JS Files

- DotNetToJscript

The default handler for .js files is the Windows-Based Script Host, so double-clicking a .js file executes its content. JScript on its own has limitations, so to have a .js file run C# code behind the scenes we rely on DotNetToJscript.

First, we need to download the DotNetToJscript project from GitHub or use the version stored locally at C:\Tools\DotNetToJscript-master.zip on the Windows 10 development machine.

Then we extract it and open that project with Visual Studio.

Once we’ve opened DotNetToJscript in Visual Studio, we’ll navigate to the Solution Explorer and open TestClass.cs under the ExampleAssembly project.

Here we replace the content with the C# payload we want.

After that, switch from Debug to Release mode and compile the entire solution with Build > Build Solution.

Then, for DotNetToJscript to work correctly, we copy the compiled C# DLL (from the ExampleAssembly output folder, or whatever name we gave the project), DotNetToJscript.exe and NDesk.Options.dll into the folder where we will generate our JScript.

Once these files are in place, we generate the .js file from the DLL:

DotNetToJScript.exe ExampleAssembly.dll --lang=Jscript --ver=v4 -o demo.js

! JScript executes in a 64-bit context by default, so we have to build a 64-bit assembly: leave DotNetToJscript on "Any CPU" and set ExampleAssembly to "x64".

When writing the C# payload that we will compile into a DLL and then convert into a .js file, we first need to add the necessary namespaces:

using System;
using System.Diagnostics;
using System.Runtime.InteropServices;

Also note that any DllImport declarations must be placed in the relevant class, outside the method that uses them. In this case, we put them in TestClass, for example:

[ComVisible(true)]
public class TestClass
{
    // Here we put the declarations using DllImport
}

Next, we add the same shellcode and method calls inside the TestClass constructor as in our standalone project:

public TestClass()
{
    // shellcode, for example
}

- SharpShooter

SharpShooter is “a payload creation framework for the retrieval and execution of arbitrary C# source code”.

git clone https://github.com/mdsecactivebreach/SharpShooter.git

cd SharpShooter/

pip install -r requirements.txt

Once installed, we must generate our C# shellcode, for example with msfvenom, and save it in a .txt file. Then, to create the payload:

SharpShooter.py --payload js --dotnetver 4 --stageless --rawscfile /var/www/html/shell.txt --output test

! In SharpShooter, stageless refers to whether the entire JScript payload is transferred at once, as opposed to a staged JScript payload delivered with HTML smuggling.
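Both tools above produce a .js file whose JScript bootstraps the .NET runtime through COM and deserializes an embedded object, so from the defender's side the interesting question is what such a file looks like on disk. The following scanner is an added example written for these notes; it is not code from the original page, from DotNetToJscript or from SharpShooter. Its indicator list is an assumption based on the publicly documented DotNetToJScript approach (ActiveXObject calls with System.* ProgIDs, BinaryFormatter deserialization, a large base64 string literal, the COMPLUS_Version environment switch); SharpShooter's JScript output builds on the same DotNetToJScript technique according to its README, so the same class of markers applies there, subject to whatever obfuscation is layered on top. The weights, the threshold and both sample scripts are constructed for the example.

```python
"""Heuristic scanner for DotNetToJScript-style .NET-in-JScript loaders (added example)."""
import re
import sys
from dataclasses import dataclass, field

# (name, regex, weight). Weights and threshold are hand-chosen for this example (assumption).
INDICATORS = [
    ("dotnet_via_com",   r"""new\s+ActiveXObject\(\s*['"]System\.""", 2),   # .NET class created via COM ProgID
    ("binaryformatter",  r"""Serialization\.Formatters\.Binary\.BinaryFormatter""", 3),
    ("deserialize_call", r"""\.Deserialize_2\s*\(""", 3),                     # COM-visible overload name
    ("dynamic_invoke",   r"""\.DynamicInvoke\s*\(""", 2),
    ("base64_transform", r"""FromBase64Transform""", 1),
    ("complus_version",  r"""COMPLUS_Version""", 2),                          # forces a CLR version on the script host
    ("wscript_shell",    r"""ActiveXObject\(\s*['"]WScript\.Shell['"]""", 1),
]
FLAG_THRESHOLD = 6
MIN_BLOB_CHARS = 200

# Generated loaders split the serialized object across many `"..." + "..."` fragments;
# JOIN_RE collapses those joins so the blob check sees one literal.
JOIN_RE = re.compile(r"""['"]\s*\+\s*['"]""")
BLOB_RE = re.compile(r"""['"]([A-Za-z0-9+/=]{%d,})['"]""" % MIN_BLOB_CHARS)


@dataclass
class ScanResult:
    score: int = 0
    hits: list = field(default_factory=list)
    blob_length: int = 0

    @property
    def flagged(self) -> bool:
        return self.score >= FLAG_THRESHOLD


def longest_string_blob(text: str) -> int:
    """Length of the longest base64-looking literal after re-joining split fragments."""
    joined = JOIN_RE.sub("", text)
    return max((len(m.group(1)) for m in BLOB_RE.finditer(joined)), default=0)


def scan_script(text: str) -> ScanResult:
    """Score one script body; each indicator counts once regardless of repeats."""
    result = ScanResult()
    for name, pattern, weight in INDICATORS:
        if re.search(pattern, text, re.IGNORECASE):  # COM ProgIDs and members are case-insensitive
            result.hits.append(name)
            result.score += weight
    result.blob_length = longest_string_blob(text)
    if result.blob_length >= MIN_BLOB_CHARS:
        result.hits.append("embedded_blob")
        result.score += 2
    return result


# Constructed sample: the skeleton of a .NET-over-COM loader with a dummy blob
# ("QUJD" repeated; not a serialized object and not executable).
_BLOB = " +\n".join('"' + "QUJD" * 16 + '"' for _ in range(5))
SUSPICIOUS_JS = (
    "var shell = new ActiveXObject('WScript.Shell');\n"
    "shell.Environment('Process')('COMPLUS_Version') = 'v4.0.30319';\n"
    "var serialized_obj = " + _BLOB + ";\n"
    "var fmt = new ActiveXObject('System.Runtime.Serialization.Formatters.Binary.BinaryFormatter');\n"
    "var stm = new ActiveXObject('System.IO.MemoryStream');\n"
    "var d = fmt.Deserialize_2(stm);\n"
    "var o = d.DynamicInvoke(null);\n"
)

# Constructed benign admin script: also uses COM, but no .NET ProgIDs and no blob.
BENIGN_JS = (
    'var fso = new ActiveXObject("Scripting.FileSystemObject");\n'
    'var f = fso.OpenTextFile("C:\\\\temp\\\\report.txt", 1);\n'
    "WScript.Echo(f.ReadAll());\n"
)


def report(label: str, res: ScanResult) -> None:
    verdict = "FLAGGED" if res.flagged else "clean"
    print(f"{label}: {verdict} score={res.score} blob={res.blob_length} hits={res.hits}")


if __name__ == "__main__":
    if len(sys.argv) > 1:  # scan real files: python scan_js.py a.js b.jse ...
        for path in sys.argv[1:]:
            with open(path, encoding="utf-8", errors="replace") as fh:
                report(path, scan_script(fh.read()))
    else:
        report("suspicious sample", scan_script(SUSPICIOUS_JS))
        report("benign sample", scan_script(BENIGN_JS))
```

The threshold is deliberately above the weight of any single marker, so an ordinary admin script that merely touches WScript.Shell is not flagged, while a loader needs to hide both the BinaryFormatter ProgID and the deserialization call to score under it. Pair the scan with the mitigation implied by the first section: if .js and .jse are mapped to a text editor instead of the Windows-Based Script Host, a double-click no longer runs the file at all.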
