Monday, August 31, 2015

JScript .NET Who Cares & It's Not As Bad As You Think...

tl;dr This is not client side arbitrary shellcode execution.

Recently I released a Proof Of Concept Script to demonstrate executing shellcode via JScript .NET.

Why?

I just wanted to see if it could be done.

JScript .NET is a .NET programming language developed by Microsoft. It allows you to compile binaries using the jsc compiler provided with the .NET framework. The compiler is found in places like:

C:\Windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe Shellcode.js
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Shellcode.js

This produces a binary called Shellcode.exe, which is new and untrusted and will get blocked by any Application Whitelist.
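A defender-side sketch tied to the compiler paths above, added here as an example and not code from the original post: it scans process-creation command lines for jsc.exe runs and predicts the binary each one leaves behind, so the new file can be matched against whitelist block events. The event tuples and host names are constructed, and the default output naming (first source file's base name) is an assumption.

```python
import ntpath
import re

# jsc.exe under any .NET Framework version directory (Framework or Framework64)
JSC_RE = re.compile(r"\\Microsoft\.NET\\Framework(?:64)?\\v[\d.]+\\jsc\.exe$", re.I)

# Constructed sample process-creation events: (host, command line)
SAMPLE_EVENTS = [
    ("WS01", r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Shellcode.js"),
    ("WS02", r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe /t:library /out:helper.dll util.js"),
    ("WS03", r"C:\Windows\System32\notepad.exe notes.js"),
    ("WS04", r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe /target:library C:\Temp\lib.js"),
]

def predicted_output(args):
    """Name of the file jsc would emit for these arguments, or None."""
    out, ext, sources = None, ".exe", []
    for arg in args:
        low = arg.lower()
        if low.startswith("/out:"):
            out = arg[len("/out:"):]
        elif low.startswith(("/target:", "/t:")):
            if low.split(":", 1)[1] == "library":
                ext = ".dll"
        elif not arg.startswith("/"):
            sources.append(arg)
    if out:
        return out
    if not sources:
        return None
    # Assumption: with no /out:, the output takes the first source file's base name
    return ntpath.splitext(ntpath.basename(sources[0]))[0] + ext

def find_jsc_compiles(events):
    """Return one finding per jsc.exe invocation seen in the events."""
    findings = []
    for host, cmdline in events:
        parts = cmdline.split()  # simplification: paths without spaces or quotes
        if parts and JSC_RE.search(parts[0]):
            findings.append({"host": host, "compiler": parts[0],
                             "output": predicted_output(parts[1:])})
    return findings

if __name__ == "__main__":
    for f in find_jsc_compiles(SAMPLE_EVENTS):
        print(f"{f['host']}: jsc.exe run, expect new binary {f['output']}")
```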

Why bother doing this?

I wanted to learn, to see what it would take to work, and to see if there are any other applications.

Turns out there are a couple of useful applications:

1. Embed the JScript into an ASPX application, to achieve server side execution/persistence
    Seen Here: JScript Aspx Integration
2. Use of the eval function for dynamic execution and obfuscation.
3. JS files can pass many filters and then be compiled locally.

So there you have it. I wanted to see if I could use reflection to access native api functions via JScript .NET.

It is possible.




So, it's not as bad as you may be thinking.

Cheers!

Casey
@subTee

