Packaging PS1

March 28, 2017

There’s been some really interesting security research done recently around obscure Windows executables with interesting features. Some of them auto-elevate and bypass UAC, some execute code, and some package scripts into executables. subTee has been posting about many of these discoveries for a few years now.

Recently iexpress.exe resurfaced. Apparently it’s an old trick used by graybeard pentesters going back to the dawn of NT, but I wasn’t in the game back then so I figured I’d write it up this time around.

First, you’re going to need a PS1 containing whatever PowerShell script you’re looking to run. You can’t pass parameters using this method, so you’ll need to bake them into your script.

  1. Launch iexpress.exe as an administrator.
  2. Select Create new Self Extraction Directive file and then click Next.
  3. Select Extract files and run an installation command and then click Next.
  4. Name your package something awesome and then click Next.
  5. Select No prompt and then click Next again.
  6. Select Do not display a license and then click Kangaroo. Just kidding! Click Next.
  7. Click Add and browse to the location of your PowerShell script. Click Next.
  8. In the Install Program field, enter PowerShell.exe -NonI -NoP -Exec Bypass -W Hidden -File evil.ps1 and then click Next.
  9. Select Hidden and then click Next.
  10. Select No message and then click Next.
  11. Browse for the desired output path for your shiny new executable, and then click Next.
  12. Select No restart and then click Next.
  13. Select Don’t save and then click Next.
  14. Click Next.
  15. Click Finish.

And presto! You have a PS1 embedded in an EXE that you can drop and run anywhere!

If you’re interested in automating this process a bit, the SED file contains all the parameters you’ll need to do so. I’ve added comments behind the relevant sections below:

[Version]
Class=IEXPRESS
SEDVersion=3
[Options]
PackagePurpose=InstallApp
ShowInstallProgramWindow=1
HideExtractAnimation=0
UseLongFileName=0
InsideCompressed=0
CAB_FixedSize=0
CAB_ResvCodeSigning=0
RebootMode=N
InstallPrompt=%InstallPrompt%
DisplayLicense=%DisplayLicense%
FinishMessage=%FinishMessage%
TargetName=%TargetName%
FriendlyName=%FriendlyName%
AppLaunched=%AppLaunched%
PostInstallCmd=%PostInstallCmd%
AdminQuietInstCmd=%AdminQuietInstCmd%
UserQuietInstCmd=%UserQuietInstCmd%
SourceFiles=SourceFiles
[Strings]
InstallPrompt=
DisplayLicense=
FinishMessage=
TargetName=C:\Users\liam\Desktop\calcer.exe                                   // Output filename
FriendlyName=evil                                                             // Doesn't really matter
AppLaunched=powershell.exe -exec bypass -nop -noni -w hidden -file evil.ps1   // Command to run
PostInstallCmd=<None>
AdminQuietInstCmd=
UserQuietInstCmd=
FILE0="evil.ps1"                                                              // File to Embed
[SourceFiles]
SourceFiles0=C:\Users\liam\Desktop\
[SourceFiles0]
%FILE0%=