
Shellcode Via JScript / VBScript - Happening Now!


I recently came across a DLL called DynamicWrapperX:


http://www.script-coding.com/dynwrapx_eng.html


This is an interesting DLL: it advertises that you can make Win32 API calls from inside JScript / VBScript. I cannot vouch for the trustworthiness of this DLL, so only install it in a test environment. I can vouch, however, that it gives you extraordinary access to the Win32 API, plus any other DLL on the system.


The documentation is a bit esoteric, but once you work through the details you can work out how to call any function.


Here is an example of calling a function to pop a MessageBox.


```javascript
var DX = new ActiveXObject("DynamicWrapperX"); // Create an object instance.
DX.Register("user32.dll", "MessageBoxW", "i=hwwu", "r=l"); // Register a DLL function.
var res = DX.MessageBoxW(0, "Hello, world!", "Test", 4); // Call the function (4 = MB_YESNO).
```


Let's break that down.


0. Install (register) dynwrapx.dll, either for all users or for just the current user; admin is not required for the per-user install.

1. Instantiate the DX object.

2. Register the function you want from user32.dll. The parameters to Register are:

a. DLL name

b. function name

c. input parameter types

d. return value type

3. Execute the script file, with either regsvr32.exe (for an .sct scriptlet) or cscript.exe (for a .js / .vbs file).


So if you look up the function MessageBoxW on MSDN you see this:


https://msdn.microsoft.com/en-us/library/windows/desktop/ms645505(v=vs.85).aspx


```c
int WINAPI MessageBox(
  _In_opt_ HWND    hWnd,
  _In_opt_ LPCTSTR lpText,
  _In_opt_ LPCTSTR lpCaption,
  _In_     UINT    uType
);
```


You see that the return value of the function is an int, which maps to l. The parameters map as follows:

hWnd (HWND) => h

lpText (LPCTSTR, a wide string for the W variant) => w

lpCaption (LPCTSTR) => w

uType (UINT) => u

These type letters are listed in the DynamicWrapperX documentation. Chain them together and you get the "i=hwwu" and "r=l" inputs to the Register function.


So I decided to see if I could get this thing to execute shellcode.

Yup!


Register two functions, VirtualAlloc and CreateThread, then leverage the built-in NumPut(Var, Address [, Offset] [, Type]) function to write your shellcode into memory. The high-level steps are:

1. Allocate a block of RWX memory via VirtualAlloc. The return value is the base address of the allocation.

2. Loop through your shellcode and write each byte into the space allocated in step 1, using the loop index as the NumPut offset.

3. Call CreateThread with that base address as the thread start routine.


Sure enough, it works perfectly. The one caveat is that this will only execute x86 shellcode, because the script host has to be a 32-bit process for the DLL to load. So on an x64 system, when you call regsvr32.exe or cscript.exe against your script file, you need to run the copy from C:\Windows\SysWOW64 rather than System32.


Example SCT Here:

https://gist.github.com/subTee/ca6ab8ec75ec38c213da580cd0de30fe

Example JS Here:

https://gist.github.com/subTee/1a6c96df38b9506506f1de72573ceb04

Example Dropper Fully Automated:

https://gist.github.com/subTee/aa548b36b5d3c8f07e2024ab39217712

^This last example downloads the DLL, registers it, and executes shellcode. It makes no effort to clean up.

Again, I did not write this DLL, so I can only recommend executing it in a test environment.


According to one researcher I spoke with, this is being used in the wild. So you may want to sweep your environment or logs for the hash. Unless you have a need for your users to access the Win32 API this way, it's probably not supposed to be there...
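Hash sweeps miss a recompiled DLL, so here is a complementary content check as an added example (not code from the original post or from DynamicWrapperX): triage logic that flags a JScript/VBScript file which combines the DynamicWrapperX ProgID with the allocation and thread-creation APIs a shellcode loader needs. The indicator names and the verdict rule are my own choices, and the three sample scripts at the bottom are constructed for this example; the MessageBox sample reproduces the post's demo to show that merely using the wrapper does not trigger the loader verdict.

```javascript
// Added example, not code from the original post or from DynamicWrapperX.
// Indicator names and the verdict rule are my own; samples below are constructed.

var INDICATORS = [
  // JScript (ActiveXObject) or VBScript (CreateObject) instantiation by ProgID
  { name: "dynwrapx_progid", re: /(?:ActiveXObject|CreateObject)\s*\(\s*["']DynamicWrapperX["']\s*\)/i },
  // Register calls for the loader APIs (VBScript may omit the parentheses)
  { name: "register_virtualalloc", re: /\.Register\b[^\r\n]*["']VirtualAlloc(?:Ex)?["']/i },
  { name: "register_createthread", re: /\.Register\b[^\r\n]*["']CreateThread["']/i },
  // Byte-by-byte writes into the allocation
  { name: "numput_write", re: /\.NumPut\b/i },
  // PAGE_EXECUTE_READWRITE as a C-style, VBScript-style or named constant
  { name: "rwx_protect", re: /\b0x40\b|&H40\b|PAGE_EXECUTE_READWRITE/i }
];

function hasIndicator(hits, name) {
  return hits.indexOf(name) >= 0;
}

// Returns the matched indicator names plus two verdicts: whether the script
// uses DynamicWrapperX at all, and whether it looks like a shellcode loader.
function scanScript(text) {
  var hits = [];
  for (var i = 0; i < INDICATORS.length; i++) {
    if (INDICATORS[i].re.test(text)) {
      hits.push(INDICATORS[i].name);
    }
  }
  var usesDynwrapx = hasIndicator(hits, "dynwrapx_progid");
  // A loader needs the wrapper, an allocation, and a way to run the bytes.
  // NumPut and the RWX constant raise confidence but are not required.
  var loader = usesDynwrapx &&
    hasIndicator(hits, "register_virtualalloc") &&
    hasIndicator(hits, "register_createthread");
  return { indicators: hits, usesDynwrapx: usesDynwrapx, shellcodeLoader: loader };
}

// Constructed sample 1: the MessageBox demo from the post (wrapper used, no loader).
var SAMPLE_MESSAGEBOX =
  'DX = new ActiveXObject("DynamicWrapperX");\n' +
  'DX.Register("user32.dll", "MessageBoxW", "i=hwwu", "r=l");\n' +
  'res = DX.MessageBoxW(0, "Hello, world!", "Test", 4);\n';

// Constructed sample 2: a loader skeleton written in VBScript syntax.
var SAMPLE_LOADER =
  'Set DX = CreateObject("DynamicWrapperX")\n' +
  'DX.Register "kernel32.dll", "VirtualAlloc", "i=luuu", "r=u"\n' +
  'DX.Register "kernel32.dll", "CreateThread", "i=uuuuuu", "r=u"\n' +
  'base = DX.VirtualAlloc(0, 300, &H1000, &H40)\n' +
  'For i = 0 To 299 : DX.NumPut sc(i), base, i, "b" : Next\n' +
  'DX.CreateThread 0, 0, base, 0, 0, 0\n';

// Constructed sample 3: an ordinary script that never touches the wrapper.
var SAMPLE_PLAIN = 'WScript.Echo "hello"\n';
```

Run scanScript over the .js, .vbs and .sct files collected from a host; a hit on usesDynwrapx alone is worth a look, and shellcodeLoader is the one to escalate.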


I also wanted to give a shout-out to b33f (@FuzzySec) for the shellcode posts here:

https://www.fuzzysecurity.com/tutorials/expDev/6.html

This is a great blog all around.



That's all I have for today.

Cheers

Casey

@subTee

