Sergio

I don't know of a browser out there that wouldn't alert the user before executing something through a browser. The whole advantage of firing off a wscript script file is running behind the scenes. That script could simply download and run the executable, or download something like srvany and install that exe as a service. Of course, this whole discussion assumes that stealthiness is desirable. Sergio

You don't have much room to enter much of a program in the Run... text box, but if that small program creates a socket connection (http for instance) to a web site containing a more interesting program, that program could be downloaded and run in the background if one were so inclined. Sergio

I use copy con to build text files from the command-line, but it would be difficult to represent the CTRL-Z character in the Run... window text box. Sergio

I've been playing around with what could be done from the Windows Run window and have the following sample that you guys might be able to build more from. 1. Open Run window (window-R) 2. Create a script file (VBScript for this sample) and execute it with the following command: cmd /c "echo wscript.echo "hello" > c:\temp\test.vbs && start wscript c:\temp\test.vbs" A couple of notes about the command: a. cmd /c is used so that the command window will close on completion b. I'm using echo to build a text file in some directory (make sure it's a directory that exists and you have rw rights to!) c. If you want to build a script with multiple lines, you can just use another echo statement, but be sure to use >> instead of > to append to the script file you're building d. && is used to separate the commands e. I'm calling the start command instead of wscript directly so that the cmd process doesn't have to wait for the VBScript file to complete before closing the command window Not a perfect solution, and certainly not a sophisticated payload in this sample, but I'm sure you guys are more creative than me. Sergio