Shopping for LOLbins

2021-06-11 07:13:59 Author: www.hexacorn.com



In this tweet that I posted a few weeks ago, I demoed how to use older versions of Photoshop and Illustrator to execute calculator via their internal scripting engine, which is accessible via COM from, e.g., Visual Basic Script:

CreateObject("Photoshop.Application").DoJavaScript("File(""c:/windows/system32/calc.exe"").execute();")

or

CreateObject("Photoshop.Application").DoJavaScriptFile(JSPath)

where JSPath points to a JavaScript file with the following content:

File("c:/windows/system32/calc.exe").execute();

The “Photoshop.Application” object name (ProgID) can be replaced with “Illustrator.Application”, but the trick doesn’t work with “InDesign.Application” or “Soundbooth.Application”. And of course, you can use version-dependent ProgID variants of the object names, e.g. “Photoshop.Application.<version>”.

One could potentially package some parts of Creative Suite, create the appropriate Registry entries to ensure the COM objects can be instantiated, and potentially run the whole business logic from there (signed, trusted executables), but it would be cumbersome and it would be quite easily detectable: all the processes would have svchost.exe as their parent process, and they use “/Automation” as their command line argument.
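The two indicators named above (svchost.exe as parent, “/Automation” on the command line) expressed as detection logic over process-creation records; this is an added example, not code from the original post. The records are constructed, the field names follow Sysmon Event ID 1, the install path is hypothetical, and treating the launched program as a child of the automation instance is an assumption.

```python
import ntpath
import re

# "/Automation" as a stand-alone command-line argument (case-insensitive).
AUTOMATION_ARG = re.compile(r"(?:^|\s)/automation(?=\s|$)", re.IGNORECASE)

PS = r"C:\Program Files\Adobe\Photoshop\Photoshop.exe"  # hypothetical path
SVCHOST = r"C:\Windows\System32\svchost.exe"

# Constructed process-creation records, oldest first (not captured telemetry).
SAMPLE_EVENTS = [
    {"ProcessId": 4100, "ParentProcessId": 900, "Image": PS,
     "CommandLine": f'"{PS}" /Automation', "ParentImage": SVCHOST},
    {"ProcessId": 4188, "ParentProcessId": 4100,
     "Image": r"C:\Windows\System32\calc.exe",
     "CommandLine": r"c:\windows\system32\calc.exe", "ParentImage": PS},
    # Interactive start from Explorer: same binary, neither indicator.
    {"ProcessId": 5200, "ParentProcessId": 3000, "Image": PS,
     "CommandLine": f'"{PS}" "C:\\Users\\a\\automation notes.psd"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    # Another COM server under svchost.exe, but without "/Automation".
    {"ProcessId": 5300, "ParentProcessId": 900,
     "Image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"C:\Windows\System32\wbem\wmiprvse.exe -Embedding",
     "ParentImage": SVCHOST},
]


def is_com_automation_launch(event):
    """True when both indicators from the post are present on one record."""
    parent = ntpath.basename(event["ParentImage"]).lower()
    has_arg = bool(AUTOMATION_ARG.search(event["CommandLine"]))
    return parent == "svchost.exe" and has_arg


def find_automation_activity(events):
    """Flag COM-activated instances, then anything they start afterwards."""
    flagged_pids = set()  # PID reuse is ignored in this small example
    findings = []
    for ev in events:
        if is_com_automation_launch(ev):
            flagged_pids.add(ev["ProcessId"])
            findings.append(("automation-launch", ev["ProcessId"], ev["Image"]))
        elif ev["ParentProcessId"] in flagged_pids:
            findings.append(("child-of-automation", ev["ProcessId"], ev["Image"]))
    return findings
```
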



