A small collection of unobfuscated code-execution primitives in different languages
A handy collection of small primitives/templates useful for code execution, downloading or otherwise offensive purposes. Whenever a quick sample of VBScript/JScript/C# code is needed, this directory should bring you one.
The Windows Script Host (WSH) subsystem can execute VBScript/JScript scriptlets using two pre-installed interpreters:
- cscript.exe - to be used for command-line, dynamic script execution. Doesn't load AMSI
- wscript.exe - for general script execution. This one loads AMSI
VBScript
- download-file-and-exec.vbs - Downloads a binary file using Msxml2.ServerXMLHTTP, stores it to disk with Adodb.Stream and then launches it via Wscript.Shell Run
- download-powershell-and-exec-via-stdin - Downloads a PowerShell script/commands from a given URL and passes them to PowerShell's StdIn
- drop-binary-file-and-launch.vbs - Drops an embedded base64-encoded binary file to disk and then launches it.
- wmi-exec-command.vbs - Example of VBScript code execution via the WMI class Win32_Process static method Create
- wscript-shell-code-exec.vbs - Code execution via WScript.Shell in a hidden window.
- wscript-shell-stdin-code-exec.vbs - Code execution via WScript.Shell in a hidden window through a command passed from StdIn to powershell
JScript
XSL
XSL files can be executed in the following ways:
- Using wmic.exe:
    wmic os get /format:"jscript-xslt-template.xsl"
Templates:
- hello-world-jscript-xslt.xsl - A sample backbone for an XSLT file with JScript code showing a simple message box.
- wscript-shell-run-jscript-xslt.xsl - JScript XSLT with the WScript.Shell.Run method
COM Scriptlets
Code execution with regsvr32 can look like the following:
regsvr32 /u /n /s /i:wscript-shell-run-jscript-scriptlet.sct scrobj.dll
- wscript-shell-run-jscript-scriptlet.sct - SCT file with JScript code execution via WScript.Shell.Run
HTA
HTA files are HTML Applications.
- wscript-shell-run-vbscript.hta - A backbone for WScript.Shell.Run via VBScript
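For the blue-team side of these launch methods, the following is an added example (not part of this repository) that classifies process-creation command lines matching the wmic, regsvr32, WSH and HTA invocations described above. The rule names, the `classify`/`scan` helpers and the sample events are assumptions constructed for illustration.

```python
import re

SCRIPT_EXT = re.compile(r'\.(vbs|vbe|js|jse|wsf)\b')

def image_name(cmdline):
    """Executable name of a command line, lower-cased, without path or .exe."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', cmdline)
    if not m:
        return ""
    name = re.split(r'[\\/]', (m.group(1) or m.group(2)).lower())[-1]
    return name[:-4] if name.endswith(".exe") else name

def classify(cmdline):
    """Return a rule name (names are assumptions of this example) or None."""
    exe, args = image_name(cmdline), cmdline.lower()
    if exe == "wmic":
        # Built-in formats are bare keywords (list, csv, ...); a value that
        # looks like a file name, path or URL is a custom stylesheet.
        m = re.search(r'/format:\s*"?([^"\s]+)', args)
        if m and re.search(r'[.\\/:]', m.group(1)):
            return "wmic-custom-xsl"
    elif exe == "regsvr32":
        # /i:<scriptlet> handed to scrobj.dll, as in the README's command.
        if re.search(r'[/-]i:\S', args) and "scrobj" in args:
            return "regsvr32-scriptlet"
    elif exe == "mshta":
        # mshta.exe is the Windows host that runs .hta files.
        if ".hta" in args:
            return "mshta-hta"
    elif exe in ("cscript", "wscript"):
        if SCRIPT_EXT.search(args):
            return "wsh-script"
    return None

# Constructed process-creation command lines (as logged by process auditing).
SAMPLE_EVENTS = [
    'wmic os get /format:"jscript-xslt-template.xsl"',
    'wmic os get /format:list',
    'regsvr32 /u /n /s /i:wscript-shell-run-jscript-scriptlet.sct scrobj.dll',
    r'regsvr32 /s C:\Windows\System32\example.dll',
    r'"C:\Windows\System32\cscript.exe" //nologo download-file-and-exec.vbs',
    'mshta wscript-shell-run-vbscript.hta',
]

def scan(events):
    """Return (rule, command line) for every event that matches a rule."""
    hits = [(classify(e), e) for e in events]
    return [(rule, e) for rule, e in hits if rule]
```

Legitimate administration scripts also run under cscript/wscript, so the wsh-script rule is best combined with parent-process and file-path context before alerting.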