Recently had the pleasure of participating in my second @Hacker0x01 LHE, #h14420. We actually ended up winning the bonus for the best desktop bug on Zoom with @NahamSec and @ajxchapman!
Huge thanks to them and everyone else involved with the event!
shmoul (9 posts, joined May 2023)
21-year-old full-time bug bounty hunter from Finland
- You should be able to RCE by hosting a WebDAV / SMB server and using a URL like file://host-ip/share/path/to/file.exe. Windows does, however, prompt the user about running an external program, but if the user has e.g. Java installed you can use a .jar file with no warnings.
- Replying to @NahamSec, @Hacker0x01 and 2 others: Thanks for the shout out! Let's find some more crazy bugs in Vegas
- Replying to @Oddvarmoe: c|/test/file.exe (works in file URIs and somewhere else I think? not sure so maybe not a proper path), \??\c:\temp\file.exe, \??\UNC\localhost\c$\temp\file.exe (UNC thing also works with \\?\ and \\.\)
- Use a WebDAV server instead. SMB is such a pain and so inconsistent outside a local network.
- Replying to @ArchAngelDDay: Congrats! Best of luck, although I'm certain you'll do great
- Replying to @shm0ul and @renniepak: Shouldn't have mentioned SMB in the earlier reply 😅 It's not really a good way to go unless you're stealing NTLM creds
- Replying to @shm0ul and @Oddvarmoe: Also this may not be exactly on topic, but you can also specify the streams in the directory and file: c:\temp:$I30:$INDEX_ALLOCATION\file.exe::$DATA
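The alternative path spellings listed in the replies above (\??\, \\?\, \\.\, UNC, file: URIs, the old c| drive form and NTFS stream syntax) are exactly what a naive "is this a local file?" check misses. The following added example, not the poster's code, classifies a candidate path by its spelling family so a validator can accept only plain local drive paths; the function and category names are my own.

```python
import re

# Added example (not the poster's code): sort Windows path spellings into
# families so a link or file handler can refuse everything except an
# ordinary drive-letter path before calling into the OS.

# Win32 / NT prefixes, most specific first (matched case-insensitively).
_PREFIXES = [
    ("\\??\\UNC\\", "nt-native-unc"),   # \??\UNC\host\share\...
    ("\\??\\", "nt-native"),            # \??\c:\temp\file.exe
    ("\\\\?\\UNC\\", "extended-unc"),   # \\?\UNC\host\share\...
    ("\\\\?\\", "extended"),            # \\?\c:\temp\file.exe
    ("\\\\.\\", "device"),              # \\.\c:\temp\file.exe (device namespace)
]


def _has_stream_syntax(p: str) -> bool:
    """True if a ':' appears after the drive-letter colon (or anywhere when
    there is no drive letter), i.e. an NTFS stream or attribute reference such
    as c:\\temp:$I30:$INDEX_ALLOCATION\\file.exe::$DATA."""
    body = p[2:] if re.match(r"^[a-zA-Z]:", p) else p
    return ":" in body


def classify_windows_path(path: str) -> str:
    """Return the spelling family of `path` so policy can act on it."""
    p = path.strip()
    low = p.lower()
    if low.startswith("file:"):
        return "file-uri"               # file://host/share/... may be remote
    for prefix, family in _PREFIXES:
        if low.startswith(prefix.lower()):
            return family
    if p.startswith("\\\\") or p.startswith("//"):
        return "unc"                    # \\host\share\... or //host/share/...
    if re.match(r"^[a-zA-Z]\|[/\\]", p):
        return "drive-bar"              # c|/test/file.exe (legacy file-URI form)
    if _has_stream_syntax(p):
        return "ads"
    if re.match(r"^[a-zA-Z]:[\\/]", p):
        return "drive-local"
    return "other"


def is_plain_local_path(path: str) -> bool:
    """Accept only an ordinary drive-letter path with no prefix or stream."""
    return classify_windows_path(path) == "drive-local"
```

Relative paths and `..` traversal are deliberately out of scope here; this check is only the spelling gate that runs before normal canonicalisation.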