Regsvr32 running remote script bypassing APPLOCKER

So Alex Ionescu posted this morning about a remote execution via regsvr32.

I tested the POC and what do you know… it WORKS!

First off – Running Alex’s script does give me a Command Prompt2016-04-22

Now I tried this on a guest account and same results – I get a command prompt

So next step – Try to run something that requires Privilege


Ok ok some sanity has returned so default it runs in unprivileged. BUT I can run an whitelisted app from command: CALC.exe, WORD.exe

hmmmm… this is dangerous and my mind is blown at what pivots I can use to privilege escalate.

Stay safe and BIG Thanks to Alex Ionescu for finding this!!!