Thursday, October 21, 2010

Download and Execute Script Shellcode on Windows 7

I have just released a new version of my Download and Execute Script shellcode which now works on Windows 7.

Essentially, the previous method I was using to find the base address of kernel32 was not Windows 7 compatible, so I have now started using this method discovered by SkyLined.

Taking into account some other "efficient-ising" I did while I was making this change, this comes in at only (IIRC) 3 bytes larger than the original.

I haven't tested this on anything other than Windows 7 so far, but hopefully this should still work on Windows 2000 and up. If you find otherwise, let me know.

See the original blog post on the shellcode here for more information on how to use it.

I still haven't been bothered to enable EXITFUNC changing options in the Metasploit module, because I had no need to change this, but if anyone wants this functionality let me know and I will add it.

Download here:

These new versions replace the originals.

  1. It works but only if I exploit the bug in iexplorer.
    I used the java_basic_service exploit and I open the malicious URL from iexplorer and it works. But it doesn't on Firefox or Chrome...

    Thanks for sharing.

  2. Metasploiter

    I assume you have tried another payload for that exploit in Chrome/Firefox to confirm that the problem is specifically with my DE payload?

    I'll check to see if I can reproduce this when I have a spare moment.

  3. Hi, I tested the shellcode in the exploit java_docbase_bof.rb on Windows 7 with IE 8.0.

    It didn't work till I decided to disable protected mode in IE 8.0. Is it possible to evade IE protected mode?

    Thanks for sharing

  4. I just found the technique to bypass the restriction of IE protected mode. Thanks for sharing this great shellcode.

  5. It doesn't execute the VBScript after downloading...

  6. Arun

    It works for me. More information? How are you troubleshooting this?

  7. Hi, is it possible to specify the directory where the script goes instead of the current working directory?

  8. Night_Fall

    Yes, but only by changing the shellcode slightly. Not specifying the directory to save the code in and using the default of the present working directory saves some shellcode space, so that's the way I chose to do it. You could hardcode it into the asm code, into the db entry after the cmddata label.

    Stick the desired path in before the "a.vbs" in the following.

    db "wscript //B a.vbs", 0

    I haven't tested that, but based on the quick glance over the assembly I think it should work - the URLDownloadToFileA function takes the filename to save to from an offset 12 bytes into that string.

    The Metasploit module could also be modified reasonably simply to do this. There are some more details about that here:

  9. I'm kinda new to asm and I'm still learning, but changing the:
    db "wscript //B a.vbs", 0
    db "wscript C:\a.vbs", 0
    with also this:
    lea edx, [esi + 12]
    lea edx, [esi + 8]

    is working great in order to provide a valid writable directory.

    I removed the //B in order to have debugging window to tell me if process started.

    So I just switched to this:
    db "wscript //B C:\a.vbs", 0
    lea edx, [esi + 12]

    Thanks for this one lupin, appreciated.
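To check the string offsets the two comments above work out by hand, and to pull the drop path out of a captured sample during triage (so a responder knows which file to look for on disk), here is a small Python helper. It is an added example, not lupin's code or the Metasploit module; the SAMPLE buffer is constructed, and the parsing rule (the first argument after wscript that is not a '//' host switch is the script path) is an assumption.

```python
import re

# Constructed sample: filler bytes around two NUL-terminated command strings of
# the kind found after the cmddata label. This is not the shellcode from the
# post, just a stand-in buffer for the parser.
SAMPLE = (
    b"\x90\x90\xcc"
    + b"wscript //B a.vbs\x00"
    + b"\xff\xe4"
    + b"wscript C:\\a.vbs\x00"
    + b"\x00\x00"
)

# A 'wscript' token followed by space-separated arguments up to the NUL.
_CMD_RE = re.compile(rb"wscript(?: [^\x00 ]+)*\x00")


def script_path_offset(cmd: bytes):
    """Return (offset, path) for a NUL-terminated 'wscript ...' command string.

    The path is the first argument that is not a '//' host switch such as
    '//B'; offset is its byte position inside the string, i.e. the value the
    `lea edx, [esi + N]` must use so URLDownloadToFileA writes to that path.
    Returns None if the string is not a wscript command line.
    """
    tokens = cmd.rstrip(b"\x00").split(b" ")
    if tokens[0] != b"wscript":
        return None
    pos = len(tokens[0]) + 1          # skip 'wscript' and the following space
    for tok in tokens[1:]:
        if not tok.startswith(b"//"):
            return pos, tok.decode("ascii", "replace")
        pos += len(tok) + 1           # skip the switch and its trailing space
    return None


def find_drop_paths(blob: bytes):
    """Scan a raw sample for wscript command strings.

    Each hit is (offset of the string in the blob, script path, path offset
    within the string), which is what a triage note needs.
    """
    hits = []
    for m in _CMD_RE.finditer(blob):
        parsed = script_path_offset(m.group(0))
        if parsed:
            hits.append((m.start(), parsed[1], parsed[0]))
    return hits
```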

  10. Night_Fall

    No problem, thanks for letting me know that worked. I might look at adding an option to specify the directory in a future version of the Metasploit module.

  11. Not getting the VB to execute; tried on both Win 32 and 64. Any ideas, people?

    1. It's not going to work in a 64 bit process, the shellcode is 32 bit assembly. On 32 bit, confirm that the script is being correctly downloaded and written to disk and that the command line, e.g. 'wscript //B a.vbs', works. Try it in a different process (e.g. use one of these methods) to make sure there is nothing unique about the particular process you are using that's stopping this from working.

      Beyond this, you'll need to run it in a debugger to see what's wrong.