I recently came across a dll called DynamicWrapperX -
http://www.script-coding.com/dynwrapx_eng.html
This is an interesting dll, in that it advertises that you can execute Win32 calls from inside JScript / VBScript. I cannot vouch for the trustworthiness of this dll, meaning: only install it in a test environment. However, I can vouch that this dll gives you extraordinary access to the Win32 API, plus other dlls on the system.
The documentation is a bit esoteric, but once you work through the details you can work out how to call any function.
Here is an example of calling a function to pop a MessageBox.
DX = new ActiveXObject("DynamicWrapperX"); // Create an object instance.
DX.Register("user32.dll", "MessageBoxW", "i=hwwu", "r=l"); // Register a dll function.
res = DX.MessageBoxW(0, "Hello, world!", "Test", 4); // Call the function.
Let's break that down.
0. Install (register) dynwrapx.dll, either for all users or just the current one; admin rights are not required for a per-user registration.
1. Instantiate the DX object.
2. Register the function from user32.dll. The parameters to Register are:
   a. dll name
   b. function name
   c. input parameter types ("i=...")
   d. return value type ("r=...")
3. Execute the script file, either with regsvr32.exe (for a .sct scriptlet, as in the SCT example linked below) or with cscript.exe (for a .js file).
So if you look at the function MessageBoxW on MSDN you see this:
https://msdn.microsoft.com/en-us/library/windows/desktop/ms645505(v=vs.85).aspx
int WINAPI MessageBox(
_In_opt_ HWND hWnd,
_In_opt_ LPCTSTR lpText,
_In_opt_ LPCTSTR lpCaption,
_In_ UINT uType
);
The return value is an int, so the return type is l. The parameters map as follows:
hWnd (HWND) => h
lpText (LPCWSTR in the W version) => w
lpCaption (LPCWSTR) => w
uType (UINT) => u
These type letters are in the DynamicWrapperX documentation. The "i=" string lists the input types in parameter order and the "r=" string gives the return type, so chaining them together yields the "i=hwwu" and "r=l" arguments to Register. In the example, uType 4 is MB_YESNO and the l that comes back is the ID of the button that was clicked.
So. I decided to see if I could get this thing to execute shell code.
Yup!
Register two functions, VirtualAlloc and CreateThread, then use the built-in NumPut(Var, Address[, Offset[, Type]]) function to write your shellcode into memory. The high-level steps are:
1. Allocate a block of RWX memory with VirtualAlloc (MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE). The return value is the base address of the allocation.
2. Loop through your shellcode and write each byte into the block allocated in step 1 with NumPut.
3. Call CreateThread with the base address as the thread start address.
Sure enough, it works perfectly. The one caveat is that dynwrapx.dll is a 32-bit dll, so this will only execute x86 shellcode, and it has to be loaded by a 32-bit host: on an x64 system, run regsvr32.exe or cscript.exe from C:\Windows\SysWOW64 against your script file. Also keep the script alive (for example by waiting on the thread handle) until the shellcode has done its work; when the script returns, the host process exits and takes the thread with it.
Example SCT Here:
https://gist.github.com/subTee/ca6ab8ec75ec38c213da580cd0de30fe
Example JS Here:
https://gist.github.com/subTee/1a6c96df38b9506506f1de72573ceb04
Example Dropper Fully Automated:
https://gist.github.com/subTee/aa548b36b5d3c8f07e2024ab39217712
This last example downloads the dll, registers it, and executes shellcode. It makes no effort to clean up.
Again, I did not write this dll, so I can only recommend you execute this in a test environment.
According to one researcher I spoke with, this is being used in the wild. So you may want to sweep your environment or logs for the hash. Unless you have a need for your users to access the Win32 API this way, it's probably not supposed to be there...
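One way to do the sweep suggested above, as an added example in JScript for cscript.exe (my code, not from the post or from DynamicWrapperX). It assumes nothing about the dll beyond standard COM registration: the ProgID used in new ActiveXObject("DynamicWrapperX") has a CLSID subkey, and that CLSID's InprocServer32 default value is the dll path (under HKCR\Wow6432Node\CLSID when a 32-bit server is viewed from a 64-bit host). The SHA-256 comes from certutil -hashfile, which ships with Windows; compare it against whatever indicator you have, the script does not hardcode one.

```javascript
// Added example, not from the original post: find DynamicWrapperX COM
// registrations on this host and hash the registered dll. JScript for
// cscript.exe (ES3: var/for only). Assumes standard COM registry layout.
var PROGID = "DynamicWrapperX";
// HKCR merges HKLM and HKCU classes. A 32-bit server seen from a 64-bit
// host sits under Wow6432Node, so both views are checked.
var CLSID_VIEWS = ["HKCR\\CLSID\\", "HKCR\\Wow6432Node\\CLSID\\"];

// RegRead throws when a key or value is absent; turn that into null.
function regReadOrNull(shell, path) {
  try {
    return shell.RegRead(path);
  } catch (e) {
    return null;
  }
}

// Resolve ProgID -> CLSID -> InprocServer32 path. Takes the WScript.Shell
// object (or anything with a RegRead method) so it can be exercised offline.
function findDynamicWrapperX(shell) {
  var hits = [], seen = {};
  var clsid = regReadOrNull(shell, "HKCR\\" + PROGID + "\\CLSID\\");
  if (!clsid) return hits;
  for (var i = 0; i < CLSID_VIEWS.length; i++) {
    var key = CLSID_VIEWS[i] + clsid + "\\InprocServer32\\";
    var dll = regReadOrNull(shell, key);
    if (dll && !seen[dll.toLowerCase()]) {
      seen[dll.toLowerCase()] = true;
      hits.push({ clsid: clsid, key: key, dll: dll });
    }
  }
  return hits;
}

// Pull the digest out of "certutil -hashfile <file> SHA256" output. Older
// builds print the bytes space separated, newer ones as one run.
function parseCertutilHash(text) {
  var lines = text.split(/\r?\n/);
  for (var i = 0; i < lines.length; i++) {
    var candidate = lines[i].replace(/\s+/g, "").toLowerCase();
    if (/^[0-9a-f]{64}$/.test(candidate)) return candidate;
  }
  return null;
}

// Hash a file with certutil; returns null if the file is gone or certutil fails.
function sha256Of(shell, path) {
  var proc = shell.Exec('certutil -hashfile "' + path + '" SHA256');
  return parseCertutilHash(proc.StdOut.ReadAll());
}

if (typeof WScript !== "undefined") {
  var sh = new ActiveXObject("WScript.Shell");
  var found = findDynamicWrapperX(sh);
  if (found.length === 0) WScript.Echo("no " + PROGID + " registration found");
  for (var k = 0; k < found.length; k++) {
    var digest = sha256Of(sh, found[k].dll) || "(hash unavailable: file missing?)";
    WScript.Echo(found[k].key + " -> " + found[k].dll + "\n  sha256: " + digest);
  }
}
```

Run it with cscript //nologo hunt.js from either bitness. Reading through HKCR covers both per-user (HKCU\Software\Classes) and machine-wide registrations, and a hit whose file is missing still tells you the registration existed, which is worth a look in itself.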
I also wanted to give a shout-out to b33f - @FuzzySec for the shellcode posts here:
https://www.fuzzysecurity.com/tutorials/expDev/6.html
This is a great blog all around.
That's all I have for today.
Cheers
Casey
@subTee