":"Misre-presentation host"},"content":{"rendered":"\n<p>PresentationHost.exe is a <a href=\"https:\/\/lolbas-project.github.io\/lolbas\/Binaries\/Presentationhost\/\">known<\/a> LOLBIN, so I approached it with caution.<\/p>\n\n\n\n<p>To my surprise, I discovered that it accepts a number of command line arguments:<\/p>\n\n\n\n<ul><li>Embedding &#8211; running as a server (?)<\/li><li>Debug &#8211; enables debugging (see next point)<\/li><li>DebugSecurityZoneURL &#8211; specifies the XBAP URL used for debugging as per this old <a href=\"http:\/\/o fake the XBAP URL by starting the XBAP application with PresentationHost.exe and supplying the XBAP URL\">article<\/a><\/li><li>Event &#8211; ?<\/li><li>LaunchApplication &#8211; launches a ClickOnce application<\/li><li>RegServer &#8211; registers server<\/li><li>UnregServer &#8211; unregisters server<\/li><\/ul>\n\n\n\n<p>Apart from <em>DebugSecurityZoneURL<\/em>, which may be useful in some scenarios, my attention focused on <em>LaunchApplication<\/em>. Not because it can launch a ClickOnce application, but because it&#8230; launches <em>iexplore.exe<\/em> if it cannot find anything to launch.<\/p>\n\n\n\n<p>And as it turns out, it relies on an environment variable value while resolving the path to <em>iexplore.exe<\/em>. In certain configurations (32-bit <em>presentationhost.exe<\/em> executed in a 64-bit environment) it allows us to launch an application of our choice. 
That is, a new lolbin is born.<\/p>\n\n\n\n<p>If we fake the value of ProgramW6432<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">set ProgramW6432=c:\\test<\/pre>\n\n\n\n<p>and then launch<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">c:\\windows\\syswow64\\PresentationHost.exe foo<\/pre>\n\n\n\n<p>it will attempt to launch <em>Internet Explorer\\IEXPLORE.EXE<\/em> from the folder <em>ProgramW6432<\/em> refers to, e.g. <em>c:\\test\\Internet Explorer\\IEXPLORE.EXE<\/em>:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"1024\" height=\"482\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2021\/02\/xbap_2-1024x482.gif\" alt=\"\" class=\"wp-image-7698\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2021\/02\/xbap_2-1024x482.gif 1024w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2021\/02\/xbap_2-300x141.gif 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2021\/02\/xbap_2-768x362.gif 768w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>As a side note, I am providing a copy of the article I referred to, just in case it disappears from web.archive.org:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"751\" height=\"669\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2021\/02\/xbap_1.png\" alt=\"\" class=\"wp-image-7697\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2021\/02\/xbap_1.png 751w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2021\/02\/xbap_1-300x267.png 300w\" sizes=\"(max-width: 751px) 100vw, 751px\" \/><\/figure>\n","protected":false},"excerpt":{"rendered":"<p>PresentationHost.exe is a known LOLBIN, so I approached it with caution. To my surprise, I discovered that it accepts a number of command line arguments: Embedding &#8211; running as a server (?) 
Debug &#8211; enables debugging (see next point) &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2021\/02\/08\/misre-presentation-host\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[56,64],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/7696"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=7696"}],"version-history":[{"count":1,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/7696\/revisions"}],"predecessor-version":[{"id":7699,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/7696\/revisions\/7699"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=7696"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=7696"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=7696"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}