Non-debugging uses of CDB
2021-05-03 21:25:16 Author: www.hexacorn.com (view original) Views: 193

May 3, 2021 in Forensic Analysis, Living off the land, LOLBins

Catching up with another tweet from 3 months ago.

VMware Workstation installs the cdb.exe debugger for you, so you can play around with its features if you happen to find it during an engagement. Other than the obvious "I can run and manipulate other processes with it", here are 2 other ideas:

AeDebug setup

Using the -iae and -iaec options, cdb.exe can install itself as the AeDebug debugger. If you do so, cdb.exe, a signed Microsoft binary, is the one doing the dirty deed for you, and you can then swap it with your malicious cdb.exe.

-iae install as AeDebug debugger
-iaec install as AeDebug debugger with given command tail

Launch programs via COMSPEC abuse

Cdb allows us to switch to a shell temporarily, a bit like ftp.exe, and, lo and behold, it relies on the COMSPEC environment variable too. Hence we can launch a program via it, e.g. like this:

The obvious question is: why? After all, cdb.exe is a debugger and we can launch programs with it anyway. Apart from the obvious "why not", this way we can launch a program without debugging flags (e.g. DEBUG_ONLY_THIS_PROCESS) being applied to it.
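From the defender's side, both tricks above leave telemetry: a write to the AeDebug\Debugger registry value, a cdb.exe launch carrying -iae or -iaec, and a shell (the COMSPEC target) appearing as a child of cdb.exe. The following Python detection sketch is an added example, not code from the post or from Hexacorn. It runs over a handful of constructed, Sysmon-style events embedded inline; the event field names, the VMware install path of cdb.exe and the sample registry value are all assumptions, so map them onto whatever your own pipeline emits.

```python
"""Detection sketch for the two non-debugging uses of cdb.exe described above.

Added example, not code from the original post. Event shapes, paths and
values are constructed to resemble Sysmon-style telemetry.
"""
from __future__ import annotations

import re
from typing import Any

# Assumed install location of cdb.exe shipped with VMware Workstation (placeholder path).
CDB_PATH = r"C:\Program Files (x86)\VMware\VMware Workstation\cdb.exe"

# Constructed sample telemetry: one AeDebug registry write, one cdb.exe run
# with the install flag, one shell spawned by cdb.exe, plus two benign events
# that must not fire. The "-p %ld -e %ld -g" tail is the usual post-mortem
# debugger command line and is part of the constructed sample value.
SAMPLE_EVENTS: list[dict[str, Any]] = [
    {"type": "registry_set",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug\Debugger",
     "details": f'"{CDB_PATH}" -p %ld -e %ld -g',
     "image": CDB_PATH},
    {"type": "process_create", "image": CDB_PATH,
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cdb.exe -iae"},
    {"type": "process_create", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": CDB_PATH,
     "command_line": "cmd.exe /c calc.exe"},
    # benign: cdb.exe actually debugging a program
    {"type": "process_create", "image": CDB_PATH,
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "cdb.exe -g -G notepad.exe"},
    # benign: a shell started by the user
    {"type": "process_create", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "cmd.exe"},
]

# The suffix match also covers the Wow6432Node copy of the AeDebug key.
AEDEBUG_DEBUGGER_RE = re.compile(r"\\AeDebug\\Debugger$", re.IGNORECASE)
INSTALL_FLAGS = {"-iae", "-iaec", "/iae", "/iaec"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}  # typical COMSPEC targets


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, keeping double-quoted runs together."""
    tokens: list[str] = []
    cur: list[str] = []
    in_quote = False
    for ch in cmdline:
        if ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (handles forward and back slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: list[dict[str, Any]]) -> list[tuple[str, int]]:
    """Return (rule_name, event_index) pairs for every event that matches a rule."""
    findings: list[tuple[str, int]] = []
    for i, ev in enumerate(events):
        if ev.get("type") == "registry_set" and AEDEBUG_DEBUGGER_RE.search(ev.get("target", "")):
            # Any change to the post-mortem debugger is worth a look; cdb.exe as the
            # new handler is the specific pattern from the post.
            new_debugger = tokenize(ev.get("details", ""))
            if new_debugger and basename(new_debugger[0]) == "cdb.exe":
                findings.append(("aedebug_points_to_cdb", i))
            else:
                findings.append(("aedebug_modified", i))
        elif ev.get("type") == "process_create":
            image = basename(ev.get("image", ""))
            parent = basename(ev.get("parent_image", ""))
            args = {a.lower() for a in tokenize(ev.get("command_line", ""))}
            if image == "cdb.exe" and args & INSTALL_FLAGS:
                findings.append(("cdb_installs_aedebug", i))
            if parent == "cdb.exe" and image in SHELLS:
                findings.append(("cdb_spawned_shell", i))
    return findings


if __name__ == "__main__":
    for rule, idx in detect(SAMPLE_EVENTS):
        print(f"{rule}: event {idx} -> {SAMPLE_EVENTS[idx]}")
```

Two caveats for tuning: cdb.exe is a legitimate debugger, so the cdb_spawned_shell rule is a triage signal rather than a verdict, and if COMSPEC has been repointed away from cmd.exe the launched program shows up as a direct child of cdb.exe instead of a shell, so a broader "parent is cdb.exe" review on hosts where cdb.exe should not be in use is the safer net.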


Article source: https://www.hexacorn.com/blog/2021/05/03/non-debugging-uses-of-cdb/