HTA delivery failing with remote URL about scarecrow HOT 8 CLOSED

Okay, I did some testing and it looks like there is some sort of issue with it pulling a large file over via mshta. I am going to do some more testing to address this but it might require a different template for mshta.

from scarecrow.

Sorry for the delay it looks like when the file is being pulled remotely the COM object "ADODB.Stream" times out due to some slowness (probably because mshta uses Internet Explorer Com objects to download content) and loading the base64 encoded payload into memory to then convert. By changing the serialized format and omitting the use of ADODB.Stream it worked.

I am glad it worked for you and thank you very much I appreciate the feedback.

from scarecrow.

So before I can assit, I need to ask you have two different loaders select in both your examples. I only ask because one is excel which would change the situation. Can you please confirm.

from scarecrow.

Can you please clarify your question?

I tried both methods (excel and control) separetely, and the exhibited behaviour is the same, i.e. the HTA file only executes if it is already located locally.

I analysed what's happening in Process Explorer and noticed that control.exe and rundll32.exe do not spawn when calling the file from a remote URL (for control loader).

from scarecrow.

Update: I have a working PoC. I am not 100% what it was by it was related to the rebuilding of the .cpl file on disk. I am gonna do some more testing but I should have an update in a day to address this.

from scarecrow.

Awesome. Would love to hear more about the root cause.

from scarecrow.

Code pushed in 2.1. Please try it out.

from scarecrow.

Just tested it out using the Control loader and HTA delivery, and it worked perfectly when calling it with mshta.exe .
May I ask what the issue was with the original code and how did you fix it?

Thanks a lot! This framework is underrated :)

from scarecrow.