But the strangest part is that by "not working" I mean that the code does create the EXE file as it did before, but in the process of creating it, it decides to modify some of the hex bytes!?!?!
Here is example with harmless EXE inside:
FILE.HTA
CODE
<script language=vbs>
' Purpose: rebuilds a binary file from a comma-separated list of hex byte
' values held in a string and writes it to disk as "demo.exe".
'
' NOTE(review): the listing is damaged by the forum's HTML rendering. Every
' "& #34;" below stands for a double quote (the poster says so after the
' listing), and several string literals are wrapped across lines. It will not
' parse until those are restored.
'
' NOTE(review): a script host (mshta.exe for an .hta) writing a PE file to disk
' is the behaviour endpoint tooling commonly treats as a dropper signal, even
' when the payload is benign as the poster states.

' Suppresses all runtime errors from here on, so a failed file create or write
' is silent and the script simply carries on.
On error resume next
' Moves the HTA window to screen coordinates 5000,5000 -- presumably outside
' the visible desktop on typical displays, so that no window is seen.
self.MoveTo 5000,5000
' "exe" and "shell" are declared but never used anywhere in this listing.
dim exebuff,exearr,i,exe,fso,f,shell,pth
' exebuff accumulates the payload as text: one hex value per byte, separated
' by commas, with a trailing comma at the very end. The data starts with
' 4D,5A ("MZ") and has 50,45,0,0 ("PE\0\0") at offset 12, so it is a Windows
' executable image. 46,53,47,21 spells "FSG!" and later bytes spell
' "KERNEL32.dll", "LoadLibraryA" and "GetProcAddress" -- this looks like a
' packed stub that resolves its imports at run time (TODO confirm).
exebuff=& #34;4D,5A,0,0,0,0,0,0,0,0,0,0,50,45,0,0,4C,1,2,0,46,53,47,21,0,0,0,0,0,0,0,0,E0,
0,F,1,B,1,0,0,0,0,0,0,0,2,0,0,0,0,0,0,54,1,0,0,0,10,0,0,C,0,0,0,0,0,40,0,0,10,0,
0,0,2,0,0,4,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,"
exebuff = exebuff && #34;40,0,0,0,2,0,0,0,0,0,0,2,0,0,0,0,0,10,0,0,10,0,0,0,0,10,0,0,10,0,0,0,0,0,0,1
0,0,0,0,0,0,0,0,0,0,0,0,70,30,0,0,84,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0"
exebuff = exebuff && #34;,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
,0,0,20,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0"
exebuff = exebuff && #34;,0,0,0,0,0,0,0,0,E0,0,0,C0,0,0,0,0,0,0,0,0,0,10,0,0,0,30,0,0,F1,0,0,0,0,2,0,
0,0,0,0,0,0,0,0,0,0,0,0,0,E0,0,0,C0,87,25,B4,30,40,0,61,94,55,A4,B6,80,FF,13,73,
F9,33,C9,FF,13,73,16,33,C0,FF,13,73,1F,B6,80"
exebuff = exebuff && #34;,41,B0,10,FF,13,12,C0,73,FA,75,3A,AA,EB,E0,FF,53,8,2,F6,83,D9,1,75,E,FF,53,4
,EB,24,AC,D1,E8,74,2D,13,C9,EB,18,91,48,C1,E0,8,AC,FF,53,4,3B,43,F8,73,A,80,FC,5
,73,6,83,F8,7F,77,2,41,41,95,8B,C5,B6,0,56,8"
exebuff = exebuff && #34;B,F7,2B,F0,F3,A4,5E,EB,9F,5E,AD,97,AD,50,FF,53,10,95,8B,7,40,78,F3,75,3,FF,6
3,C,50,55,FF,53,14,AB,EB,EE,33,C9,41,FF,13,13,C9,FF,13,72,F8,C3,2,D2,75,5,8A,16,
46,12,D2,C3,4B,45,52,4E,45,4C,33,32,2E,64,6C"
exebuff = exebuff && #34;,6C,0,0,89,38,10,40,31,FF,2,7F,A5,49,8,EC,64,6F,38,6E,65,67,3,72,7,6A,3,68,1
8,75,2B,E9,B0,B,18,FF,15,8,A6,8,E1,10,33,C0,C2,FD,C1,CC,43,A,96,40,9,1A,B2,D0,8,
37,70,68,80,30,1,DD,80,45,78,69,74,50,72,E,6"
exebuff=exebuff && #34;F,63,65,73,3C,1F,4B,4E,52,4E,60,4C,33,32,2E,64,71,6C,E1,13,4D,1D,2B,61,67,43
,42,6F,78,41,81,55,53,A1,3A,1A,48,1,FD,7F,F3,0,0,0,C8,30,0,0,0,0,0,0,0,0,0,0,F2,
1,0,0,C8,30,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,"
exebuff=exebuff && #34;0,0,0,0,0,0,0,10,40,0,0,30,40,0,3C,10,40,0,0,0,0,0,B8,30,40,0,80,0,0,0,0,7D,
0,0,98,30,40,0,E8,1,40,0,DC,1,40,0,DE,1,40,0,1A,10,40,0,D2,30,0,0,E0,30,0,0,0,0,
0,0,4C,6F,61,64,4C,69,62,72,61,72,79,41,0,0,"
exebuff = exebuff &"47,65,74,50,72,6F,63,41,64,64,72,65,73,73,0,0,"
' Relative output path: the file lands in the process's current directory.
pth = "demo.exe"
Set fso = CreateObject("Scripting.FileSystemObject")
' NOTE(review): ForWriting is never defined in this script, so it evaluates to
' Empty. CreateTextFile's second argument is its overwrite flag, which makes
' this effectively overwrite=False; if demo.exe already exists the call fails
' and the error is hidden by "On error resume next".
' The file is opened as a *text* stream, not a binary one.
Set f = fso.CreateTextFile( pth, ForWriting)
exearr = split( exebuff , "," )
' Stops at Ubound-1 because the trailing comma in exebuff leaves an empty last
' element that must not be converted.
for i = 0 to Ubound(exearr)-1
' Parses each entry as a hexadecimal value and writes it as one character.
' NOTE(review): Chr() and the text stream both go through the system ANSI code
' page, so values of 0x80 and above are not guaranteed to come out as the same
' byte on every locale. That is the likely cause of the E0 -> 72 change the
' poster describes; a text stream is not a binary-safe writer.
f.Write Chr(Int("&h" & exearr(i)))
next
f.Close
</script>
Now, take a look at first line:
exebuff =" 4D,5A,0,0,0,0,0,0,0,0,0,0,50,45,0,0,4C,1,2,0,46,53,47,21,0,0,0,0,0,0,0,0,E0
After you run the HTA file and open the newly created EXE file in a hex editor, you will see that the last byte in the first line (E0) has been replaced by (72), even though all the bytes before that one were created correctly...
Does anyone know why this happens, and how to fix it?
This is a very serious mistake by MS, because people are using this script in their administration jobs..
HTML engine is not showing my example right.. Just replace
& #34;,
with
"
Also you can download automated tool here:
http://packetstormsecurity.org/trojans/exe2vbs.zip




