Wednesday, September 7, 2016

Shellcode Via JScript / VBScript - Happening Now!

I recently came across a dll called DynamicWrapperX -


http://www.script-coding.com/dynwrapx_eng.html


This is an interesting DLL, in that it advertises that you can make Win32 calls from inside JScript / VBScript.  I cannot vouch for the trustworthiness of this DLL, so only install it in a test environment.  However, I can vouch that this DLL gives you extraordinary access to the Win32 API, plus any other DLL on the system.


The documentation is a bit esoteric, but once you work through the details you can work out how to call any function.


Here is an example of calling a function to pop a MessageBox.


DX = new ActiveXObject("DynamicWrapperX");                  // Create an object instance.
DX.Register("user32.dll", "MessageBoxW", "i=hwwu", "r=l");  // Register a dll function.
res = DX.MessageBoxW(0, "Hello, world!", "Test", 4);        // Call the function.


Let's break that down.


0. Install (register) dynwrapx.dll either for all users or just the current user; the per-user registration does not require admin.
1. Instantiate the DX object.
2. Register the function you want to call from its DLL. The Register call takes, in order:
   a. the DLL name
   b. the function name
   c. the input parameter types ("i=...")
   d. the return value type ("r=...")
3. Execute the script file, with either regsvr32.exe (for the .sct scriptlet) or cscript.exe (for the .js file).


So if you look at the MessageBox function on MSDN (MessageBoxW is its Unicode variant) you see this:


https://msdn.microsoft.com/en-us/library/windows/desktop/ms645505(v=vs.85).aspx


int WINAPI MessageBox(
 _In_opt_ HWND    hWnd,
 _In_opt_ LPCTSTR lpText,
 _In_opt_ LPCTSTR lpCaption,
 _In_     UINT    uType
);


You see that the return value of the function is int => l, and the parameters map as:

hWnd      (HWND)    => h
lpText    (LPCTSTR) => w
lpCaption (LPCTSTR) => w
uType     (UINT)    => u

These type codes are in the DynamicWrapperX documentation; w is a wide (Unicode) string, which is why the W variant of the function is the one registered.  Chain the parameter codes together in order and you get the "i=hwwu" and "r=l" inputs to the Register function.


So. I decided to see if I could get this thing to execute shellcode.  

Yup!


Register two functions, VirtualAlloc and CreateThread, then leverage the built-in NumPut(Var, Address [, Offset] [, Type]) function to write your shellcode into memory.  The high-level steps are:


1. Allocate a block of memory RWX via VirtualAlloc; the return value is the base address of the allocation.
2. Loop through your shellcode and write each byte into the block allocated in step 1.
3. Call CreateThread with that base address as the thread start routine.


Sure enough, it works perfectly.  The one caveat is that dynwrapx.dll is a 32-bit DLL, so this will only execute x86 shellcode.  On an x64 system you need to run regsvr32 or cscript from SysWOW64 (the 32-bit hosts) against your script file; the 64-bit hosts in System32 cannot load a 32-bit in-process COM server.  


Example SCT Here:
Example JS Here:
Example Dropper Fully Automated:  
^This last example downloads the DLL, registers it, and executes shellcode.  It makes no effort to clean up.

Again, I did not write this dll, so I can only recommend you execute this in a test environment.


According to one researcher I spoke with, this is being used in the wild. So you may want to sweep your environment or logs for the hash of dynwrapx.dll. Unless you have a need for your users to access the Win32 API this way, it's probably not supposed to be there...


I also wanted to give a shout-out to b33f - @FuzzySec for the shellcode posts here:
This is a great blog all around.


[Screenshot: Screen Shot 2016-08-31 at 1.57.05 PM.png]

Thats all I have for today.

Cheers

Casey
@subTee

2 comments:

  1. This is the technique used in the Metasploit vbsmem payload. They say it's a "fileless" payload, but they first drop dynawrap.dll to disk.

    Replies
    1. Great point. Thanks for pointing that out.
