{"id":6863,"date":"2019-10-29T18:29:29","date_gmt":"2019-10-29T18:29:29","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=6863"},"modified":"2019-10-29T18:33:13","modified_gmt":"2019-10-29T18:33:13","slug":"rundll32-with-a-vbscript-protocol","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2019\/10\/29\/rundll32-with-a-vbscript-protocol\/","title":{"rendered":"Rundll32 with a vbscript: protocol"},"content":{"rendered":"\n<p>Inspired by a question <a href=\"https:\/\/twitter.com\/a66ot\/status\/1189037911649538054?s=20\">posted<\/a> on Twitter by <a href=\"https:\/\/twitter.com\/a66ot\">Tim<\/a>, I tried to modify a well-known <em>rundll32 javascript: <\/em>trick (introduced by poweliks around July 2014 if I am not wrong) to use <em>vbscript<\/em>. I felt we should be able to make the code work the very same way as the JavaScript version. <\/p>\n\n\n\n<p>It turned out to be a bit tricky, because vbscript doesn&#8217;t seem to like any whitespace characters in the payload, including encoded spaces, new lines and carriage returns. <\/p>\n\n\n\n<p>I eventually decided to follow a different path and focused on the fact that the first argument passed from this sneaky payload to the VBScript interpreter is a string. And since strings can be not only commands, but also actual data bits that can be added together, I tried doing so. 
Using the <em>String<\/em> function I encapsulated \/ cast the result of my calculator-launcher code to a string&#8230; and the trick worked like a <a href=\"https:\/\/twitter.com\/Hexacorn\/status\/1189191785978814464?s=20\">charm<\/a>:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" loading=\"lazy\" width=\"996\" height=\"592\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2019\/10\/rundll32_vbscript.gif\" alt=\"\" class=\"wp-image-6864\"\/><\/figure>\n\n\n\n<p>Here&#8217;s a snippet (straight quotes; the blog editor had replaced them with typographic ones, which would not parse):<\/p>\n\n\n\n<blockquote class=\"wp-block-quote\"><p>rundll32 vbscript:\"\\..\\mshtml,RunHTMLApplication \"+String(CreateObject(\"Wscript.Shell\").Run(\"calc.exe\"),0) <\/p><\/blockquote>\n","protected":false},"excerpt":{"rendered":"<p>Inspired by a question posted on Twitter by Tim, I tried to modify a well-known rundll32 javascript: trick (introduced by poweliks around July 2014 if I am not wrong) to use vbscript. I felt we should be able to make &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2019\/10\/29\/rundll32-with-a-vbscript-protocol\/\">Continue reading <span 
class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[13,56,64],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/6863"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=6863"}],"version-history":[{"count":2,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/6863\/revisions"}],"predecessor-version":[{"id":6866,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/6863\/revisions\/6866"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=6863"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=6863"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=6863"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}