Open Bl4ckM1rror opened 1 year ago
Hi,
Thanks :).
I used Advanced Installer to create MSI and RBS file. You may want to change Execute="deferred" to Execute="rollback"? I didnt use wix so not very familiar with it.
Thank u for the quick reply :) I edited from Execute="deferred" to Execute="rollback", but it didn't work.
Anyway, I read a lot about the documentation, and if I have understood correctly the entire process is:
Get-ChildItem -Path C:\ -Filter *.rbs -Recurse -Force -ErrorAction SilentlyContinue
and I should find an .rbs (Rollback script) file into C:\Config.Msi folderdid I understand correctly? if so, can I use both C# and C++? and Console or Application?
Thanks a lot!
I read this thread and its really helpful. Thanks for the pointers on using Advanced Installer and snatching the rbs file from the C;\Config.msi folder. It worked for me.
In order to configure the rbs file, one can install Advanced Installer, create a new Enterprise installer package, generate two custom actions (one deferred and one rollback), and sequence the rollback custom action just before the deferred custom action. I used "Launch EXE with Working Directory" for the rollback Custom Action type, and I set "File Path" as cmd.exe and "Command Line" as the command you want to execute. Working directory can be anything. Build the installer.
Before running the installer, run a powershell command (with administrator rights) to loop while trying to look out for any rbs file in the C:\config.msi folder and copy it to a writable folder. Then run the installer. When the installation completes, you should see a rbs file in the copied folder.
After changing from Execute="deferred" to execute="rollback" it did not worked me not able to spawn the cmd.exe with elevated privileges can you share the rbs file which opens cmd.exe with elevated privileges
Hi, Congratulations on your project, it is really a awesome research!
One question: I have an issue with the trigger of the .rbs file.
I have created the following .msi which successfully triggers the payload (cmd.exe) as can be seen from the PoC.
The problem is that when I replace cmd.rbs with my .rbs (inside C:\Config.Msi), nothing happens.
This is my source code for the execution of my payload :
Can you help me? Thanks in advance.