AI-Assisted Reverse Engineering of an EXE Reveals Zero-Click Local RCE

A veteran security researcher leveraged AI-driven static analysis to dissect a .NET EXE, uncovered custom-encrypted strings and a vulnerable local WebSocket service, and demonstrated a zero-click remote code execution chain that abuses an explorer.exe fallback to run code without any user interaction.


Event Overview

The penetration test targeted an aging web application that performed client‑side encryption of query strings. Conventional attacks (SQL injection, request tampering) failed, prompting the researcher to fuzz the JavaScript function downSetup with a crafted down parameter. This triggered the download of an executable file, which became the entry point for further analysis.

Technical Analysis

EXE File Analysis

The downloaded binary was identified as a .NET assembly referencing Newtonsoft.Json and WebSocketSharp, with its dependencies bundled via Costura. Using AI‑driven prompts, all embedded strings were extracted and grouped by category. Notable strings included:

ehdgoanfrhkq1234
OfficeHDWebHard!
SOFTWARE\JiranSecurity\OfficeHARD REDService
explorer.exe "{0}"

The first two 16‑byte strings, located at adjacent heap offsets, were suspected to be encryption key material. Standard cryptographic libraries (Python cryptography, OpenSSL) could not decrypt the payload because the binary implements a custom key‑schedule algorithm.

To overcome this, AI generated a PowerShell script that used .NET reflection to invoke the binary’s internal decryption method, analogous to method hooking in Android dynamic analysis. The script successfully produced a decrypted INI configuration file, revealing the update infrastructure and communication logic.

Cross‑Site WebSocket Hijack (CSWSH)

The INI showed that the application starts a local WebSocket server at ws://127.0.0.1:3100 without validating the Origin header. Consequently, any webpage can open a WebSocket connection to the service and issue commands.

A proof‑of‑concept JavaScript snippet sent the command {GET: 'VERSION'} and received the service version, confirming controllability.

RCE Gadget

The WebSocket protocol defines several commands. The RUN: 'AUTH' command invokes CreateProcessAsUser but treats shell meta-characters (&&, |, ;) as literals, which prevents command injection through that path.

After repeated failures, the researcher revisited commands marked as FAIL. AI completed the list of application name variants found in the binary, exposing a fallback branch: when the target application is absent, the binary executes explorer.exe "{URL}", passing the supplied URL directly to the shell.

Sending the command {RUN: 'DRIVE', URL: 'calc.exe'} caused the service to run explorer.exe "calc.exe", launching the Windows calculator without any user interaction.

Attack Chain Summary

Craft a malicious HTML page that opens a WebSocket connection to ws://127.0.0.1:3100.

A victim visits the page while the vulnerable application is installed.

The browser connects to the local WebSocket service, which lacks Origin validation.

The page sends {RUN: 'DRIVE', URL: 'calc.exe'}.

The service falls back to the explorer.exe "{URL}" path, executing calc.exe and achieving a zero‑click remote code execution.

Related Findings

The same pattern—listening on 127.0.0.1 without Origin checks—was previously disclosed by Tavis Ormandy in 2018 for the Electrum wallet’s local JSON‑RPC service, allowing arbitrary websites to interact with the service.

Mitigation Recommendations

Validate the Origin header on all local WebSocket connections.

Introduce per‑instance authentication tokens in URLs or request parameters.

Combine Origin validation with token checks for defense‑in‑depth.

Figure: AI-assisted reverse engineering workflow
Figure: Cross-Site WebSocket hijack illustration
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: AI, WebSocket, information security, reverse engineering, RCE, .NET, PowerShell
Written by

Black & White Path
