‣

Index

Another way to gain code execution on a client system with Phishing is through the use of JavaScript attachments. This is because by default, JavaScript files will execute when clicked on in Windows.

Basic Dropper in JavaScript

JavaScript Execution

In Windows, a file's format is identified by the file extension and not its actual content. Additionally, file extensions are often associated with default applications.

Unfortunately, by default PowerShell files open in Notepad as its default program. JavaScript files, however, open in Windows-Based Script Host, meaning they will be executed.

Outside the context of the Browser sandbox, JavaScript has less security restrictions when executed directly on a host.

‣

Example:

Executable dropper

‣

The following JavaScript code will download a remote Meterpreter executable and execute it. Note, this causes a copy of the exe file to save to disk which increases the chance of detection.

JavaScript & C#

To improve our Jscript tradecraft, and run our payload completely from memory, we'll invoke Win32 APIs.

There is no known way to invoke the Win32 APIs directly from Jscript, we'll instead embed a compiled C# assembly in the Jscript file and execute it.

Create your shellcode in Visual Studio and compile it.

Win32 API calls from C#

DotNetToJscript

Embed GitHub

Download and unzip the above project repository
Open the Project in VS (DotNetToJScript.sln)
Navigate to the Solution Explorer and open TestClass.cs under the ExampleAssembly project.
Update the TestClass.cs to the desired C# code and compile as a .dll assembly Build>Build Solution.
In the project file, copy, \DotNetToJScript\bin\Release\DotNetToJScript.exe, \DotNetToJScript\bin\Release\NDesk.Options.dll and \ExampleAssembly\bin\Release\ExampleAssembly.dll to a common location, example, c:\tools.
Run the following command:

.\DotNetToJScript.exe .\ExampleAssembly.dll --lang=Jscript --ver=v4 -o demo.js

Creates a JavaScript file with the compiled assembly from TestClass.cs