There’s been some really interesting security research done recently around obscure Windows executables with interesting features. Some of them auto-elevate and bypass UAC, some execute code, and some package scripts into executables. subTee has been posting about many of these discoveries for a few years now.
iexpress.exe resurfaced. Apparently it’s an old trick used by graybeard pentesters going back to the dawn of NT, but I wasn’t in the game back then so I figured I’d write it up this time around.
First, you’re going to need a PS1 containing whatever PowerShell script you’re looking to run. You can’t pass parameters using this method, so you’ll need to bake them into your script.
- Run iexpress.exe as an administrator.
- Select Create new Self Extraction Directive file and then click Next.
- Select Extract files and run an installation command and then click Next.
- Name your package something awesome and then click Next.
- Select No prompt and then click Next again.
- Select Do not display a license and then click Kangaroo. Just kidding! Click Next.
- Click Add and browse to the location of your PowerShell script. Click Next.
- In the Install Program field, enter PowerShell.exe -NonI -NoP -Exec Bypass -W Hidden -File evil.ps1 and then click Next.
- Select Hidden and then click Next.
- Select No message and then click Next.
- Browse for the desired output path for your shiny new executable, and then click Next.
- Select No restart and then click Next.
- Select Don’t save and then click Next.
- Click Next.
- Click Finish.
And presto! You have a PS1 embedded in an EXE that you can drop and run anywhere powershell.exe is available. Keep in mind that the script itself isn't protected in any way: the package extracts the .ps1 to a temporary folder in clear text and then launches PowerShell against it.
If you’re interested in automating this process a bit, the SED file the wizard produces contains all the parameters you’ll need. I’ve added comments (lines starting with ;) above the relevant entries below:

```ini
[Version]
Class=IEXPRESS
SEDVersion=3
[Options]
PackagePurpose=InstallApp
ShowInstallProgramWindow=1
HideExtractAnimation=0
UseLongFileName=0
InsideCompressed=0
CAB_FixedSize=0
CAB_ResvCodeSigning=0
RebootMode=N
InstallPrompt=%InstallPrompt%
DisplayLicense=%DisplayLicense%
FinishMessage=%FinishMessage%
TargetName=%TargetName%
FriendlyName=%FriendlyName%
AppLaunched=%AppLaunched%
PostInstallCmd=%PostInstallCmd%
AdminQuietInstCmd=%AdminQuietInstCmd%
UserQuietInstCmd=%UserQuietInstCmd%
SourceFiles=SourceFiles
[Strings]
InstallPrompt=
DisplayLicense=
FinishMessage=
; Output filename
TargetName=C:\Users\liam\Desktop\calcer.exe
; Doesn't really matter
FriendlyName=evil
; Command to run
AppLaunched=powershell.exe -exec bypass -nop -noni -w hidden -file evil.ps1
PostInstallCmd=<None>
AdminQuietInstCmd=
UserQuietInstCmd=
; File to embed
FILE0="evil.ps1"
[SourceFiles]
SourceFiles0=C:\Users\liam\Desktop\
[SourceFiles0]
%FILE0%=
```
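To tie the wizard steps and the SED together, here is an added example of my own (not code from the original post) that writes a SED like the one above from a few variables and hands it to iexpress.exe without the wizard. The function name, its parameters and the default SED location are my choices; /N and /Q are IExpress's own switches for building a named SED and suppressing its dialogs, and UseLongFileName is set to 1 so the script name isn't forced into 8.3 form.

```powershell
# Added example, not code from the original post. Builds an IExpress package
# from a .ps1 without touching the wizard. Function/parameter names and the
# default SED location are my own choices.
function New-IExpressPsPackage {
    param(
        [Parameter(Mandatory)] [string]$ScriptPath,                # .ps1 to embed
        [Parameter(Mandatory)] [string]$OutputExe,                 # EXE IExpress will write
        [string]$FriendlyName = 'Updater',                         # never shown with these settings
        [string]$SedPath = (Join-Path $env:TEMP 'package.sed')     # where the directive is written
    )

    $ScriptPath = (Resolve-Path -LiteralPath $ScriptPath).Path
    $scriptDir  = Split-Path -Path $ScriptPath -Parent
    $scriptName = Split-Path -Path $ScriptPath -Leaf

    # Same keys the wizard emits. The package extracts into a temp folder and
    # runs AppLaunched from there, so -File takes the bare script name.
    $sed = @"
[Version]
Class=IEXPRESS
SEDVersion=3
[Options]
PackagePurpose=InstallApp
ShowInstallProgramWindow=1
HideExtractAnimation=0
UseLongFileName=1
InsideCompressed=0
CAB_FixedSize=0
CAB_ResvCodeSigning=0
RebootMode=N
InstallPrompt=%InstallPrompt%
DisplayLicense=%DisplayLicense%
FinishMessage=%FinishMessage%
TargetName=%TargetName%
FriendlyName=%FriendlyName%
AppLaunched=%AppLaunched%
PostInstallCmd=%PostInstallCmd%
AdminQuietInstCmd=%AdminQuietInstCmd%
UserQuietInstCmd=%UserQuietInstCmd%
SourceFiles=SourceFiles
[Strings]
InstallPrompt=
DisplayLicense=
FinishMessage=
TargetName=$OutputExe
FriendlyName=$FriendlyName
AppLaunched=powershell.exe -NonI -NoP -Exec Bypass -W Hidden -File $scriptName
PostInstallCmd=<None>
AdminQuietInstCmd=
UserQuietInstCmd=
FILE0="$scriptName"
[SourceFiles]
SourceFiles0=$scriptDir\
[SourceFiles0]
%FILE0%=
"@

    # Windows PowerShell's Out-File defaults to UTF-16; write plain ASCII so the
    # INI parser behind IExpress reads the directive as intended.
    [IO.File]::WriteAllText($SedPath, $sed, [Text.Encoding]::ASCII)

    # /N builds the named SED without showing the wizard, /Q suppresses its dialogs.
    $iexpress = Join-Path $env:SystemRoot 'System32\iexpress.exe'
    $proc = Start-Process -FilePath $iexpress -ArgumentList '/N', '/Q', "`"$SedPath`"" -Wait -PassThru

    if ($proc.ExitCode -ne 0 -or -not (Test-Path -LiteralPath $OutputExe)) {
        throw "iexpress.exe exited with $($proc.ExitCode) and no package at $OutputExe; check $SedPath"
    }
    Get-Item -LiteralPath $OutputExe
}

# Usage (paths are placeholders):
# New-IExpressPsPackage -ScriptPath C:\work\evil.ps1 -OutputExe C:\work\calcer.exe
```

Two things worth knowing before relying on this: the package is packaging, not obfuscation, so the .ps1 lands in clear text in an IXP*.TMP folder under %TEMP% before it runs, and the powershell.exe child process carries the full AppLaunched command line, so process-creation logging (Security event 4688 with command-line auditing, or Sysmon event 1) records exactly the -Exec Bypass -W Hidden string you put in the SED.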