infosecn1nja
/
LOLBAS
mirror of https://github.com/infosecn1nja/LOLBAS.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #21 from giMini/master 

Gpup.md
master
Oddvar Moe 2018-05-21 17:30:59 +02:00 committed by GitHub
parent f54950851a 63bccb246d
commit c5aa721d7e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 102 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
LOLBins.md
View File

@ -91,6 +91,8 @@ If you are missing from the acknowledgement, please let me know (I did not forge
# OTHER NON MICROSOFT BINARIES
[AcroRd32.exe](OtherBinaries/AcroRd32.md)
[Gpup.exe](OtherBinaries/Gpup.md)
[Nlnotes.exe](OtherBinaries/Nlnotes.md)
[Notes.exe](OtherBinaries/Notes.md)
[Nvuhda6.exe](OtherBinaries/Nvuhda6.md)

1
LOLLibs.md
View File

@ -7,6 +7,7 @@ If you are missing from the acknowledgement, please let me know (I did not forge
[Advpack.dll](OSLibraries/Advpack.md)
[Ieadvpack.dll](OSLibraries/Ieadvpack.md)
[Ieframe.dll](OSLibraries/Ieframe.md)
[Mshtml.dll](OSLibraries/Mshtml.md)
[Pcwutl.dll](OSLibraries/Pcwutl.md)
[Shdocvw.dll](OSLibraries/Shdocvw.md)
[Zipfldr.dll](OSLibraries/Zipfldr.md)

43
OSLibraries/Mshtml.md Normal file
View File

@ -0,0 +1,43 @@
## Mshtml.dll
* Functions: Execute
```
rundll32.exe Mshtml.dll,PrintHTML "C:\temp\calc.hta"
```
Acknowledgements:
* Pierre-Alexandre Braeken - @pabraeken
Code sample (calc.hta):
```
<html>
<head>
<title>LOLBin</title>
<script language="VBScript">
Sub RunProgram
Set objShell = CreateObject("Wscript.Shell")
objShell.Run "c:\windows\system32\calc.exe"
Self.Close
End Sub
</script>
</head>
<body onload="RunProgram">
<h1>LOLBin</h1>
</body>
</html>
```
Resources:
* https://twitter.com/pabraeken/status/998567549670477824
Full path:
```
c:\windows\system32\Mshtml.dll
c:\windows\sysWOW64\Mshtml.dll
```
Notes:
Detection:

27
OtherBinaries/AcroRd32.md Normal file
View File

@ -0,0 +1,27 @@
## AcroRd32.exe
* Prerequisites
```
Replace C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe by your binary
```
* Functions: Execute
```
Run AcroRd32.exe
```
Acknowledgements:
* Pierre-Alexandre Braeken - @pabraeken
Code sample:
*
Resources:
* https://twitter.com/pabraeken/status/997997818362155008
Full path:
```
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\
```

29
OtherBinaries/Gpup.md Normal file
View File

@ -0,0 +1,29 @@
## Gpup.exe
* Functions: Execute
```
Gpup.exe -w whatever -e c:\Windows\System32\calc.exe
```
Acknowledgements:
* Pierre-Alexandre Braeken - @pabraeken
Code sample:
*
Resources:
* https://twitter.com/pabraeken/status/997892519827558400
Full path:
```
C:\Program Files (x86)\Notepad++\updater\gpup.exe
```
Notes:
Used by Notepad++