Let's use the following command to load our DLL payload with the corresponding CLSID:

rundll32.exe -sta {3d09c1ca-2bcc-40b7-b9bb-3f3ec143a87b}

Granted, this example loads under a privileged context, but the implications *could* become very interesting if a normal user can influence a path element of an "abandoned" registry CLSID. Typically, this can also be turned into a viable persistence mechanism via a Run key or Scheduled Task.

Leveraging traditional COM hijacking for AWL bypass: using legitimate CLSID references and registered ProgIDs...
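From the defender's side, the command above is worth alerting on: rundll32.exe is normally invoked with a "dll,EntryPoint" argument, so the "-sta" switch followed by a CLSID or ProgID stands out in process-creation telemetry. The following detection logic is an added example, not code from the original post; it runs over a handful of constructed Sysmon-style process-creation records (the field names Image, CommandLine and ParentImage follow Sysmon Event ID 1, the sample values are made up, and the CLSID is the one quoted above) and returns a finding for each rundll32 COM-activation command line, classifying the target as a CLSID or a ProgID.

```python
import re

# Constructed sample process-creation records (Sysmon Event ID 1 style field
# names). These are not from the original page; only the CLSID is quoted from it.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32.exe -sta {3d09c1ca-2bcc-40b7-b9bb-3f3ec143a87b}",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32.exe -sta Example.ProgID",   # constructed ProgID
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe -sta {3d09c1ca-2bcc-40b7-b9bb-3f3ec143a87b}",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# A registry CLSID: {8-4-4-4-12} hex digits in braces, case-insensitive.
CLSID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)

# The COM-activation form of rundll32: a "-sta" switch followed by a single
# token (CLSID or ProgID) instead of the usual "<dll>,<entrypoint>" argument.
STA_SWITCH_RE = re.compile(r"\s-sta\s+(\S+)", re.I)


def classify_rundll32(event):
    """Return a finding dict if this event is rundll32 activating a COM class,
    otherwise None. Non-rundll32 images are ignored even if the arguments match,
    so the rule keys on the image path rather than on the command line alone."""
    if not event["Image"].lower().endswith("\\rundll32.exe"):
        return None
    match = STA_SWITCH_RE.search(event["CommandLine"])
    if not match:
        return None
    target = match.group(1)
    kind = "clsid" if CLSID_RE.fullmatch(target) else "progid"
    return {
        "target": target,
        "kind": kind,
        "parent": event["ParentImage"],
        # Triage hint for the analyst: which registry branch to look at next.
        "check": ("Resolve the InprocServer32/LocalServer32 path registered for "
                  "this target in HKCU and HKLM, confirm the file exists and "
                  "whether standard users can write to it or its directory."),
    }


def scan(events):
    """Run the rule over a list of process-creation events and collect findings."""
    return [f for f in (classify_rundll32(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[rundll32 COM activation] {finding['kind']}={finding['target']} "
              f"parent={finding['parent']}")
```

Only the two rundll32 records using "-sta" produce findings; the ordinary "shell32.dll,Control_RunDLL" invocation and the notepad record do not. In practice the follow-up is the registry check noted in the finding: a CLSID whose registered server path points at a missing file or a user-writable location is exactly the "abandoned" entry the text describes, and a HKCU registration shadowing an HKLM one is the classic hijack indicator.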