Most of my favorite sideloading techniques rely on some old and kinda obscure localisation/test features embedded in various programming frameworks.
This post touches on yet another one of these.
When you launch this function:
rundll32 cliconfg.dll, OnInitDialogMain
the code of the DllMain of this DLL library will try to find the following localisation RLL files:
- C:\WINDOWS\system32\Resources\1024\cliconfg.RLL
- C:\WINDOWS\system32\Resources\1033\cliconfg.RLL
What is surprising though, these files are loaded via a regular LoadLibrary call, which obviously leads to a code execution…
So, placing your payload in any of these two RLL files, and executing any of the APIs exported by cliconfg.dll, will lead to loading and execution of these payloads. And if you know how rundll32.exe works, and paid attention to the bit mentioning DllMain being responsible for loading these localisation libraries, you know that we can specify any API name, or ordinal number, and get the payload execution anyway, As such, as long as our RLL files are in place, any of the below invocations will load the payload:
rundll32 cliconfg.dll, foo rundll32 cliconfg.dll, bar rundll32 cliconfg.dll, #1 rundll32 cliconfg.dll, #3948794357847857