Shopping for LOLbins
2021-06-11 07:13:59 Author: www.hexacorn.com(查看原文) 阅读量:165 收藏

June 10, 2021 in Archaeology, Living off the land, LOLBins

In this Twit that I posted a few weeks ago I demoed how to use older versions of Photoshop and Illustrator to execute calculator via their internal scripting engine that is accessible via COM from e.g. Visual Basic Script:

CreateObject("Photoshop.Application").DoJavaScript("File(""c:/windows/system32/calc.exe"").execute();")

or

CreateObject("Photoshop.Application").DoJavaScriptFile(JSPath)

where JSPath points to a JavaScript file with the following content:

File("c:/windows/system32/calc.exe").execute();

The “Photoshop.Application” object name (ProgID) can be replaced with “Illustrator.Application”, but the trick doesn’t work with “InDesign.Application” and “Soundbooth.Application”. And of course, you can use ProgID variants of the object names that are version-dependent e.g. “Photoshop.Application.<version>”.

One could potentially package some parts of Creative Suite, register appropriate Registry entries to ensure COM objects can be instantiated and potentially run the whole business logic from there (signed, trusted executables), but it would be cumbersome and it would quite easily detectable – all the processes would have the svchost.exe as a parent process and they use “/Automation” as their command line arguments.


文章来源: https://www.hexacorn.com/blog/2021/06/10/shopping-for-lolbins/
如有侵权请联系:admin#unsafe.sh